Privacy policy

This privacy policy sets out how West Midland Adult Cystic Fibrosis Centre uses and protects any information that you share with West Midland Adult Cystic Fibrosis Centre when you use this website.

West Midland Adult Cystic Fibrosis Centre is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.

The information in this policy is valid for visitors to and pertains to the information they share or that is collected about them whilst viewing and interacting with the website's content. This policy is not applicable to information collected offline or via other channels - for this, see the GDPR Patient Information Sheet lower down the page.

If you can't find the information you're looking for within the policy or if you have any additional questions please contact us.


By using our website, you hereby consent to our Privacy policy and agree to its terms.

PII (Personally Identifiable Information) we collect and how we use it

If you make a donation, use the marketing sign up consent form, or contact us via the website, we may collect the following information:

  • Your name
  • Your email address
  • Your house name or number and postcode, if you choose to Gift Aid a donation
  • You may also include a message if contacting us

We hold PII you submit through forms on the website for a maximum of 12 months. We collect this information in order to be able to process your donation or respond to any message you send us.

Details submitted via the marketing sign up consent form will be held indefinitely, but you may choose to unsubscribe at any time via the link at the bottom of any marketing email.

Data collected by Google Analytics

We use Google Analytics to track user activity on our website. To do this a unique identifier is created when you first visit our website and stored as a cookie so that as you visit other pages on the website, or if you leave and then return to the website, we identify the activity as belonging to the same user. This unique identifier does not directly provide us with any Personally Identifiable Information (such as your name or email address).

We monitor visitor activity to:

  • Track how visitors find / arrive at our website (e.g. via a Google search, a social media post, a link on another site)
  • Measure how visitors engage with our content (e.g. bounce rate, number of pages viewed per session, time spent per visit)
  • Monitor the performance of our website in meeting key goals (e.g. when a visitor makes a donation)

Based on the data we collect with Google Analytics we optimise our online strategy to help the website be discovered by more potential clients and we make changes to the website to improve the experience for visitors.

Your unique identifier is held for 26 months. If you don't wish to have your activity tracked whilst visiting the website you can disable cookies for the website in your browser. The website will continue to function as normal if you disable any or all cookies.

Data we collect in server logs

We store the following information about each request (page visit) visitors make when visiting

  • IP (Internet Protocol) Address
  • ISP (Internet Service Provider)
  • User agent (browser and OS type)
  • Date and time of each request
  • The URL visited
  • In the event of an error additional information about the request will be captured including headers, cookies and the request body (present on PUT and POST requests).

We collect this information to help us monitor traffic to the website, detect and analyse issues and to filter out unwanted traffic (e.g. unregistered web crawlers/bots).

We hold information in the server logs for 90 days. The information we collect does not directly provide us with any PII (Personally Identifiable Information) (such as your name or email address), except where PII is submitted as part of a request that generates an error. For example, if you were submitting your email address as part of sending an enquiry and an issue was raised, your email would be collected as part of the error information.

GDPR Data Protection Rights

We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

  • The right to access – You have the right to request copies of your personal data held by us (commonly known as a subject access request).
  • The right to rectification – You have the right to request that inaccurate personal data we hold is rectified, or completed if it is incomplete.
  • The right to erasure / The right to be forgotten – You have the right to request that we erase personal data that we hold about you. This right is not absolute and only applies in certain circumstances.
  • The right to restrict processing – You have the right to request that we restrict the processing of personal data we hold about you. That is, we may hold that data but may not use it. This right is not absolute and only applies in certain circumstances.
  • The right to data portability – You have the right to request that we transfer the data we have collected about you, either directly to you or to another organisation.
  • The right to object to processing – You have the right to object to us processing personal data we collect and hold about you.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us.

A more detailed overview of your rights under GDPR can be found on the Information Commissioner's Office website.

GDPR Information Sheet

Registered Charity Number: 1074745

This sheet sets out how Heartlands Cystic Fibrosis Centre Charity, which supports the West Midlands Adult CF Centre (part of University Hospitals Birmingham), uses and protects any personal information that you consent to providing. Heartlands Cystic Fibrosis Centre Charity will ensure that your privacy and personal data are protected as governed by the General Data Protection Regulations/Data Protection Act 2018.

Last updated: August 2019


  • Charity – means Heartlands Cystic Fibrosis Centre, a registered charity, no. 1074745 (registered as an independent charity)
  • GDPR – means the General Data Protection Regulations
  • Responsible Person – CF Centre Director (working at UHB)
  • Register of Systems – means a register of all systems or contexts in which personal data is processed by the Charity

1. Data protection principles

The Charity is committed to processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

  1. processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
  6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

2. General provisions

  1. This policy applies to all personal data processed by the Charity.
  2. The CF Centre Director shall take responsibility for the Charity’s ongoing compliance with this policy.
  3. This policy shall be reviewed at least annually.

3. Lawful, fair and transparent processing

  1. To ensure its processing of data is lawful, fair and transparent, the Charity shall maintain a Register of Systems.
  2. The Register of Systems shall be reviewed at least annually.
  3. Individuals have the right to access their personal data and any such requests made to the charity shall be dealt with in a timely manner. You can make a request by emailing our Charity Administration Manager on Alternatively you can write to them using the following address: FAO: CF Charity Administration Manager, Ward 26, Birmingham Heartlands Hospital, Birmingham, B9 5SS.

4. Lawful purposes

  1. All data processed by the charity must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
  2. The Charity shall note the appropriate lawful basis in the Register of Systems.
  3. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

5. Data minimisation

  1. The Charity shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  2. The data will be stored on a password protected computer. This is password protected to ensure that the data is kept as secure as possible by the CF Centre Charity.

6. Accuracy

  1. The Charity shall take reasonable steps to ensure personal data is accurate.
  2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
  3. Accuracy of data will be checked every 5 years by contacting those on the charity database.

7. Archiving / removal

  1. To ensure that personal data is kept for no longer than necessary, the Charity shall permanently erase old and inaccurate data.

8. Security

  1. The Charity shall ensure that personal data is stored securely.
  2. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
  3. When personal data is deleted this should be done safely such that the data is irrecoverable.
  4. Appropriate back-up and disaster recovery solutions shall be in place.

9. Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Charity shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO (more information on the ICO website), and an incident form (IR1) shall be completed on the trust’s system.

10. References and Links

ICO Guide to the General Data Protection Regulation (GDPR)

EUR-Lex: General Data Protection Regulation in full