MSA Trust Privacy Notice

Who we are?

“We” and “us” means The Multiple System Atrophy Trust or MSA Trust. We are a charity with registered charity number 1137652. We are the main UK and Ireland support and information service for people with MSA, their families, carers and healthcare professionals. We also fund research to find the cause and cure of MSA.

Your privacy matters

At MSA Trust we are committed to keeping your personal data safe and secure.

This notice sets out in detail the purposes for which we process information about you, who we share it with, what rights you have in relation to that information and everything else we think it’s important for you to know.

If you have any questions about the processing of your personal information, or you would like to exercise any of your rights, please reach out to us via email: support@msatrust.org.uk.

How we process your information:

To understand how we process your personal information and to understand your rights, please visit the relevant section below:

Section 1: Service Users (people living with MSA, their carers, family and friends, healthcare professionals)

Section 2: Human Resources (job applicants, employees, volunteers, trustees)

Section 3: Supporters (events, donations, fundraising and marketing)

Section 4: Website visitors (cookies and online shop)

Section 5: General Information (your rights, complaints procedure)

Changes to this Privacy Notice

We aim to keep this privacy notice regularly updated and it is kept under regular review. If we make any significant changes to the way in which we process your information, we will let you know by either reaching out to you or posting a banner on the website.

This was last updated in June 2025.

Section 1 – Members, carers, family, friends and healthcare professionals

How and when do we collect information about you? 

We collect your personal data directly from you, when you engage with us to use or enquire about our services.

We collect information in this process through different channels, such as the ‘join us’ forms on the website, various consent forms, case studies etc.

Information may also be provided about you by other sources such as from your healthcare professional team or external agencies or charities you engage with for support and during your time accessing MSA Trust information and services.

What types of information is collected about you?  

We may collect the following regular and special category information about you:

• Name
• Address
• Email address
• Phone number
• Date of birth
• Diagnosis
• Carer information
• GP information
• Specialist/Neurologist information
• NHS/HSE number
• Medical background and ongoing symptoms and treatment

During your engagement with our service, you may disclose information about other individuals (e.g. if you’re a carer, you may disclose information about those you care for) which would also be recorded.

How is the information used? 

We use this information to:

1. Effectively provide our services or programs to you
2. Address any safeguarding concerns
3. Facilitate your enquiries and help you use services
4. Carry out internal evaluation and monitoring

What is our lawful basis for processing this information?

1. To process your information when you use our services, or when we receive a referral from a professional or organisation, we rely on legitimate interest, read with substantial public interest and conditions from the Data Protection Act 2018 (DPA). For example, when you request to receive services or products from the MSA Trust, we have a legitimate organisational interest to use your personal information to respond to you and there is no overriding prejudice to you by using your personal information for this purpose.
2. Any information about any third parties that is shared with us when you use our services is processed on the basis of legitimate interest, read with substantial public interest and conditions from the DPA.
3. For any safeguarding information that we record, we rely on legitimate or vital interest, read with substantial public interest and conditions from the DPA.
4. For any case studies, and photography that we circulate, we rely on legitimate interest or consent depending on the situation, and for surveys, we rely on your explicit consent (if they are not anonymous).

Who do we share your data with?

1. Only authorised staff will have access to your personal information, which is kept on our CRM database. This will not be shared with any unauthorised staff without your express permission.
2. We may share your information with the National Congenital Anomaly and Rare Disease Registration Service (NCARDRS) if you live in England or the Congenital Anomaly Register and Information Service (CARIS) if you live in Wales, but we will only ever do this with your consent.
3. We may share your information with the NHS, DWP, local authorities and other statutory or voluntary organisation on your behalf when we support you via our social welfare specialist or health care specialist services, at your request and with your explicit consent.
4. With third-party processors that we use to provide services for us such as (but not limited to) the mailing of the MSA magazine or with contracted IT services to ensure reliable and secure technology services.
5. Personal data is not shared with funders. Information shared with funders is shared only anonymously.
6. To comply with our duty of care and safeguarding, we may need to pass some information raising safeguarding concern with the authorities. In such circumstances, we apply vital interest and legitimate interest as our lawful basis. Data subjects’ rights and other UK GDPR provisions may be restricted when concerning personal data processed in these circumstances. Exceptions and exemptions are applied on a case-by-case basis.

How do we store your information and for how long?

Your information is stored securely in our CRM system (Raiser’s Edge). We retain your personal data in line with our retention periods – retention periods can vary depending on why we need your data and some retention periods are set by the law. For example, we must keep medical case notes for eight years after you stop engaging with the organisation. Data is destroyed or deleted in a secure manner as soon as the retention date has passed.  Please get in touch by contacting us using the details above if you want to know more about retention periods.  

Section 2 – HR (employees, applicants, volunteers, trustees)

How and when do we collect information about you? 

You provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment/engagement. We may collect information from you during the course of your employment/engagement. In some cases, we will collect data about you from third parties, such as employment agencies or former employers when gathering references. Data may also be collected from sign up forms, e.g. our volunteer registration form.

What types of information is collected about you?  

We keep several categories of personal data to carry out effective and efficient processes. Specifically, depending on your type of engagement with us, we may process the following types of data: 

• personal details such as name, address, phone numbers, marital status
• name and contact details of your next of kin
• footage of organisation events where you may appear
• health or medical information you have disclosed
• right to work documentation, National Insurance number, bank account details
• information gathered via the recruitment process such as that included in a CV, cover letter or application form, references, details on your education and employment history etc
• information relating to your employment/engagement with us (e.g. job title, job description, salary, terms and condition of the contract, annual leave records, appraisal and performance indication, formal and informal proceedings involving you such as letters of concern and disciplinary, disciplinary and grievance proceedings)

We may also process criminal records information if your role involves a DBS check.  

How is the information used? 

We are required to process your personal data for various legal and practical purposes for the administration of your contract of employment or your volunteer/trustee agreement, without which we would be unable to employ or engage you. Holding your personal data enables us to meet various administrative tasks, legal obligations or contractual/agreement obligations. We process information in relation to the DBS for our safe recruitment practices.  

What is our lawful basis for processing this information?

We mainly use ‘contractual obligation’ as a lawful basis for processing personal data for employees, job applicants and freelancers. We mainly use ‘legitimate interest’ for trustees and volunteers. We may also have legal obligation in order to process and share your data, for example we need to share salary information to HRMC or use some of your data to enrol a new employee on a pension scheme.  

We rely on our legitimate interest for processing activity such as keeping supervision and appraisal records; using your image, bio and videos/pictures of the organisations’ events where you may appear on our website or marketing/fundraising materials to promote the charity.  

Some special categories of personal data, such as information about health or medical conditions is processed in order to carry out employment law obligations and for health and social care obligations (such as those in relation to individuals with disabilities and for health and safety purposes).

When processing criminal records (for example, in order to perform DBS check), the organisation relies on the lawful basis of legitimate interest and additional conditions of the UK GDPR and DPA 2018.

Who do we share your data with?

We have a legal obligation to share your salary with HMRC. Personal Data may be shared with third parties for the following reasons:

1. for the administration of payroll, pension, HR functions, IT security and administering other employee benefits and with the building security team for the issuing of any building access pass.
2. When sharing information with third parties, we have data sharing agreements, data processing agreements or contracts in place to ensure data is not compromised. These third parties implement appropriate technical and organisational measures to ensure the security of your data.

How do we store your information and for how long?

Your information is stored securely in our CRM system (Raiser’s Edge) and on our shared drive (currently SharePoint/OneDrive).

We only keep your data for as long as we need it for, which will be at least for the duration of your employment/engagement with us though in some cases, we will keep your data for a period of 6 years after your employment/engagement has ended. If you’ve applied for a vacancy but your application hasn’t been successful, we will keep your data only for 12 months.  

Retention periods can vary depending on why we need your data and some retention periods are set by the law. Data is destroyed or deleted in a secure manner as soon as the retention date has passed.  Please get in touch by contacting us using the details above if you want to know more about retention periods.  

Section 3 – Supporters (events, donations, fundraising and marketing)

How and when do we collect information about you? 

As a supporter, we may collect your information when you attend one of our events, make a donation to MSA Trust, fundraise on our behalf, sign up to receive our marketing newsletters, purchase a product or get in contact to enquire about our services.

Your information may be shared with us by independent event organisers, for example the London Marathon or fundraising sites like JustGiving or Stripe payments. These independent third parties will only do so when you have indicated that you wish to support the MSA Trust and with your consent. You should check their Privacy Policy when you provide your information to understand fully how they will process your data and what might be shared with us.

What types of information is collected about you?  

Depending on your type of support for us, we may process the following types of data: 

• your name
• contact details like your email address, home address, phone number
• donation history and fundraising activity
• footage of organisation events where you may appear
• gift aid declaration
• dietary information or accessibility information if you’re attending an event
• card or payment details

How is the information used? 

We may use your data to process your donation, process your registration to one of our events, record your dietary or accessibility information for those events, deal with any potential enquiries, inform you about our work via marketing communications.

If you would like to change your marketing preferences, please reach out to us on the email address provided in the first section of this privacy notice, or you can simply unsubscribe with the option on the bottom of our emails.

We may occasionally use minimal donor profiling or segmentation, based on the information you have provided to us, to help tailor our communications and fundraising efforts more effectively. This processing is carried out under our legitimate interest to better engage with our supporters and ensure that our messages are relevant and appropriate. We do not use any automated decision-making or intrusive profiling, and you can object to this processing at any time.

What is our lawful basis for processing this information?

We mainly use ‘legitimate interest’ as our lawful basis to collect the majority of the information mentioned above.

We only collect information about dietary requirements or accessibility needs with your explicit consent.

We may also have legal obligation in order to process and share your data, for example sharing Gift Aid information with HMRC.

We will not send you marketing communications without your consent.

Who do we share your data with?

We have a legal obligation to share Gift Aid information with HMRC.

For the administration of events we may share your data with suppliers such as a digital events platform or company or for the mailing our of resources to you. When sharing information with third parties, we have data sharing agreements, data processing agreements or contracts in place to ensure data is not compromised. These third parties implement appropriate technical and organisational measures to ensure the security of your data.

How do we store your information and for how long?

Your information is stored securely in our CRM system (Raiser’s Edge) and on our shared drive (currently SharePoint/OneDrive).

We only keep your data for as long as we need it for, including for satisfying any legal, tax, accountancy, reporting and our legitimate interest requirements. Retention periods can vary depending on why we need your data and some retention periods are set by the law (for example, gift aid records must be kept for six years in line with HMRC requirements). Data is destroyed or deleted in a secure manner as soon as the retention date has passed.  Please get in touch by contacting us using the details above if you want to know more about retention periods.  

Section 4 – Website visitors (cookies and online shop)

How and when do we collect information about you? 

We use cookies on our website, which are small files which, with your consent, are placed on your computer’s hard drive. Cookies help us to deliver a better website experience to you.

We also collect your data when you make a purchase through our web shop.

What types of information is collected about you?  

Depending on your engagement, we may process the following types of data: 

• your name
• analytical information about site useage from cookies

Details you write on registration forms to access services or register for an event (see section 1).

How is the information used? 

We may use your data to improve our website, analyse its performance and process your form request.

What is our lawful basis for processing this information?

We use ‘legitimate interest’ as our lawful basis to store essential cookies, however we obtain your consent to collect non-essential cookies.

We use contractual obligation when collecting information when you make a purchase through our online shop.

Who do we share your data with?

Your information may be processed by third-party payment providers when you make a payment on our online shop. Your information is kept secure during this transaction, and we have agreements in place with all third-parties to ensure it’s safety.

How do we store your information and for how long?

Your information is stored securely on our CRM database. It may be stored on the WordPress site that hosts our website but with forms this is limited to 24 hours.

We only keep your data for as long as we need it for, including for satisfying any legal, tax, accountancy, reporting and our legitimate interest requirements. Retention periods can vary depending on why we need your data and some retention periods are set by the law. Data is destroyed or deleted in a secure manner as soon as the retention date has passed.  Please get in touch by contacting us using the details above if you want to know more about retention periods.  

Section 5 – General information (your rights, complaints procedure)

Your rights as a Data Subject

You have the following rights. Please note, some of these rights are not absolute and we may rely on exemptions and exceptions to these rights in some cases.

• ‘Right to be informed’, which means we will be completely clear and transparent about how we plan to use your personal information.
• ‘Right of access’, which means you can request details of the personal information we hold about you and how we use it. We will provide this within one month.
• ‘Right to rectification’, which means you can ask us to update or amend the personal information we hold about you, if it is incorrect.
• ‘Right to restrict processing’, which means you can ask us to change, restrict or stop the way we are using your personal information.
• ‘Right to erasure’ (or ‘right to be forgotten’), which means you can ask us to remove your personal information from our records, legal obligations allowing.
• ‘Right to object’, which means you can object to us using your personal information.
• ‘Right to data portability’, which means you can obtain the personal information we hold about you and reuse it for your own purposes.
• ‘Right not to be subject to automated decision making’, which means if we use systems to make a decision about you, you have the right to ask for a person to intervene, which may change the outcome.
• Right to lodge a complaint with a supervisory authority, such as the Fundraising Regulator or the Information Commissioner’s Office (ICO), if you are not satisfied with our response to a request you make to us, or you feel we are not using your information correctly.

International Data Transfers

Your personal data is stored in the UK.

If personal data were to be stored outside of the UK and the EEA, safeguards to protect personal data may include but are not limited to the UK Addendum used in conjunction with the EU Standard Contractual Clauses (SCCs), or UK International Data Transfer Agreement (IDTAs). Such safeguards will be subject to Transfer Risk Assessments (TRAs).

Complaints procedure

If you are unhappy with the way we process your data, please get in touch with the Data Protection Lead using the contact details mentioned at the top of this notice.

You can also make a complaint to the Information Commissioner’s Office (ICO), which regulates the use of information in the UK. They can be contacted at 0303 123 1113 or you can write to them at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Created: June 2025

Reviewed: June 2026

Version 1.0