Introduction and general terms
Oxfam Great Britain (OGB) promises to take great care with your personal data. We commit to protecting any personal information we obtain about you, whether you are a financial supporter, shopper, volunteer, partner or campaigner.
Who we are
Oxfam is a registered charity in England and Wales (charity number 202918) and in Scotland (charity number SC039042). We are also a company limited by guarantee (company number 612172), and have a wholly-owned trading subsidiary (Oxfam Activities Limited, company number 00830341).
Oxfam's registered address is Oxfam House, John Smith Drive, Cowley, Oxford, OX4 2JY.
Oxfam's purpose and overall mission is to end the injustice of poverty. We provide humanitarian aid in times of crisis, fund long term community development programmes and conduct research and campaign for long term solutions to poverty.
Our supporters help us to achieve this in a variety of ways, primarily by:
- Fundraising, donating money and donating or purchasing goods for sale in Oxfam shops in order to support our programme of work
- Campaigning for change, through signing petitions, writing letters and taking part in other campaigning actions
- Volunteering, including in Oxfam shops, at events and in our offices
We take active steps to make sure that our supporters are aware of the ways in which they can help us achieve our overall purpose.
Why we hold and process supporters’ personal data
We hold and process supporters' personal data for a number of reasons:
- To keep a record of donations made and actions taken by our supporters and our communications with them
- To send our supporters marketing information about our projects, fundraising activities and appeals where we have their consent or are otherwise allowed to
- To support volunteers, whether in shops, at festivals or participating in fundraising events
- To record campaigning actions by supporters
- To support community based fundraising and campaigning
- To claim gift aid on donations
- To fulfil contractual obligations entered into with supporters e.g. online purchases
- To keep people safe, whether they are visitors to our shops, staff or participants in events
- To comply with legal obligations
- To manage our organisation
- To ensure we do not send unwanted information to supporters or members of the public who have informed us they do not wish to be contacted
These reasons are underpinned by a "legal basis" under GDPR. We outline in the next section what these are for our main activities.
Explaining the legal bases we rely on
The law on data protection sets out a number of different reasons for organisations to collect and process your personal data: When collecting your personal data, we will always make clear to you which data is necessary for a particular purpose.
Oxfam relies on the following legal bases in our marketing activities:
Wherever possible, we will ask for your consent to send you marketing information. We will do this through a clear statement of what you will receive and allow you to select only those channels that you wish to hear from us by.
For example, if you donate online to one of our emergency appeals, you will be asked whether you would like us to keep in touch about our projects, fundraising activities and appeals. You will also be asked which channel(s) of communication you would like us to use (with a choice of email, SMS, post and telephone being offered).
In specific situations, we process your data to pursue our legitimate interests in ways which might reasonably be expected and which do not materially impact your rights, freedom or interests. Oxfam's use of legitimate interest includes the following:
Sending direct marketing information by post, to keep our supporters updated on Oxfam's projects, fundraising activities and appeals. We will only do this where we have reason to believe that this information will be of interest. We make it easy for you to opt out, see How to control what we send you or request we update your personal information
Where you have bought items from the Oxfam Online Shop we will email you to tell you about other relevant offers. All such emails will include a simple opt out mechanism.
If you have opted in to Oxfam emails or text messages we may use your details to link to your account on Facebook or other social media site in order to serve you Oxfam content.
We analyse your previous support of Oxfam in order to offer relevant ways of supporting Oxfam in the future.
To help identify businesses who may wish to support Oxfam, we send emails to individuals where relevant to their job, for instance people working in Corporate Social Responsibility.
For activities other than marketing, we may rely on different legal bases:
If the law requires us to, we may need to collect and process your data.
For example, where you sign up to the Gift Aid scheme, we will process your data for the purposes of submitting a Gift Aid claim to HMRC.
In limited situations we may use data in the public interest. It is likely to be in the public interest to collect data to prevent crime or dishonesty, ensure that we are fair in our practices by carrying out equality and diversity monitoring, or safeguard the wellbeing of people with whom we work.
When and why we will send you personalised marketing communications
Oxfam will only contact you for marketing purposes - for example keep you up to date on our work, or let you know of ways in which you can support that work - where we have your consent or we are otherwise allowed to do so (see Other circumstances in which you may receive marketing information from Oxfam).
We will make it easy for you to tell us if you would like to receive marketing communications from us and hear more about our work and the ways in which you would like to receive this information (post, email, SMS and phone). We will not send you marketing material if you tell us that you do not wish to receive it. There are a variety of ways you can do this, see How to control what we send you or request we update your personal information.
Where you give us your consent to send marketing information, we will wherever possible let you know how long this consent will last. Unless we have grounds for believing that a longer period is reasonable and have explained this to you, we will understand your consent to last for 24 months. After this time, in order for us to continue to update you, we will need your refreshed consent. You can update or withdraw your consent at any time, for individual channels of communication, or for all channels. See How to control what we send you or request we update your personal information for details on how to do this.
Consent lasting more than 24 months
We will generally treat any marketing consent you give us as lasting for 24 months, but will apply the following exceptions (but only where we inform you of this at the time you give consent):
- Where you have committed to giving us a regular donation (usually monthly). In this situation, and unless you withdraw your consent, we will treat consent as enduring until you cancel your donation, at which point your consent will expire 24 months after the last donation. This is to enable us to keep you up to date with the impact of your gifts, and to ask whether alternative means of support would be of interest.
- Where you have notified us that you will be leaving a legacy to Oxfam. This is a lifetime commitment and although we will provide you with regular opportunities to shape and control your communication from Oxfam we will treat your consent as ongoing.
Other circumstances in which you may receive marketing information from Oxfam
We may send you marketing communications by direct mail where you are a regular supporter and we have evidence that you do not object to receiving marketing material through the post.
We will not use "legitimate interest" if you have opted out of direct mail whether direct to Oxfam or by registering with the Mailing Preference Service (MPS) or the Fundraising Preference Service (FPS).
"Soft opt in"
This allows organisations to send marketing communications by email and SMS to individuals who have previously purchased similar goods and services, provided they were given the opportunity to opt out at the time of purchase. In Oxfam's case, this allows us to send marketing emails and SMS to previous customers of the Oxfam online shop. We apply a 24-month time limit, and only communicate on this basis where you have made a purchase within this period. We will not use the "soft opt in" option if you have opted out of receiving email and/or SMS, whether direct to Oxfam or via the Fundraising Preference Service.
When we collect information about you
Oxfam may collect your personal data in the following circumstances:
- When you give it to us DIRECTLY
You may give us your personal data directly when you make a donation, sign up for one of our events, take part in a campaigning action, volunteer at one of our shops, purchase products from the Oxfam Online Shop, when you communicate with us or when you download the MyOxfam app.
- When you give it to us INDIRECTLY
You may give us your information indirectly when you sign up to events such as the London Marathon, contribute to Oxfam via fundraising sites like JustGiving or Virgin Money Giving, or participate in a campaigning action with a partner. These independent third parties will pass your data to Oxfam where you have indicated that you wish to support Oxfam and have given your consent or it is a necessary part of completing a contract with you.
Sometimes your personal data is collected by an organisation working on our behalf (for example a professional fundraising agency) but as they are acting on our behalf we are the "data controller" and responsible for the security and proper processing of that data.
- When you access Oxfam's Social Media
We might also obtain your personal data through your use of social media such as Facebook, WhatsApp, Twitter or LinkedIn, depending on your settings or the privacy policies of these social media and messaging services. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this.
- When the information is publicly available
We might also obtain personal data about individuals who may be interested in giving major gifts to charities or organisations like Oxfam. In this scenario, Oxfam may seek to find out more about these individuals, their interests and motivations for giving through publicly available information. This information may include newspaper or other media coverage, open postings on social media sites such as LinkedIn, and data from Companies House. Oxfam will not retain publicly available data relating to major donors without their consent, which will be sought at the earliest practical opportunity. Where we decide not to make contact, we will delete all personal data obtained, other than basic contact details, to which we will apply a suppression flag to ensure we do not make contact in the future.
We may also gather information if your activities relate to our work - for instance, if you are a public figure such as a Member of Parliament or you represent an organisation which we work with or which is related to one of our campaigns we may gather information about you in order to inform our campaigning and make decisions - for instance, whether we engage with you to seek your support for our work, ask your constituents to write to you, or choose to work you in another way.
If you visit our website as an anonymous visitor (e.g. you switch off cookies), Oxfam may still collect certain information from your browser, such as the IP address (an IP address is a number that can uniquely identify a computer or other internet device).
What information might Oxfam collect about you?
We only collect personal data relevant to the type of transactions or interaction you have with Oxfam.
Whatever your interaction with us this information will be minimal and linked to the purpose for which we need it.
For example, when you contact Oxfam to make a donation, purchase an item online, support our "Tag your Bag" gift aid scheme, take a campaign action, or sign up to any of Oxfam's activities or online content (such as newsletters, competitions, or message boards) or you telephone, email, write to or text Oxfam, or engage with Oxfam via social media channels, we may receive and retain personal information.
In these cases we are likely to process details such as your name, email address, postal address, telephone or mobile number, bank account details to process donations and whether or not you are a tax payer so that we can claim Gift Aid.
If you visit one of our shops or sites we may capture you on CCTV, or you may give information to our staff via a feedback process or through our "Tag your Bag" Gift-Aid Scheme.
If you participate in an event we may (with your permission) take your photograph or video, or interview you.
If you participate in market research, we may ask you questions regarding your experience with us, or other survey questions relating to your experience.
If you are a campaigner or work with our campaigns team, we may collect information such as correspondence with you regarding campaigning, details of your background and activities with us or relating to the issue, the events you attend, or how we would like to work with you.
Where we gather information about you which is publicly available - for instance as a major donor or your views on our campaigning activity - this may include your name, contact details, views and positions you have expressed, and details regarding your circumstances- for instance which political roles you hold or what your background is.
Sensitive Personal Data
We only collect "sensitive personal data" about our supporters, e.g. health status, where there is a clear and specific reason for doing so, such as participation in a marathon or volunteering at a music event or an Oxfam shop.
We collect this data where we need it to ensure that we provide appropriate facilities or support to enable you to participate in the event or carry out your role. Clear notices will be provided on application forms so that it is clear what information we need and why we need it. In certain circumstances, such as when we recruit volunteer festival stewards, we need to obtain information about criminal convictions (where these are unspent) in order to check that it is appropriate for you to undertake the role.
Rarely, we may collect this data for the prevention of crime or dishonesty, to safeguard those with whom we work, or for another reason which is in the public interest. Where we do this we will do it carefully and in accordance with applicable laws.
Should you support Oxfam in a substantial way, we may provide an account manager to help you tailor your relationship to suit your interests. If this is the case we may collect sensitive personal data where relevant to our relationship, such as your political or religious views. Should you disclose information to us about your health or your family, this may also be recorded, so that we can communicate with you in a considerate and appropriate manner.
All sensitive personal data is stored on a secure database, to which only a limited number of relevant staff have access. It is deleted when no longer relevant, is never shared with third parties, and is available to you at any point should you wish to see it.
How will Oxfam use your personal data?
Oxfam will use your personal information for the following purposes:
- For administrative reasons, including:
- "service administration", which means that Oxfam may contact you for reasons related to administering any donations you have made, your tax status with regard to Gift Aid if claimed, the completion of commercial or other transactions you have entered into with Oxfam or the activity or online content you have signed up for;
- to confirm receipt of donations (unless you have asked us not to do this), and to say thank you and provide details of how your donation might be used. for example if you donate via text you will receive a "bounce back" text message;
- in relation to correspondence you have entered into with us whether by letter, email, text, social media, message board or any other means, and to contact you about any content you provide;
- for internal record keeping so as to keep a record of your relationship with us;
- to fulfil sales contracts you have entered into with Oxfam, such as the Tag Your Bag (Gift Aid) scheme, under which we are required to notify you of the proceeds from sale of items you have donated to Oxfam shops;
- to provide logistical and fundraising information to people who are taking part in a fundraising event in aid of Oxfam, such as the Oxfam Trailwalker event, or the London Marathon;
- to communicate with Oxfam volunteers - to support you in your designated role or administer that role and our organisation;
- to keep your data up to date - for instance we use the Royal Mail's data on postal address changes to ensure that we can maintain contact with you where we believe you are happy to be contacted by post, we also use services which notify us of the recently deceased to avoid any distress that continued communications would cause;
- to implement any instructions you give us to with regard to withdrawing consent to send marketing information or informing us through the Fundraising Preference Service that you do not wish to receive any marketing information;
- to use IP addresses to identify the location of users, to block disruptive use and to establish the number of visits from different countries;
- to protect our staff and those with whom we work, or to prevent crime and dishonesty. This will involve frequent fraud and anti-terrorism screening of employees and partners using the World-Check database (Thomson Reuters).
- For marketing and fundraising reasons (see '5. When and why we will send you personalised marketing communications').
- For market research
- to invite you to participate in surveys or research about Oxfam or our work (participation is always voluntary);
- to analyse and improve the activities and content offered by the Oxfam website to provide you with the most user-friendly navigation experience. We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes.
Will Oxfam share your personal information with anyone else?
We will only use your information within Oxfam for the purposes for which it was obtained. Oxfam will not, under any circumstances, share or sell your personal data with any third party for their own marketing purposes, and you will not receive marketing from any other companies, charities or other organisations as a result of giving your details to us.
We may need to share your information with service providers who help us to deliver our projects, fundraising activities and appeals, for instance through handling responses to our emergency appeals. These "data processors" will only act under our instruction and are subject to pre-contract scrutiny and contractual obligations containing strict data protection clauses. We do not allow these organisations to use your data for their own purposes or disclose it to other third parties without our consent and we will take all reasonable care to ensure that they keep your data secure.
Facebook and other social media sites
We may also use your email address and phone number to match to your account on Facebook or other social media sites in order to show you Oxfam content while using these services. We only do this where you have opted in to marketing emails or phone calls and we keep your data secure by encrypting it. No data we hold about you is retained by the third party.
In addition, we may also use your email address and phone number to link to Facebook or other social media sites in order to identify other users of these sites whom we believe would be interested in Oxfam, and we may then show them Oxfam content. No data we hold about you is retained by the third party.
There are two ways to prevent this use of your data, you can either update your preferences at Oxfam by opting out of the relevant channel of communication or you can do this via the social media site:
Updating your preferences with Oxfam will not guarantee that you never see Oxfam content on social media, since the social media site may select you based on other criteria and without your data having been provided by Oxfam.
Current and former Oxfam employees
When you leave Oxfam, Oxfam may process your data to respond to requests for employment references. In addition, OGB participates in the Inter-Agency Scheme for the Disclosure of Safeguarding-related Misconduct in Recruitment Process within the Humanitarian and Development Sector ('Scheme'). Where you apply for employment with another member of the Scheme, they will request a statement from Oxfam disclosing whether you have been found to have committed misconduct (in the form of sexual exploitation, sexual abuse or sexual harassment) while employed at Oxfam. Oxfam will respond to these requests in line with the rules of the Scheme.
More details about the Scheme are available on the Steering Committee for Humanitarian Response website.
Find out more about Oxfam's assessment of the privacy impacts of participation in the Scheme.
Where legally required
We will also comply with legal requests where disclosure is required or permitted by law (for example to government bodies, statutory bodies, or law enforcement agencies for tax purposes, where it is in the public interest, or the prevention and detection of crime, subject to appropriate protection in law).
Oxfam may transfer your personal data outside the EEA. If it does so, this may occur under the protections of the European Commission's standard contractual clauses, but will otherwise only take place where appropriate standards and safeguards are in place.
How long will Oxfam keep your personal information?
We will hold your personal information on our systems for as long as is necessary for the relevant activity, for example we will keep a record of donations subject to gift aid for at least seven years to comply with HMRC rules.
If you request that we stop sending you marketing materials we will keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.
Legacy income is vital to the running of the charity. We may keep data you provide to us indefinitely, to carry out legacy administration and communicate effectively with the families of people leaving us legacies. This also enables us to identify and analyse the source of legacy income we receive.
Where you contribute material to us, e.g. user generated content or in response to a particular campaign, we will only keep your content for as long as is reasonably required for the purpose(s) for which it was submitted unless otherwise stated at the point of generation.
How to control what we send you or request we update your personal information
The accuracy of your information is really important to us. We want to ensure that we are able to communicate with you in ways that you are happy with, and to provide you with information that is of interest.
If you wish to change how we communicate with you, or update the information we hold, then please contact us:
- amend your preferences on our website here: https://www.oxfamapps.org.uk/gdpr/
- amend your preferences through the My Oxfam App (available in Apple and Android stores)
- email us at firstname.lastname@example.org
- write to us at: Freepost Oxfam GB
- call us on 0300 200 1300 (Mon-Fri 9am-5pm)
Additionally you can opt out of email and SMS separately:
- Email - You can opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email from Oxfam.
- SMS - You can also opt out of SMS messages by texting NOINFO to 70066, this is charged at your standard text rate.
How long will it take for these changes to be effective?
We endeavour to meet the following service levels where supporters request we do not send them marketing information:
- Email - 24 hours from receipt of email
- SMS - 24 hours from receipt of SMS
- Telephone - 24 hours from receipt of request to opt out
- Mail - 28 days from receipt of 'do not mail' request. This period is longer than for other channels due to the production times for mailing campaigns, and in most cases we would expect the change to be effective much more quickly.
Should you request we stop marketing to you by completing our preferences web page, it may take up to 10 days to complete your request due to the manual nature of this process.
How Oxfam keeps your data safe
We ensure that there are appropriate technical controls in place to protect your personal details. For example our online forms are always encrypted and our network is protected and routinely monitored.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff, volunteers and contractors.
We use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect on our behalf, or have access to. We have a robust partner monitoring framework to ensure these contractual obligations are met.
These organisations - referred to as "Data Processors" also have legal liability for the way in which your data is used, providing you with additional protection.
Your rights over your personal data
You have a variety of rights in respect of your data, including the rights to see, update, restrict, object to the use of or withdraw use of your data. In particular, depending upon why we hold your data, you may have the right to request:
- Access to the personal data we hold about you, including how we first obtained your details, free of charge in most cases (this is known as a 'Subject Access Request').
- The correction of your personal data when incorrect, out of date or incomplete.
- That we stop using your personal data for direct marketing (either through specific channels, or all channels).
- That we delete your personal data from our systems (this is known as the "Right to be Forgotten").
- That we no longer process your data automatically to decide whether particular marketing activities are likely to be of interest, or suggest an appropriate donation level based on your previous donation history. This is known as profiling, and helps us to ensure that our marketing is relevant and appropriate.
You can contact us to request to exercise these rights at any time, see How to control what we send you or request we update your personal information for details of how to get in touch.
Opting out of Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We will always comply with your request.
Where we are sending you direct marketing on the basis of our legitimate interest, you can also ask us to stop. In the case of postal marketing sent on this basis, we will always comply with your request to opt out. Similarly, where we send email marketing on a soft opt in basis (see How and when we collect information about you), we will also comply with all requests to opt out.
Right to be Forgotten
Upon request we will delete your personal data from our systems, to the extent that we are permitted to by law or regulatory guidelines. For instance under HMRC rules we are required to retain financial data for 7 years for audit purposes, and so will not be able to delete donation details until this time period has elapsed.
Opting out of profiling
Upon request we will cease using your personal data to decide whether you would be interested in particular updates and other marketing. Such requests may lead to you not hearing from us in future.
Subject Access Requests
You have the right to request a copy of the personal information we hold about you. We will provide this as soon as possible, and within a month unless there are specific reasons why this would not be possible. We will always let you know if this is likely to be the case.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
How to find out more, or make a complaint about Oxfam’s approach to data protection
If you would like more information, to update your details or have any questions about this policy, please contact our supporter relations team by email at email@example.com or write to us at: Supporter Relations, Oxfam GB, Oxfam House, John Smith Drive, Oxford, OX4 2JY, or call us on 0300 200 1300 (Mon-Fri 9am-5pm).
To make a formal complaint about Oxfam's approach to data protection or raise privacy concerns directly with our data protection team, please contact:
The Data Protection Officer
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office.
You can contact them by calling 0303 123 1113.
Or go online to www.ico.org.uk/concerns (opens in a new window; please note we can't be responsible for the content of external websites).
Q. Does Oxfam obtain data from other organisations?
A. Oxfam receives data from a limited number of Third Parties, including:
- CACI Ltd - who provide summarised data at postcode level (this is typically 16 houses). This includes data such as age, income, house type, and the ages of children in the household. We use this information to decide who to target for our marketing campaigns, so as to improve the effectiveness of our fundraising, and to ensure we do not send out marketing information which is unlikely to be of relevance.
- UK changes - who provide data on house movers and the deceased so that we can keep our records up to date and make sure we only send marketing materials where appropriate. This data is only obtained where it is consistent with current data protection laws and Oxfam's Fundraising Policy, and where you have given permission for it to be shared for this purpose.
- Publicly available sources such as Twitter, Facebook, LinkedIn, parliamentary records, or statements which you make publicly, depending upon our relationship with you - in particular we are likely to collect these in connection with our campaigning activities
- From the following suppression services;
- The Mail Preference Service (MPS), which ensures we do not send unsolicited mail to those who have indicated they do not wish to receive it.
- The Telephone Preference Service (TPS), which ensures we do not telephone people who do not wish to receive unsolicited phone calls.
- The Fundraising Preference Service (FPS), which ensures we do not send unsolicited marketing material to people who have indicated that they do not wish to hear from Oxfam.
Q. Does Oxfam use profiling as part of its marketing campaigns?
A. How we target our marketing campaigns (profiling)
Profiling is a common technique used in direct marketing and involves analysing data to improve the targeting of communications. Oxfam uses profiling techniques to help ensure our communications are relevant. Profiling allows us to target our resources effectively, which donors consistently tell us is a key priority for them. It enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would. The data may have been provided to Oxfam by our supporters when responding to our marketing campaigns, or when using our website, or social media sites such as Facebook. It may also have been provided by external organisations as described below.
When building a profile we may analyse geographic, demographic and other information relating to you, as well as your previous responses to our marketing campaigns. We do this in order to determine whether we believe a particular marketing campaign might be of interest. Some of the data is provided by external organisations and may be provided at an aggregate level (e.g. by postcode). Where it relates to you as an individual we check that you have provided your express consent to the relevant third party for this use of your data. This helps to maximise the effectiveness of our campaigns and to minimise the wastage that would result from sending marketing information where it is not of interest. You have the right to request we cease this profiling, for details see Your rights over your personal data.