Introduction
This website is owned and operated by St John Ambulance.
St John Ambulance respects your privacy and is committed to protecting your personal data. This privacy notice explains how we, St John Ambulance, and our subsidiary trading company Support St John Limited may collect and use the information you give us, the conditions under which we may disclose it to others and how we keep it secure. We may change this Notice from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our websites, you agree to be bound by this Notice. Please also use the Data Protection Glossary at the end of the Notice to understand the meaning of some of the key terms used.
Important information and who we are
St John Ambulance is a registered charity in England and Wales (charity number 1077265-1). We are also a company limited by guarantee (company number 3866129) and have a wholly owned trading subsidiary, Support St John Limited (company number 1181644), each of which trades as St John Supplies.
The information in this Privacy Notice relates to personal information which is obtained by the above entities and for which St John Ambulance is the Data Controller under data protection legislation.
Purpose of this privacy notice
This Notice aims to give you information on how St John Ambulance collects and processes your personal data, for a quick view of the type of personal information and how we use it, please see tables below which have been split into the main ways individuals interact with us as an organisation.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. We want to be as transparent as possible in the way in which we use your information so that you can be comfortable in providing the information to us and be clear on why we need certain information.
Controller
St John Ambulance acts as the data controller (joint-controller in some instances) and is responsible for your personal data (collectively referred to as “St John Ambulance”, “SJA”, “we”, “us” or “our” in this Notice). If you have any questions about this Notice, including any requests to exercise your legal rights, please contact us using the details set out below.
Contact details
Please contact us via email at data-protection@sja.org.uk or by post- marked for the attention of the Data Protection Officer at St John Ambulance, 27 St John's Lane, London EC1M 4BU.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to this notice and changes to your personal data
This Notice may be varied from time to time, where possible we will notify you of any changes to this Notice. This may be by way of a pop-up notification on the website or communicated to you by another means which you have agreed we may contact you by.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.
The date we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, email address, postal address, phone number, photographs and CCTV footage.
- Identification Evidence Data includes uploaded passport, utility bills, birth certificate, driver's license or any other identification evidence for the purpose of validating your identity.
- Employment Data which could include employment status, job title, DBS and accreditation data.
- Educational & Qualifications Data includes details on any qualifications gained or courses attended relevant to the delivery of our service.
- Contact Data includes billing address, delivery address, email address and telephone numbers.
- Financial Data includes bank account and/or payment card details.
- Transaction Data includes details about payments to and from you and other details of services you have purchased from us.
- Services Data includes Customers employee names and contact details along with details on job roles and qualifications.
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Usage Data includes information about how you use our website.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
Special Categories of Personal Data (this can include details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). We may collect, use, store and transfer different kinds of special personal data about you which we outlined in the below tables.
If you fail to provide personal data
Where we need to collect personal data by law, or in order to provide our services to you and you fail to provide that data when requested, we may not be able to provide such services. In this case, we may have to cancel the service you have with us, but we will notify you if this is the case at the time.
How is your personal data collected?
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity and Contact data when you contact us via this website or by corresponding with us by post, phone, email or otherwise.
- Automated technologies or interactions. As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
Third parties or publicly available sources. We may receive personal data about you from various third parties such as your employer and public sources. We protect data obtained from third parties according to the practices described in this Notice, plus any additional restrictions imposed by the source of the data. These third-party sources vary over time, but have included:
Someone who may have nominated you for an Everyday Heroes Award.
Someone who may post a photograph or information relating to you to our social media platforms.
Data brokers from which we purchase information for potential business customers (for example, name, job title and business address).
Partners with which we offer co-branded services or engage in joint marketing activities.
Publicly available information such as newspaper or online media items; public posts on LinkedIn or social media; open government databases such as Companies House; databases of grant-funding opportunities and other data in the public domain. Please refer to section 7 (‘Profiling’) below for more information about how we may use this information.
Some of our premises and vehicles are monitored by CCTV and footage may be captured for security and safety purposes.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform a contract we are about to enter into or have entered into with you.
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Such as via the ‘Contact’ service on this website.
Where we need to comply with a legal or regulatory obligation.
Where you have given us Explicit Consent for other purposes such as marketing. Where we do rely on your Explicit Consent you have the right to withdraw your consent at any time.
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal basis we rely on to do so. We have also identified what our legitimate interests are where appropriate. These tables have been split into the key ways individuals interact with us as an organisation, including as a:
- donor & supporter
- customer (training & supplies)
- young person (Cadets & Badgers)
- patient
- suppliers and contractors
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground, we are relying on to process your personal data where more than one ground has been set out in the table below.
Donors and supporters
Purpose / Activity
Profiling you as a potential donor
Type of Data
a) Identity Data
b) Employment Data
e) Contact Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Necessary for our legitimate interest to ensure that we are engaging with the people most likely to support St John Ambulance. Profiling allows us to target our resources effectively and help ensure that we only send you information we reasonably think will be of interest to you.
To register you as a donor and process your donation
a) Identity Data
e) Contact Data
f) Financial Data
g) Transaction Data
To maintain a relationship with you as a donor in line with your contact preferences
e) Contact Data
Young people (Cadets & Badgers)
Purpose / Activity
Onboarding young people into the organisation, which will include obtaining personal data of both the young person, and their parent/ guardian.
Please note, in some cases, sensitive data relating to disability may be collected in order to support a young person’s journey in SJA.
Type of Data
a) Identity Data
b) Identification Evidence Data
e) Contact Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Processing is necessary to fulfil a contractual agreement, steps taken to enter a relationship between the individual and the organisation.
Purpose / Activity
Cadet & Badgers Financial assistance. Further data will be required to review financial assistance requests.
Type of Data
f) Financial Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Processing is necessary to fulfil a contractual agreement, steps taken to enter a relationship between the individual and the organisation.
Patients
Purpose / Activity
Type of Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Further information
Personal data is obtained from patients treated by SJA, this is so SJA have a record of the patients and treatment provided and so this can be retrieved if requested.
Type of Data
a) Identity Data
e) Contact Data
The nature of a patient report form (PRF) will mean sensitive (medical) data is captured.
Lawful basis for processing including basis of legitimate interest and further description of activity
Processing is necessary for the performance of a task in the public interest
Further information
All patients can request to receive a copy of their Patient Report Form (PRF) by contacting data-protection@sja.org.uk
b) Identification Evidence may be asked for if you have made a request for your PRF, this will be destroyed on completion of the request.
Customers (training and supplies)
Purpose / Activity
Provide our learning and training services
Type of Data
a) Identity Data
e) Contact Data
f) Financial Data
g) Transaction Data
h) Services Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Processing is necessary to fulfil a contractual agreement, between the organisation (or individual) booking onto a course and SJA fulfilling their obligations in relation to that course, including providing the relevant certification post completion.
Further information
We may send direct marketing to bookers and/or delegates dependent on contact preferences or where there is the ability for us to do so under legitimate interest (business contacts).
Sell and distribute supplies (St John Supplies)
a) Identity Data
e) Contact Data
f) Financial Data
g) Transaction Data
h) Supplies Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Processing is necessary to fulfil a contractual agreement, between the organisation (or individual) purchasing supplies and SJA fulfilling their obligations in relation to these supplies.
Further information
We may send direct marketing to customers dependent on contact preferences or where there is the ability for us to do so under legitimate interest (business contacts).
Suppliers and contractors
Type of Data
a) Identity Data
e) Contact Data
f) Financial Data
g) Transaction Data
h) Services or Goods Data
Lawful basis for processing including basis of legitimate interest and further description of activity
Processing is necessary to fulfil a contractual agreement, between the organisation (or individual) providing services or goods and SJA fulfilling their obligations.
Disclosures of your personal data
We will not sell or rent your information to third parties. We may have to share your data with third parties, as described below. If we do, you can expect a similar degree of protection in respect of your personal information to that provided by us. We require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may pass your personal information to our third-party service providers, including contractors and designated agents, and other associated organisations for the purposes of completing tasks on our behalf (for example to process donations and payments, to fundraise, send you St John Ambulance® communications, to supply you with goods and services, to resolve product queries or issues and to assist us with marketing analysis). However, when we use third party service providers, we disclose only the personal information that is reasonably necessary to deliver the service.
We may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or re-organisation, or if we’re under a legal duty to disclose or share your personal data in order to comply with or enforce any legal obligation or rights or to enforce or apply our terms of use or to protect the rights, property or safety of our supporters and customers. However, we will aim to protect your privacy.
We may share your personal information with our parent charity, The Priory Of England And The Islands Of The Most Venerable Order Of The Hospital Of St. John Of Jerusalem (charity number 1077265) where reasonably necessary.
We may also share your personal information with The Order of St. John, an Order of the Chivalry formed by Royal Charter and our ultimate parent organisation, for the purposes of the Order’s honours and awards system.
International transfers
There may be some instances where your personal information is processed or stored outside of the UK/EEA. In those instances, we will ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law.
St John Ambulance operates in the Baliwicks of Guernsey, Jersey and in the Isle of Man, each of which are outside of the EU. Personal information provided to St John Ambulance may be given to our local offices in those territories and stored in data retrieval systems in the territory, but only when you request information or services relating to our operation in those territories. There is an adequacy decision by the European Commission for these countries, which means that they are deemed to provide an adequate level of protection for your personal information.
Data Security
St John Ambulance uses appropriate security measures to protect your personal information against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures may include, but are not limited to, a range of organisational safeguards such as staff training, and duties of confidentiality and the following technical safeguards listed below. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach, where we are legally required to do so.
Data retention - how long will you use my personal data for?
We will only retain your personal information for as long as necessary for the purposes we collected it for, as set out in our Data Retention Schedule, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
For further information about the retention period in a particular case, please contact our Data Protection Officer by email- data-protection@sja.org.uk or by post- marked for the attention of the Data Protection Officer at St John Ambulance, 27 St John's Lane, London EC1M 4BU.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please review the detail below to find out more about your legal rights. If you wish to exercise any of the rights set out above, please contact us.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. Please use this Subject Access Request Form if you wish to make a request.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
If you believe that any information, we are holding on you is incorrect or incomplete, please write to or email us as soon as possible, at the following address. We will promptly correct any information found to be incorrect
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues, you can do so here.
Data protection glossary
Term Data Controller
Definition A person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Term Data Processor
Definition A person, public authority, agency, or other body which processes personal data on behalf of the controller.
Term Information Commissioner’s Office (ICO)
Definition Commissioner’s Office (ICO)
The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
The ICO website is also a great resource to refer to for all data protection queries.
Term Personal Data
Definition Any information relating to a person (a ‘data subject’) who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Term Special Category Data
Definition Special category data needs more protection than personal data, as it is more sensitive. The UK GDPR defines special category data as personal data revealing:
racial or ethnic origin
political opinions
religious or philosophical beliefs
trade union membership
genetic data
biometric data
health
sex life
sexual orientation.
Term Subject Access Request (SAR)
Definition Anyone has the right to ask an organisation whether they are using or storing their personal data. You can create a SAR to request copies of your personal information, this can be done verbally, via email (data-protection@sja.org.uk) or by filling out this online form.
Term UK GDPR
Definition The UK General Data Protection Regulation is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights, and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
Your rights in connection with personal information
By law you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for process it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please send a written request to our Data Protection Officer by email- data-protection@sja.org.uk or by post- marked for the attention of the Data Protection Officer at St John Ambulance, 27 St John's Lane, London EC1M 4BU.
We will ask you for information to confirm your identity and, where applicable, to help us search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received any request (including any identification documents requested).
Use of Cookies
What are cookies and how we use them
Cookies are text files containing small amounts of information which are downloaded to your computer or device and which do lots of different jobs.
When you first visited the website, you would have been given a choice about what cookies are set.
Some cookies are necessary to make the website work properly, for example allowing us to show you the right web page, and helping us to keep our website secure. Performance cookies help us to analyse and improve how our website works, and are optional. Marketing cookies help to ensure the adverts you see online are more relevant to you and your interests, and are optional.
Cookies which are set by us are called ‘first-party’ cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts.
You can see the full list of cookies on our website, and change your preferences, here.
Organisation contact
We have appointed a Data Protection Officer to oversee compliance with this Notice. If you have any questions about this Notice or how we handle your personal information, please contact our Data Protection Officer by email-data-protection@sja.org.uk or by post- marked for the attention of the Data Protection Officer at St John Ambulance, 27 St John's Lane, London EC1M 4BU.
Right to make a complaint
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. The contact details for the Information Commissioner’s Office, the data protection regulator in the UK, are below:
Post: Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Call: 0303 123 1113
Email: casework@ico.org.uk
If you have any questions, please contact data-protection@sja.org.uk
Policy last updated Dec 2024.
