Privacy and data protection
Introduction
MQ: Transforming Mental Health (“MQ” or “Us” or “We”) is a registered charity in England and Wales (1139916) & Scotland: (SC046075) and a registered company in England and Wales (7406055). We champion and fund world-class research to transform the lives of everyone affected by a mental health condition.
The MQ Foundation (MQF) is a US-based 501c3 public charity founded in 2018, whose mission and priorities are closely aligned with those of MQ. MQ has licensed the MQ brand to the MQ Foundation to foster synergy and efficiency between our two organisations. MQ and MQ Foundation share at least one board member, and at least one MQ Foundation representative serves on the MQ Research Committee.
It is important that you read this Privacy Notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal information about you so that you are fully aware of how and why we are using your information. This Privacy Notice supplements the other notices and is not intended to override them.
MQ’s accountability
MQ is committed to protecting your privacy and security as well as being transparent about how we store, use and share your information. We respect your privacy and are committed to protecting your personal data. MQ is the Data Controller. We are responsible for the management and processing of your personal information.
This Privacy Notice will inform you as to how we look after your personal data and tell you about your rights and how the law protects you.
You may be asked to provide your personal data anytime you are in contact with us, including, for example when you donate, participate in an event, apply for a grant or, visit our website (regardless of where you visit from). We may share this personal data and use it consistent with this Privacy Notice. You are not required to provide the personal data that we have requested, but, if you chose not to do so, we may not be able to fulfil your request.
This Privacy Notice does not apply to information collected by any third party, including through any application or content (e.g. advertising) that may link to or be accessible from our website.
As part of MQ’s induction process, all staff and volunteers sign a confidentiality agreement and in so doing agree to follow regulatory practices and this policy. New staff receive training in data protection to maintain best practices at MQ and we have refresher training on an annual basis.
Any staff member’s behaviour which breaches this policy and regulatory requirements alike, will be taken very seriously by MQ and will be subject to investigation and disciplinary action where appropriate.
Minors
Please note that our website is not intended for children to provide content (photos or stories) or donate. No one under the age of 18 may provide any information to or on our website without the prior given parental or guardian consent. We believe it’s important that children and young people can share their experience and views on mental health, and we are committed to ensuring real life experience guides our work and priorities. If a child, or young person under the age of 18, wants to interact with MQ, we require pre-consent from their parent or guardian. If you become aware that your child has provided personal information to us without your consent, please contact us as described in this Privacy Notice and we will take reasonable steps immediately to remove any such information.
This Privacy Notice is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this Privacy Notice.
If you have any questions about this Privacy Notice, including any requests to exercise your rights as provided under ‘Your Legal Rights’ below, please contact us.
The Information We Collect About You
At MQ, we would like to build long-lasting relationships with you based on trust and transparency. Your personal data enables us to understand you better and be more appropriate when communicating with you. In turn, this better equips us to handle enquiries, deliver materials and process payments. However, above all, it facilitates us in providing quality support.
What is Personal Data?
Personal data, or personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:
- Identity Data includes first name, last name, username or similar identifier, title, date of birth and gender as well as dietary, accessibility requirements when joining an event.
- Contact Data includes billing address, email address and telephone numbers.
- Financial Data includes bank account and payment card details, gift aid status.
- Transaction Data includes details about payments from you and other details of your gift or donations to us.
- Technical Data includes internet protocol (IP) address, Media Access Control (MAC) numbers, your login data, browser type and version, and time zone setting, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
- Profile Data includes your username and password (where an account set-up is required e.g. a Researcher applying for a Grant), gifts made by you, your interests, preferences, feedback and survey responses
- Usage Data includes information about how you use our website.
- Marketing and Communications Data includes your preferences in receiving marketing from us and/or marketing firms we engage with and your communication preference.
We also collect, use and share Aggregated Data (I.e. anonymised data) such as statistical or demographic data for Marketing, Fundraising and Reporting. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this Privacy Notice.
Special Category Data
As part of your employment, volunteer application or interaction with us we may collect any Special Categories of Personal Data about you like racial or ethnic origin or sexual orientation. We do not collect any information about criminal convictions and offences, except where germane to your employment or volunteer application.
We encourage people to talk transformatively about mental health to help combat stigma, access improved services and treatments more easily, to take part in research and invest their support in helping the next generation of those experiencing mental illness. In doing so people might want to share their own mental health story and this may contribute to further research about wellbeing and mental health. We will not store or process Special Category Data unless we get your prior permission to share your experience of mental health and/or publish this in an anonymous or pseudonymous fashion.
How Is Your Personal Information Collected
Information we collect directly from you:
We may collect information directly from you whenever you come in contact with MQ. For example, when you:
- Donate;
- Have meetings or come to one of our events
- Take part in research;
- Take on a challenge;
- Sign up to receive one of our newsletters;
- Share your story about your mental health;
- Request materials and templates such as the fundraiser toolkit;
- Register for an event;
- Request marketing to be sent to you;
- Apply for one of our available positions;
- Give us some feedback;
- Fill our whistleblowing form;
- Apply for the Lived Experience Experts Network (LEEN)
- Apply for an MQ funded research grant.
Information we collect indirectly from you.
We may also collect information indirectly from you. For example, through:
- Automated technologies or interactions. As you interact with our website, we may collect Technical Data about your equipment, browsing actions and patterns. We collect this personal information by using cookies, server logs, analytics tools, advertising networks and other similar technologies.
- Third-Party Fundraising Organisations e.g. JustGiving, Facebook
- Contact, Financial and Transaction Data from providers of technical, payment and delivery services based in the E.U or UK.
- Identity and Contact Data from data brokers or aggregators based inside or outside the EU.
- Identity and Contact Data from employment and recruitment agencies.
- Identity and Contact Data from other publicly available sources.
- We may, on rare occasions, purchase GDPR compliant contact lists of academics or other professionals for the intention of promoting funding calls or research activities.
We may also use publicly available information to add to what we already know about you. We want our communications and events to be relevant and tailored to your background and interests, and sometimes may use publicly available information to achieve this.
You can find more information below on cookies.
How We Use Your Personal Information
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Update and enhance our internal database systems to deliver excellent supporter care and positive experiences with MQ
- Where we need to receive and process your donation.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where you want us to bring you in contact with a selected researcher (via our Participate platform)
- Where we need to comply with a legal or regulatory obligation.
Please see the table below to find out more about the types of lawful basis that we will rely on to process your personal information.
Generally, we do not rely on consent as a legal basis for processing your personal information other than in relation to sending direct marketing communications. You have the right to withdraw consent to marketing at any time by using the opt-out options embedded in our communications or by contacting us.
Purposes for which we will use your personal information:
We have set out below, in a table format, a description of all the ways we may use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal information for more than one lawful basis depending on the specific purpose for which we are using your information.
Purpose/Activity |
Type of data |
Lawful basis for processing including basis of legitimate interest |
| To register you as a new or prospective supporter or a volunteer | (a) Identity (b) Contact |
(a) Consent (b) Legitimate Interest
|
| To process and accept your gift(s) including managing payments, fees and charges |
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications |
(a) Consent (b) Performance of a contract |
| Research & Profiling | (a) Identity (b) Contact (c) Financial |
(a) Legitimate Interest See Research & Profiling segment below |
|
To register you as a grant applicant/funded researcher
|
(a) Identity (b) Contact |
(a) Consent (b) Performance of a contract |
| Promoting funding opportunities to research candidates | (a) Identity (b) Contact |
(a) Legitimate Interest |
|
Invite participants to be part of a research study.
|
(a) Identity (b) Contact |
(a) Consent |
|
To communicate our legal obligations to you:
|
(a) Identity (b) Contact (c) Profile (d) Financial (e) Marketing and Communications
|
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated) |
| To enable you to complete a survey | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to study how donors use our services, to develop them and grow our charity) |
| To administer and protect our charity and website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Usage (b) Marketing and Communications (c) Technical |
(a) Necessary for our legitimate interests (to study how our supporters use our services, to develop them, to grow our charity and to inform our marketing strategy) |
| To use your Identity, Contact, Technical, Usage and Profile Data to form a view on whether you want to consider donating to our charity or what may be of interest to you. This is how we decide which services and offers may be relevant for you. | (a) Identity (b) Contact (c) Profile (d) Usage (f) Technical (e) Marketing and Communications
|
(a) Necessary for our legitimate interests (to study how our supporters use our services, to develop them, to grow our charity and to inform our marketing strategy) |
| To use data analytics to improve our website, services, marketing, donor relationships and experiences | (a) Technical (b) Usage |
(a) Necessary for our legitimate interests (to define types of supporters, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
|
| To process your application for one of our available positions | (a) Identity (b) Contact (c) Special Category Data |
(a) Necessary for our legitimate interests (to assess your professional credentials against the needs of a particular role). |
|
To comply with the law (tax, anti-laundry legislation)
|
(a) Identity (b) Contact (c) Financial |
(a) Legal obligation |
In no event will MQ sell your personal data to third parties.
Research and profiling
As a fundraising organisation, we undertake in-house research and from time to time engage specialist agencies (trusted third parties) to gather information about you from publicly available sources, for example, Companies House, the Electoral Register, company websites, ‘rich lists’, social networks such as Linkedin, political and property registers and news archives.
We may also carry out wealth screening to fast track the research using our trusted third-party partners. You will always have the right to opt out of this processing. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. We also use publicly available sources to carry out due diligence on donors in line with the charity’s Gift Acceptance Policy and to meet money laundering regulations.
This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way and ensure that we provide you with an experience as a donor or potential donor which is appropriate for you.
If you would prefer us not to use your data in this way, please contact us.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
In the unlikely event we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Third-parties
Third Parties within the UK and EU
For operational reasons, or in order to meet specific requests, data may also be processed on MQ’s behalf by external organisations. In these instances, data will be handled under strictly regulated conditions and in accordance with the data protection and security regulations.
Third parties will only handle MQ’s data once we have screened their best practice policies and reviewed their:
- Methodology for being compliant with regulations.
- Processes for monitoring quality control
- Methodology of conducting due diligence
They will also need to have signed both a Service Level Agreement (SLA), a Data Processing Agreement (DPA) and confidentiality agreement called an ‘Non-disclosure Agreement’ (NDA).
We will never sell your details and will only share your details with third parties (who are not working with us directly) with your explicit consent.
We will only disclose information in one or more of the following circumstances:
- Where consent has been obtained
- Where there is a legal obligation
- Where there is a public duty (e.g. legal reasons)
- In connection with the transfer of all or any of rights and obligations to a third party (for example if we merged with another organisation)
- Third Parties in the USA and the rest of the world
When we work with third parties based outside of the EU/ EEAU we conduct due diligence to the same high standard.
We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.
Third-party links
Our website may include links to third-party websites and organisations, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the Privacy Notice of every website you visit to ensure you can make informed choices and are in control of your information. Our practices are aligned with the UK General Data Protection Regulation (UK GDPR 2020), alongside the Data Protection Act (DPA 1998) and the existing ePrivacy regulation, called the Privacy and Electronic Communications Regulation (PECR).
Third-party use of cookies and other tracking technologies
Some content or applications on our websites are served by third parties, including content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our websites. The information they collect may be associated with your personal information or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based advertising or other targeted content. We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.
If you are based in the United States you can opt-out of receiving targeted ads from members of the Network Advertising Initiative (“NAI”) on the NAI’s website at https://optout.networkadvertising.org/.
If you are based in the European Union you may visit the website of the European Interactive Digital Advertising Alliance (“EIDAA”) at https://edaa.eu/ as well as of the European Advertising Standards Alliance (“EASA”) at https://www.easa-alliance.org/.
Opting out
You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Do Not Track “DNT” Signals
We honour “Do Not Track” or “DNT” browser signals. However, while we take all reasonable steps to protect the privacy of our website visitors, we cannot promise that the current levels of our online applications programming will address every browser setting or honour every personal browser preference.
Cookies
We and our service providers use technologies on our sites and services to collect information, such as time spent on page, operating system, device, pages visits, internet protocol (IP) address, browser type and version, that helps us improve the quality of our sites and services and the online experience of our visitors and users. In this Privacy Notice, we refer to these technologies, which include cookies (small text files stored on your computer or mobile device to remember your actions or preferences over time) and tracking technologies, such as JavaScript and similar technologies from third party providers, collectively as “cookies”. Cookies allow us to personalize your return visits to our sites and services and to save you time during certain activities, such as remembering your user preferences.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this Website may become inaccessible or not function properly.
Disclosures of Your Personal Information
We may have to share your personal information with the parties set out below (under the Third Parties section in the Glossary) for the purposes set out in the table in under “Purposes for which we will use your personal information” above.
In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may also disclose your personal information as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
International Transfers
Whenever we transfer your personal information out of the UK, we ensure an adequate degree of protection is afforded to it by ensuring that when we share your personal information within the Group or with our trusted service providers, we may use specific contracts approved by the Commissioner which give personal information the same protection it has in the UK or E.E.A. Please contact us if you want further information on the specific mechanism used by us when transferring your personal information out of the UK or EEA. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Data Security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. We may use encryption, secure socket layer, firewalls, physical lock and key, internal restrictions, password protection, MFA and other security measures to help prevent unauthorized access to your personal information. We use standard security protocols and mechanisms for the transmission of personal data. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
No method of transmission over the Internet, or method of electronic storage, is 100% secure, however. Therefore, we cannot guarantee its absolute security. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. Notice will be given promptly, consistent with the legitimate needs of law enforcement and any measures necessary for MQ or law enforcement to determine the scope of the breach and to assure or restore the integrity of the data system. MQ may delay notification if MQ or a law enforcement agency determines that the notification will impede a criminal investigation, unless and until MQ or the agency determines that notification will not compromise the investigation. If you have any questions about the security of your personal information, you can contact us.
Data Retention
How long will you use my personal information for?
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances you can ask us to delete your information: see “Your Legal Rights” below for further information.
In some circumstances we may anonymize your personal information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your Legal Rights
We want to inform you of your rights when it comes to your information and we would like to help you to better understand them. Under UK data protection law, you have rights over personal information that we hold about you. These are (see glossary for explanation):
Right to access your personal information: You have a right to request access to or request a copy of the personal data that we hold about you unless legal exceptions apply.
Right to have your inaccurate personal information corrected: You have the right to have inaccurate or incomplete information we hold about you corrected. Please contact us if this applies.
Right to restrict use of your personal information: You have a right to ask us to restrict the processing of some or all of your personal information
Right to erasure of your personal information: You have the right to request that MQ deletes the data we hold on you. This is not an absolute right and if we are unable to delete your information, we will explain why.
Right for your personal information to be portable: Where we have your consent to process your personal information, you or an organisation with legal purpose, can request a copy of your personal data in a machine-readable format so it can be transferred.
Right to object to the use of your personal information: You have a right to object to our use of your information and we will aim to comply as soon as possible.
To exercise any of the above rights, please contact us. Under certain circumstances we will not be able to fulfil your request, such as if it interferes with our regulatory obligations, affects legal matters, we cannot verify your identity, or it involves disproportionate cost or effort, but in any event, we will respond to your request within a reasonable timeframe and provide you with an explanation.
Please note that for personal information about you that we have obtained or received for processing on behalf of a separate, unaffiliated entity–which determined the means and purposes of processing, all such requests should be made to that entity directly. We will honour and support any instructions they provide us with respect to your personal information.
Contact Us
If you have any questions or comments about this Policy or our privacy practices, please contact us using the details below. We will address all your questions or complaints within one month of receiving it. Directly contact our Supporter Care Team by email [email protected] or Phone: 0300 030 8100 or Complete our contact form.
You can also write to us at:
Supporter Care
MQ Mental Health Research
6 Honduras Street
London EC1Y 0TH
You also have the right to lodge a complaint about any use of your information with the Information Commissioners Office (link is external), the UK data protection regulator.
We reserve the right to change the terms of this Privacy Notice at any time. When we do, we will post the revised Privacy Notice to our Website and the last revision date will be updated so that you will always be able to understand what information we collect, how we use your information, and under what circumstances we may share your information with others. We will notify you of any material changes by way of a pop-up notice on our website prior to the changes becoming effective and pointing the changes to your attention.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us by contacting us.
This version was last updated on 09/02/2024.
GLOSSARY
LAWFUL BASIS
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your information where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal information where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
THIRD PARTIES
Internal Third Parties
The MQ Foundation (see introduction)
External Third Parties
- Service providers acting as processors based in or outside the UK who provide IT and system administration services.
- Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based inside or outside the UK who provide consultancy, banking, legal, insurance and accounting services.
- Regulators and other authorities acting as processors or joint controllers based inside or outside the UK who require reporting of processing activities in certain circumstances.
YOUR LEGAL RIGHTS EXPLAINED
Under UK GDPR (2020) you have the rights :
Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new information you provide to us.
Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios: (a) if you want us to establish the information’s accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.
Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain or services to you. We will advise you if this is the case at the time you withdraw your consent.