INJURED JOCKEYS FUND
FREEPHONE HOTLINE: 08080 453 453 +44(0)1162969461 LOGIN / SIGNUP MY BASKET
Home > Privacy Notice 2024

Privacy Notice

Who we are

Injured Jockeys Fund and Injured Jockeys Company Ltd are both registered with the Information Commissioner’s Office (ICO) as a Data Controller for the personal data that we hold and process. Our registered address is Peter O’Sullevan House, 7a Newmarket Road, Newmarket, Suffolk, CB8 7NU, our ICO registration numbers are Z4929460 and Z7969977 respectively.

Our Data Protection Officer (DPO) can be contacted by emailing dpo@ijf.org.uk

Our role

We act as a Data Controller. A Data Controller decides what personal data needs to be collected and how it is used, and is responsible for processing it in line with the law.

We can use your information in the ways we tell you about in this notice. More information is given below to explain what types of data are used in different situations.

If you have questions about anything in this notice, you can contact us by emailing us on DPO@ijf.org.uk

Your rights

You have rights in respect of our processing of your personal data. The relevant rights are:

  • Right of access: You can request a copy of the personal data which we hold about you, as well as details about why and how we use it;
  • Right to rectification: You can ask us to change or complete any personal data we hold about you which is inaccurate or incomplete;
  • Right to be forgotten/erasure: You have a right, under certain circumstances, to ask us to delete any personal data we hold about you. Please note that there may be situations where we must retain your personal data after a request for erasure where we have a lawful basis for doing so;
  • Right of restriction: You can ask us to restrict (prevent) the processing of your personal data where you have objected to our use of it and we have no lawful basis to continue processing your personal data;
  • Right of data portability: In certain circumstances, you can ask us to transfer the data we hold about you to another service. This would be sent in a structured, commonly used, electronic form;
  • Right to object: You can object to us using your personal data for particular purposes; and
  • Automated decision making: You have a right not to be subjected to automated decision making and profiling in certain circumstances.

If you want to exercise any of these rights, please email us on DPO@ijf.org.uk

You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the Information Commissioner’s Office (ICO) whose details are here: https://ico.org.uk/make-a-complaint/

How we use personal data

We use personal data about people (data subjects) with different relationships to us, in different ways. Below, we have provided Privacy Notices for each different type of data subject. Each notice sets out what data is used and why, where we got the data from, how long it is kept, and what lawful basis we use to process it.

Data sharing and transfers

We have a number of processors (such as cloud service providers) who act on our behalf. We have Data Processing Agreements in place with all of these processors to ensure that your data is processed in compliance with the law and only upon our instruction. We never sell your data. If we need to share your data with a Third Party, this will be outlined in the relevant notice below.

Transfers of your data outside the UK or EEA

We only transfer data outside of the UK or EEA if it is to a country or organisation that is deemed by the UK or EU to have adequate protection of data, or if appropriate safeguards have been put in place, for example EU Standard Contractual Clauses or the UK IDTA. When we rely on Standard Contractual Clauses/IDTA, we also carry out due diligence and transfer impact assessments to ensure they provide enough protection within the local legal framework.

Automated decision making

We do not use your personal data in any automated processes to make decisions about you.

Technical and operational security

 

We will take all reasonable steps to protect your personal information in order to prevent unauthorised access to or alteration or destruction of personal information in our possession. All the personal information we collect is stored securely. All areas of our premises that hold personal data are protected by secure physical access controls and covered by CCTV. Data stored in electronic form is secured using industry-standard cloud service providers and security configurations are reviewed regularly. Computing devices used to access personal information are centrally managed to ensure access controls, encryption, antivirus and system security are maintained

What happens if our organisation changes hands?

We may, from time to time, expand or reduce our organisation and this may involve the sale and/or the transfer of control of all or part of our organisation. Any personal data that you have provided will, where it is relevant to any part of our organisation that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our Privacy Notice

We may change this Privacy Notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up to date.

If we make any significant changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.

 

Tell me more…

To see more about how we use your personal data, read the notice or notices below which apply best to your relationship with us:

  • Beneficiary or Clinical Service User - you are a Beneficiary if you receive benefits from us which may include help with medical treatment, wellbeing or money matters. You are a Clinical Service User if you pay to use our clinical services (or if your insurance provider pays)
  • Donor - you have nominated us to receive a donation of money
  • Customer or Supporter - you’ve bought IJF Supporter Club membership or something else through our online shop
  • Volunteer - you’re one of our volunteer staff
  • Solicitor, Executor or Next of Kin - you’re handling the legacy wishes or are the next of kin of someone who has died
  • On-Site Visitor - you’re a visitor to one of our sites
  • Website Visitor - you’re visiting the Injured Jockeys Fund website or online shop
  • Subscriber - you’ve chosen to receive updates from us
  • Supplier or potential supplier - you provide services or products to us, or might do in the future
  • Job Applicant - you’ve applied for a job with us
  • Work Experience - you’re doing a work experience placement with us
  • Trustee & Patrons - you’re a Trustee or Patron of the charity
  • Industry expert - you’re an industry expert we have interacted with
  • Event attendee – you have attended an event we have organised

For any data subject, we may also process your personal data for legal reasons if we are obliged to provide it to a regulatory authority or to respond to a Data Subject Request. If you are not the requester, we will redact your data from Data Subject Request responses unless you agree to provide it. The lawful basis for this processing is Legal Obligation and the timeframe for the data to be kept will depend on the nature of the data involved.  

 

Beneficiary or Clinical Service User Privacy Notice

Data that we hold and how we use it

If you are a Beneficiary:

  • We hold the following personal data about you: name, your contact details (address, phone number, email address), bank details, information about the type of grant or expenses covered, information about your health, information about insurance, income and expenditure, information about criminal offences, emergency contact details, date of birth, gender, your marketing and data sharing consents, and copies of documents you provide to us.
  • We use contact details and bank details to: manage your case, plan meetings with you, including with our clinical services team, invite you to charity events, and pay expenses.
  • We use data about income, expenditure, insurance and criminal offence information as part of the information used to evaluate your case for beneficiary support. Where financial support is required, case information is shared with our Trustees for approval.
  • We process information about your health in order to manage your case and provide you with beneficiary help and services. Data that we hold related to your health may include: basic health data, information about injuries, clinician’s notes, copies of documents you provide to us, services requested.
  • Only with your consent, we may share basic contact details, basic health and social care data with third parties (e.g. the party who referred you to us, or for return-to-ride assessments), in order to help manage your case.
  • If we feature you in our materials such as a newsletter, social media posts or TV adverts, we may also have your image. In this case we use your data to help us inform about the Fund and promote our activities.
  • If you attend a beneficiary holiday, to organise this we will process your name and contact details, date of birth, passport information and, if applicable, health information and health insurance details.

If you are a Clinical Services User:

  • We may hold the following personal data about you: name, your contact details (address, phone number, email address), insurance details, and date of birth and emergency contact details.
  • We may use contact details and information about your insurance to manage your referral and your case, to plan meetings with you, including with our clinical services team, and to give electronic gym entry.
  • We may also process your date of birth and health insurance policy details in order to submit invoices for payment with health insurance providers.
  • We process information about your health in order to evaluate and manage your case, and grant access to gym training plan data where applicable. Data that we hold related to your health may include: basic health and social care data, clinician’s notes, information about injuries.
  • Only with your consent, we may share basic contact details, basic health and social care data with third parties (e.g. the party who referred you to us, or for return-to-ride assessments), in order to help manage your case

We will have received most or all of the data from you directly. If you were referred to us, we will have received your name and contact details and possibly some health information from the party who referred you.

Lawful basis for processing

For processing your health data, which is a protected Special Category of personal data, our lawful basis under UK GDPR is Contract together with Article 9(2)(g) ‘Reasons of substantial public interest’, with the condition ‘Support for individuals with a particular disability or medical condition’. Processing this data enables us to provide you with clinical care benefits and services. Where we provide healthcare or treatment from a health professional then we use Article 9(2)(h) “Health and social care” with the condition “Health or social care purposes”. We have an Appropriate Policy Document which outlines why this is our lawful basis and how we protect your data.

For processing information about criminal offences (or lack of) as part of beneficiary application, our lawful basis under UK GDPR is Contract together with the Article 10 condition “processing by not-for-profit bodies”. Processing this data enables us to ensure beneficiary support is given in line with the Terms of Engagement available on our website. This data is not disclosed outside the IJF without your consent.

For the following purposes, our lawful basis for processing your data is Legitimate Interests: arranging meetings and appointments, inviting you to events, introducing you to our volunteers, electronic gym entry.

When we pay expenses, our lawful basis for processing your data is for the performance of a Contract.

If we feature you – and possibly information about why you have had our support – in our materials such as TV adverts or social media posts or our newsletter, this would be with your explicit consent to take part and the lawful basis for processing your data is legitimate interests.

For Clinical Service Users, when we process your data to invoice health insurance providers, our lawful basis for processing your data is for the performance of a Contract.

Retention Periods

We store most of your data, including data about health, for the length of time that you are a Beneficiary or Clinical Service User plus 8 years.

If you are a Beneficiary we store data about criminal offences (or lack of), expenses, and your contact details to connect you with volunteers or to invite you to charity events or beneficiary holidays, for the length of time that you are a beneficiary plus 8 years.

For social media posts, the retention period is driven by the platform. For TV adverts, the retention period is the length of the advertisement run.

If you are a Clinical Service User we store the data that we use to invoice health insurance providers, for 8 years after the processing. For access to training programme data for gym members, the data is held for 8 years. For enabling electronic gym entry, the data is held for 120 days after your last visit.

 

Donor Privacy Notice

Data that we hold and how we use it

If you are a Donor to the Injured Jockeys Fund, the data that we hold about you includes your name, contact details, the value donated, any notes or requests you’ve made regarding your donation or your legacy wishes, and whether you are a fundraiser.

We use the data to record the details of donations and legacy payments for the charity, to collect those payments, to invite people to charity related events, and to send postal communications.

Lawful basis for processing

Our lawful basis for processing your data in this way is Legitimate Interest. It’s necessary for the purpose and you would reasonably expect us to use the data in this way.

Retention Periods

We store your data for 7 years from your last activity (donation made, payment received, event attended, legacy wishes completed). In the case of postal communications we send, we store your name and address data until you let us know you no longer wish to receive those communications.

Customer or Supporter Privacy Notice

Data that we hold and how we use it

If you make a purchase through our online shop, The Injured Jockey Company Ltd processes the following data about you: name, contact details (email address, phone number, address), credit card details, payment details, purchase details, amount donated via purchase (if applicable).

We use the data to process the order and send a receipt.

If you purchase membership of the Injured Jockeys Fund Supporter Club, the data that we hold about you includes: your name, contact details including your address, and the value donated.

We use the data to record the details of donations for the charity, to keep track of active yearly supporters, and to send postal communications.

Lawful basis for processing

Our lawful basis for processing your data is Contract when the data is used to enable us to fulfil our contract with you (i.e. to complete a transaction).

Our lawful basis for processing your data is Legitimate Interest when data is used to send your receipt, keep track of donations, keep track of active yearly supporters, and to send postal communications.

Retention Periods

We store supporter data for as long as you remain a member. In the case of postal communications we send, we store your name and address data until you let us know you no longer wish to receive those communications.

We store customer data for seven years after your most recent purchase, in case of dispute.

Volunteer Privacy Notice

Data that we hold and how we use it

If you work for us as a volunteer, we hold the following data about you: name, address, work email address, work telephone number, personal email address, personal telephone number, gender, date of birth, start date, role, nationality, national insurance number, probationary end date, method of recruitment, emergency contact details, details of references given, bank details, expense request details, training attended.

This information will be used to provide you with information and support as part of your work, including providing training and paying your expenses. We do this based on the contract we have with you.

We also carry out DBS (Disclosure and Barring Service) checks to check for criminal convictions. This helps us to check whether it is suitable for someone to work with vulnerable people. This means we hold the data about whether you have any criminal convictions.

We use CCTV at our sites, in order to protect the safety of individuals and security of premises. If you attend one of our sites, we may hold images of you.

If we feature you in our materials such as a newsletter, social media posts or TV adverts, we may also have your image. In this case we use your data to help us inform about the Fund and promote our activities.

Lawful basis for processing

Our lawful basis for processing your data is Contract and Legitimate Interest (for your training record, HR file details and CCTV).

Under UK GDPR our lawful basis for processing criminal offence check data is Article 9(2)(g) - ‘substantial public interest’, with the condition DPA 2018 Schedule 1 Part 2(12) – ‘regulatory requirements relating to unlawful acts and dishonesty’.

If we feature you in our materials such as TV adverts or social media posts or our newsletter. The lawful basis for processing your data is legitimate interest based in you having consented to take part.

Retention Periods

We store your data for 7 years after you leave as a volunteer.

We store CCTV data for 30 days.

For social media posts, the retention period is driven by the platform For TV adverts, the retention period is the length of the TV advert run.

Solicitor, Executor or Next of Kin Privacy Notice

Data that we hold and how we use it

If you are a solicitor or executor of an estate, handling the legacy wishes of someone who has died, we may hold the following data about you: your name, contact details, the value donated, any notes or requests you make in correspondence to us about the donation or legacy wishes.

We will have received this data from you directly.

We use the data to record the details of donations and legacy payments for the charity, and to collect those payments.

If you are a Next of Kin, we may hold the following data about you: your name, contact details, the value donated, any notes or requests you make in correspondence to us about the donation or legacy wishes, the details of any donation you make in memory of a deceased person.

We will have received this data from you directly, or from a Donor who identified you as their Next of Kin.

We use the data to record the details of donations and legacy payments for the charity, to collect those payments, and to send letters of acknowledgement.

Lawful basis for processing

Our lawful basis for processing your data in this way is Legitimate Interest. It’s necessary for the purpose and you would reasonably expect us to use the data in this way.

Retention Periods

We store your data for 7 years from your last activity (donation made, payment received, event attended, legacy wishes completed).

On-site Visitor Privacy Notice

Data that we hold and how we use it

We use CCTV at our sites, so if you are a visitor to one of our rehabilitation sites, we may hold images of you. We use CCTV in order to protect the safety of individuals and security of premises.

We will also ask you to sign in when you visit our sites and will record your name so we can monitor who is physically on site for health and safety reasons.

If our Health and Safety processes apply to your visit – for example if your work will involve a Permit to Work or a Personal Emergency Evacuation Procedure - then we will hold your contact details and may hold some health data about information about you.

If you attend one of our centres as a Beneficiary or Clinical Service User, please see the other Privacy Notice sections that apply to you.

Lawful basis for processing

Our lawful basis for processing your CCTV or visitor sign-in data is our Legitimate Interest, for protecting the safety of individuals and security of premises.

Our lawful basis for processing any data in relation to health and safety is Legal Obligation. If we need to process health data, which is a protected Special Category of personal data, our lawful basis under UK GDPR is Article 9(2)(b) Employment, social security and social protection law’, with the condition ‘Employment, social security and social protection’. We have an Appropriate Policy Document which outlines why this is our lawful basis and how we protect your data. 

Retention Periods

We store CCTV data for 30 days. We store names on our visitor books for a period of 3 months. If you are issued with a key fob then the data processed is kept for 120 days after your last visit. Health and Safety information is held for 7 years after an incident.

 

Website Visitor Privacy Notice

Data that we hold and how we use it

As a visitor to the Injured Jockeys Fund website or online shop, we hold the following data on you: IP address, pages visited, length of time spent on pages, your preferences and settings.

This data would have come directly from you, using cookies. Cookies are small text files that are stored on your browser or device by websites, apps, online media, and advertisements. We use cookies to:

  • Validate users
  • Remember user preferences and settings
  • Determine frequency of accessing our content
  • Measure the effectiveness of advertising campaigns; and
  • Analyse site visits and trends.

Lawful basis for processing

Our lawful basis for processing your data for essential cookies is legitimate interest and for non-essential cookies it is Consent.

Retention Periods

Further information about the purpose and storage duration of the specific cookies that we use can be found in the Cookie Settings tool available on the website.

 

Communication Subscriber Privacy Notice

 

Data that we hold and how we use it

If you opt to subscribe to our communications then we will process the following data about you: basic contact details, name, address, email address.

We use the data to stay in touch with you via our newsletter, catalogues and marketing.

You are given the chance to opt out of this in every communication. If you wish to stop receiving communications from us please just let us know.

Lawful basis for processing

Our lawful basis for processing your data is Consent. We give you the chance to opt out of all marketing on anything that we send you.

Retention Periods

We will hold your data until the point at which you opt out of communications. If you ask to unsubscribe from our newsletter/marketing, we will move your details to our suppression list to ensure that we don’t accidentally contact you again in the future. If you make a purchase and become a Customer, then that Privacy Notice will apply.

Supplier or Potential Supplier Privacy Notice

Data that we hold and how we use it

If you are a supplier to us, we hold the following details: name, contact details, vendor company information, address and bank details, type of grant or expense.

We use these details to manage relationships and fulfil contracts with suppliers, who may be supplying goods or outsourced services or may be involved in charity events.
 Some out-sourced suppliers of services to the Injured Jockey Fund may be approved to use our software system, which involves processing your logon details, contact details and any event logging.

If you are a potential supplier to us, we store your name, contact details and type of service, in case we need your services in the future.

Lawful basis for processing

Our lawful basis for processing your data is Contract; the data is used to enable us to fulfil our contract with you, including paying you and managing our relationship with you.

Retention Periods

For suppliers, we keep your data for as long as we have a relationship with you plus 7 years, for potential suppliers, we hold you data for the length of time that we are considering a relationship with you.

Job Applicant Privacy Notice

Data that we hold and how we use it

If you apply for a job with us we will hold the following data on you: name, contact details, CV, interview notes, and any correspondence relating to a potential contract.

The data we hold will have come directly from you.

If you are successful in gaining employment with us then you will fall under the Employee Privacy Notice going forward; please refer to the employee handbook.

Lawful basis for processing

Our lawful basis for processing your data is Contract. When you applied for a job it was with a view to entering into an employment contract with us.

Retention Periods

If you are not successful in securing a role, then we will keep your details on our database for a period of 6 months.

Work Experience Privacy Notice

Data that we hold and how we use it

If you join us for a work experience placement, we hold the following data about you: name, address, email address, telephone number, qualifications, some background information and personal bio, emergency contact details.

This information will be used to provide you with information and support as part of your work experience.

Lawful basis for processing

Our lawful basis for processing your data is legitimate interest.

Retention Periods

We store your data only for the duration of your work experience.

Trustee & Patron Privacy Notice - you’re a Trustee or Patron of the charity

Data that we hold and how we use it

If you are a Trustee or Patron of the Injured Jockeys Fund, the data that we hold about you includes name, address, bank details, and type of expense. We use this data to manage our relationship with you and fulfil our legal obligations as a charity and UK based company.

 If we feature you in our materials such as publications, social media posts or TV adverts, we may also have your image. In this case we use your data to help us inform about the Fund, our trustees and promote our activities.

If you attend a beneficiary holiday, to organise this we will process your name and contact details, date of birth, passport information and, if applicable, health information and health insurance details.

Lawful basis for processing

Our lawful basis for processing your expense data is Contract; the data is used to enable us to fulfil our contract with you and Legal Obligation.

If we feature you in our materials such as TV adverts or social media posts or our newsletter, this would be with your explicit consent. The lawful basis for processing your data is legitimate interest based in you having consented to take part.

Our lawful basis for processing your data is Legitimate Interest for organising our charity events and holidays, to support IJF beneficiaries.

Retention Periods

We store your expense data for 7 years after your last activity.

For social media posts, the retention period is driven by the platform For TV adverts, the retention period is the length of the TV advert run.

We store events information for 7 years, and holidays information for the time that you are involved with IJF plus 8 years.

 

Industry Expert Privacy Notice

Data that we hold and how we use it

If you are an industry expert who we’ve interacted with, then we may process your data in order to invite you to a charity related event, or in relation to organising beneficiary holidays.

The data will include your name and contact details. If we need further details in relation to organising travel, then these may include your date of birth, passport information and, if applicable, health information and health insurance details.

We may also process your personal data for legal reasons if we are obliged to provide it to a regulatory authority or to respond to a Data Subject Request. If you are not the requester, we will redact your data from Data Subject Request responses unless you agree to provide it.  

Lawful basis for processing

Our lawful basis for processing your data is Legitimate Interest for organising our charity events and holidays, to support IJF beneficiaries.

Retention Periods

We store events information for 7 years, and holidays information for the time that you are involved with IJF plus 8 years.

 

Event Attendee Privacy Notice

 

If you are an event attendee then we will process data necessary for your attendance (Contact details, role etc) as well as any dietary preferences and considerations we may need to take to ensure your attendance goes as smoothly as possible. If we process any other data that time of the event, or need to share data with a Third Party (for example a co-hosted event), then we will let you know at the time and give you the chance to opt out as appropriate.

Our lawful basis for processing is legitimate interest, and we retain the data so we can invite you to future events and keep you up to date with our activities. If you wish to be removed from our database, you can always let us know.