Last updated: December 2025
1. Who we are and how to contact us
This Privacy Notice tells you what to expect us to do with your personal information. We will review this Privacy Notice every two years and make any changes as and when required. Any new version of this Privacy Notice will be published on this page.
We are The Breastfeeding Network (BfN), a registered charity in Scotland (Charity No. SC027007) and a Company Limited by Guarantee registered in Scotland (No. SC330639). We are registered with the Information Commissioner’s Office (ICO).
Our registered address is:
The Breastfeeding Network
Unit 49, Sir James Clark Building
Abbey Mill Business Centre
Paisley
Renfrewshire
PA1 1TJ
United Kingdom
Email: dataandprivacy@breastfeedingnetwork.org.uk
Postal enquiries about data protection can also be sent to the above address.
Depending on the circumstances, we may act as either a Data Controller or a Data Processor. In many cases we are commissioned by organisations such as NHS boards or local authorities to deliver services. When we collect information on their behalf, we do so as a Data Processor. In some situations, we may act as a joint Data Controller with our commissioners. In other circumstances, for example, when we collect information for our own organisational purposes, such as HR or internal governance, we act as a Data Controller. Whatever our role, we apply the same high standard of protection to your personal information.
We are required by law to treat your personal information legally, fairly, and transparently. We comply with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 and the Data (Use and Access) Act 2025.
You have rights over your personal information.
These include:
- the right to know how and why we are using your data
- the right to ask for a copy of the personal data we hold about you
- the right to have any incorrect or incomplete information corrected
- the right to ask us to delete your information in some circumstances
- the right to ask us to stop or limit how we use your information in some circumstances
- the right to ask for your data in a format that allows you to move it elsewhere
- the right to object to us using your personal data in some situations
- rights relating to decisions made about you, including profiling
- the right to withdraw your consent at any time, if we are relying on consent to process your data
- the right to raise a concern or complaint with the Information Commissioner’s Office (ICO) if you are unhappy with how we are handling your information.
We will always do our best to support you in using these rights.
You can ask us to:
- stop sending you marketing or newsletters
- update or correct your information
- withdraw your consent
- access your personal data
- ask us to delete or restrict the use of your information, in certain circumstances
- object to how we are using your information
To exercise any of these rights, please contact us:
Email: dataandprivacy@breastfeedingnetwork.org.uk
Address: The Breastfeeding Network, Unit 49, Sir James Clark Building, Abbey Mill Business Centre, Paisley, Renfrewshire, PA1 1TJ, United Kingdom.
We will respond without undue delay and within one month.
You can read more about your rights on the Information Commissioner’s Office (ICO) website.
If you remain unhappy with how we’ve used your data, you can complain to the Information Commissioner’s Office (ICO). The ICO is the UK data protection regulator.
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
We complete the NHS Data Security and Protection Toolkit each year to demonstrate compliance with NHS data protection and cyber security standards. We are also Cyber Essentials certified, confirming that we maintain recognised technical controls to protect our systems and data from common cyber threats.
2. What information we collect and why
We only collect information that we need. We are required to have a reason for doing so. In most cases, we will collect information so that we can carry out our regular business functions (“legitimate interests”). In some cases, we are required to collect data in order to fulfil our contracts with others and to understand and account for the effectiveness and impact of our work (“contract”). Very occasionally, we will need to ask for your express agreement to process data (“express consent”). For more detail, see Section 4 below.
a) When we provide breastfeeding support or other services
For example: helpline calls and messages, peer support, drop-ins, referrals from health professionals, community programmes.
We may collect:
- Your name and contact details, including your postal address and post code
- Your ethnicity*
- Your preferred pronouns
- Date of birth/baby’s date of birth
- Information about infant feeding, health, and wellbeing*
- Relevant medical or support needs you tell us about*
- Records of the support we have provided
- Recordings or transcripts if you contact us by phone, online chat, or social media message
- Information about your home / caring situation if relevant to the support
Why we collect it:
- To respond to your question or request for support
- To improve and develop the services we offer to women and families, in line with our charitable objects
- To comply with our obligations to our commissioners to deliver breastfeeding support services safely and consistently
- For safeguarding, where there is a concern about risk to you or a child
*This information is “special category data”. This information gets extra protection in law as it is deemed to be more sensitive. More information about special category data and why we collect it is in Section 4.
b) When you donate, fundraise or support us financially
We may collect:
- Name and contact details
- Donation history and Gift Aid declarations
- Information about fundraising activities you organise
- Pledges, gifts in wills and in-memory donations
Why we collect it:
- To process your donation
- To reclaim Gift Aid from HMRC (if you are eligible)
- To thank you and keep accurate financial records
- To comply with charity and finance law
c) When you buy items from our shop or pay for training, events or services
We will collect:
- Your name and delivery/billing address
- Contact details
- Order history
We may collect (if relevant):
- Accessibility requirements*
- Health information (for example, if needed for safe participation in an activity or event)*
- Dietary requirements (for catering at in-person events or training)*
Why we collect it:
- To process and deliver what you’ve bought or booked
- To contact you about your order, booking or attendance or any necessary updates or changes
*This information may be “special category data”. This information gets extra protection in law as it is deemed to be more sensitive. More information about special category data and why we collect it is in Section 4.
d) When you volunteer, train with us, apply for a role or work for us
We may collect:
- Contact details
- CV and application information
- Employment and education history
- References
- Proof of right to work / ID documents
- Equality and diversity monitoring information you choose to provide (e.g. age group, gender, ethnicity, disability status, etc.)*
- Disclosure and criminal records checks (e.g. PVG/ DBS/Disclosure Scotland/Access NI)*
- Emergency contact and next of kin details
- Performance, supervision and training records
- Health or support needs relevant to carrying out a role safely*
Why we collect it:
- To assess and process your application for volunteering, training or employment
- To manage and support you as a volunteer, trainee or employee
- To meet safeguarding, health and safety and governance obligations
- To monitor equality, diversity and inclusion across our recruitment, training and volunteering and to meet our reporting requirements with our commissioners
*This information is “special category data”. This information gets extra protection in law as it is deemed to be more sensitive. More information about special category data and why we collect it is in Section 4 below.
e) When you sign up for updates, newsletters or information
We will collect:
- Your name
- Your email address or contact method
- Your communication preferences
- A record of your consent to receive updates
Why we collect this:
- To send you the updates you have requested
- To keep you informed about our work, services, news, and opportunities that may be of interest, in line with your communication preferences
- To tailor our communications so they are timely and relevant, and reflect our organisational purpose
- To record your agreement to receive updates so we can demonstrate compliance with our legal obligations and, where applicable, meet the requirements of the soft opt-in in the Data (Use and Access) Act 2025[1].
You can change your communication preferences or unsubscribe at any time.
f) When you support our fundraising
We will collect:
- Your name and contact details
- Donation history and Gift Aid status (if applicable)
Why we collect this:
- To thank you for your donation
- To keep a record for financial and audit purposes
- To contact you again about similar fundraising and promotional activities, and opportunities for you to make a difference through BfN, if it is reasonable to do so
g) When you take part in marketing, campaigns or case studies
We may collect (only if you agree):
- Photographs, videos or your story
- How you would like to be credited or described
- Any limits on how we can use your story (e.g., anonymous, first name only, specific channels)
Why we collect this:
- To share experiences and raise awareness of our work
h) When you visit our website
We may collect:
- Basic website usage information such as pages visited and user interactions
- Your cookie consent choices (whether you accept or reject cookies)
We use Google Analytics 4 to analyse website usage. Google Analytics 4 does not collect IP addresses.
Why we collect this:
- To understand how our website is used and improve the experience for visitors
i) When you raise a concern, complaint or safeguarding issue with us
We will collect:
- Your name and contact information
- Details of the concern or complaint
- Records of our communications with you (for example, emails or phone notes)
We may collect (if relevant):
- Information about health, care or family circumstances, only where it helps us understand or address the concern
- Safeguarding information, including details of concerns about a person’s safety or wellbeing, risks of harm, and any safeguarding actions or referrals made
- Statements from others involved or who witnessed events
Why we collect this information:
- To look into and respond to the concern or complaint
- To meet our safeguarding, legal and regulatory obligations
- To monitor quality and improve our services
3. Where we get your information from
We may receive personal information:
- Directly from you (for example, by phone, in person, by email, through online chat or forms)
- From NHS staff, local authorities, or other commissioners who refer you to us for breastfeeding support
- From other health or care professionals where you have agreed to that referral
- From fundraising platforms (for example, where you set up a fundraising page and choose to share your details with us)
- From previous employers or referees (for staff and volunteer recruitment checks)
- From DBS service / PVG scheme
- From family members or carers, where it is appropriate and lawful to share information on your behalf
- From publicly available sources where relevant to due diligence (for example, to meet safeguarding or fundraising compliance requirements)
4. Our lawful bases for using your information
We must have a lawful basis under UK GDPR and the Data (Use and Access) Act 2025 to collect and use personal information. The main lawful bases we rely on are:
Contract
We need to process the information to supply something you’ve asked for or agreed to (for example, delivering shop orders or providing booked training).
Legal obligation
In some situations, we are required by law to collect and use personal information. In these cases, we must process certain data and cannot always erase it if requested.
Examples include:
- Keeping Gift Aid donation records for HMRC
- Health and safety reporting and incident records
- Safeguarding and child protection duties (Data Protection Act 2018, Part 2, Paragraph 18)[2]
- Right-to-work checks and employment law requirements
- Disclosure and criminal records checks, such as DBS, PVG, Disclosure Scotland or Access NI, where a role requires this
Legitimate interests
We process some information because it is necessary for our genuine organisational interests as a charity, and those interests are not overridden by your rights. Examples of this include:
- Recording breastfeeding support provided to you so we can offer safe, consistent support
- Monitoring and improving our helplines and community services
- Contacting you when you’ve asked a question and we need to reply
- Managing, supporting and supervising volunteers
Consent
In some cases we will only use your information if you say we can. Examples of this include:
- Sending you email marketing or newsletters
- Using your story, photo or video publicly
- Collecting certain types of sensitive personal data not covered by another lawful basis
You can withdraw your consent at any time by contacting us (see Section 9).
Special category data (sensitive information)
Special category data is:
- personal data revealing racial or ethnic origin
- personal data revealing political opinions
- personal data revealing religious or philosophical beliefs
- personal data revealing trade union membership
- genetic data
- biometric data (where used for identification purposes)
- data concerning health
- data concerning a person’s sex life
- data concerning a person’s sexual orientation
This type of information needs to be handled with extra care, as using it could have a greater impact on someone’s rights or could put them at risk of discrimination. We handle it with extra care and security: access to it is restricted, it is stored in secure systems, and staff receive specific guidance on how to use it appropriately.
We only collect or use special category data where we have a clear legal reason to do so.
This may include:
- Your explicit consent (for example, if you choose to share your story publicly) – UK GDPR Article 9(2)(a)
- Providing health or social care support, including breastfeeding support and related safeguarding – UK GDPR Article 9(2)(h)
- Monitoring equality, diversity and inclusion, where information is voluntarily provided – UK GDPR Article 9(2)(g) & Data Protection Act 2018 Schedule 1, Part 2 (Substantial Public Interest)
- Safeguarding, protecting individuals at risk, or preventing harm – Data Protection Act 2018 Schedule 1, Part 2[3]
For more information see “What are the conditions for processing special category data?”[4]
Criminal records
For certain volunteer and staff roles we are legally required to carry out criminal records checks (for example DBS, PVG, Disclosure Scotland or Access NI checks). We only request these checks where a role requires them.
What we record:
- the type of check carried out
- the certificate reference number
- the outcome
- the date of the check
- who verified it
How we store and access this information:
- Recorded information is stored in restricted-access systems
- Access is limited to staff who need it for safeguarding, recruitment or role management
- We never share this information for marketing, fundraising or general admin
- If a certificate contains information that requires discussion, this is always handled confidentially.
How long we keep it:
- Disclosure information is retained only for as long as necessary to make a recruitment or safeguarding decision
- After this, certificate information is securely deleted, and only the confirmation record (date, type, reference number, outcome) is kept
5. Who we share information with
We must share information in some situations, for example:
- Safeguarding concerns where someone may be at risk of harm
- Legal or regulatory requirements, such as HMRC, Companies House, charity regulators, or Health & Safety investigations
- Criminal record checks for roles that require DBS/PVG/Disclosure Scotland/Access NI checks
We share information to provide our services, for example:
- With NHS staff, infant feeding teams, or other health professionals supporting you
- With local authorities and commissioners who fund or oversee our services
- With banks or payment providers to process donations, fees or orders
- With our professional advisers (e.g. legal, accounts and HR) when needed
We will only share your personal information when it is necessary, lawful and proportionate to do so.
We may share anonymised, aggregated or statistical information with our commissioners, funders and partner organisations (e.g. local authorities) to report on service delivery and outcomes. Where we provide data for reporting or evaluation, it is processed in a way that individuals cannot be identified.
6. How long we keep your information
We keep personal data only for as long as necessary for the purpose it was collected, and to meet legal, contractual or reporting requirements. For more information, see our Information Governance Policy.
7. How we keep your information safe
We use appropriate technical and organisational measures to protect your information. These measures are informed by recognised security standards (including the Cyber Essentials framework and the NHS Data Security and Protection Toolkit) together with assessments of the nature of the data we hold and the risks linked to our activities. We review these safeguards periodically to ensure they remain suitable and proportionate. Our measures include:
- Limiting access so only staff and volunteers who need the information for their role can see it
- Requiring passwords and multi-factor authentication to access our systems
- Keeping paper records locked when they are used
- Regularly checking and updating our systems to fix vulnerabilities and keep security up to date
- Backing up our Microsoft 365 data securely using an approved third-party provider
- Training staff and volunteers on confidentiality, safeguarding and data protection
8. Organisations who process data on our behalf
All organisations listed below process personal data on our behalf in accordance with UK data protection law, including the UK GDPR and the Data (Use and Access) Act 2025 (DUAA 2025).
- Microsoft 365 – used for email, document storage and collaboration. Data is stored in UK and EU data centres in line with UK GDPR.
- Venom IT – hosted desktop solution for payroll and accounts. For more information see – https://www.venomit.com/privacy-policy/
- Upstream IT – provide us with IT support services. For more information see – https://upstreamit.co.uk/privacy-policy/
- Call Handling – the telephony platform used for the National Breastfeeding Helpline. For more information see – https://www.callhandling.co.uk/privacy-policy/
- Sage – accounting and payroll systems. For more information see – https://www.sage.com/en-gb/legal/privacy/
- RaidHost – provide hosting services for our website and Moodle training platform. For more information see – https://www.raidhost.co.uk/terms-and-conditions/privacy-policy/
- Eventbrite – used to manage registrations for some events. This may involve transfers to the US. Eventbrite is certified under the UK Extension to the EU–US Data Privacy Framework, which provides recognised data transfer safeguards. Privacy Policy: https://www.eventbrite.co.uk/help/en-gb/articles/460838/eventbrite-privacy-policy/
- Meta (Facebook and Instagram) – if you view, follow or engage with our content or access support through Facebook or Instagram, Meta may collect information about your interactions. Meta uses its own approved data-transfer safeguards. Privacy Policy: https://www.facebook.com/privacy/policy?locale=en_GB
- Google Analytics – helps us understand how our website is used. This involves collecting anonymous or pseudonymised website usage data. Google uses approved data-transfer safeguards. More information: https://support.google.com/analytics/answer/6004245
- TikTok – if you view or interact with our TikTok content, TikTok may collect information about that interaction and may transfer data outside the UK/EEA under its approved safeguards. Privacy Policy: https://www.tiktok.com/legal/page/eea/privacy-policy/en
9. Cookies and website use
We collect some information when you visit our website, such as your IP address, pages visited and how you found the site. We do this to understand how people use our services and to improve them. We use cookies for things like analytics, website performance, and (where relevant) online shop functionality. For more detail, including how to manage or disable cookies, please see our Cookies Policy.
10. Changes to this privacy notice
If we plan to use your personal information for a new purpose, we will update this privacy notice.
We review this notice every two years to make sure it is accurate and up to date. The most recent update date appears at the top of this page.
[1] https://ico.org.uk/for-organisations/advice-for-small-organisations/direct-marketing-and-data-protection/marketing-and-data-protection-in-detail/
[2] https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/part/2
[3] https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/part/2
[4] https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-conditions-for-processing/
