Privacy policy

Meningitis Research Foundation and the Confederation of Meningitis Organisations (CoMO)

Meningitis Research Foundation, including its member network CoMO, is committed to protecting and respecting the personal data that we hold.  

This privacy policy describes why and how we collect and use personal data and provides information about your rights.  

It applies to personal data given to us, both by individuals and by others. We may use the personal data given to us for the purposes described here, or as described when we collect your data. 

Meningitis Research Foundation is the data controller for the personal data processed by its member network the Confederation of Meningitis Organisations (CoMO). 

What is personal data? 

Personal data is any information relating to an identified or identifiable living person.  

When collecting and using personal data, we are transparent about why and how we process it. We process personal data for a number of purposes. The way we collect this data, the lawful basis of processing, use, disclosure, and retention periods for each purpose are described in this policy.

The personal data given to us is provided either directly from you or from a third party acting on your behalf.  

Where we receive personal data that relates to a person from a third party, the third party should be aware that the person may be informed, so they know how we will use their data. Where necessary, we will refer to this policy.  

The types of personal data we process 

We collect and process the following types of personal data: 

  • Names 
  • Postal addresses 
  • Email addresses and other contact information 
  • Records of your contact with us 
  • Information you provide to us, such as medical history 
  • Details of your website use 
  • Information about your experience with us 
  • Personal information you provide when you apply to work for us, as part of our standard recruitment process  
  • Bank / credit card details (if you are providing these to make a payment to us) 
  • Health information, if you contact us with a meningitis experience you would like to share on any of our channels 
  • Any other information you give us 

How we collect personal data 

We collect personal data: 

  • Through your request for awareness material and other publications 
  • Through your job applications, when you want to work for us 
  • Through your request for information about our work and events 
  • Through your registration for events (in person and online) 
  • Through your contacting us with enquiries, comments and for support 
  • When you sign up for our email updates and newsletters 
  • When you make a donation on our websites 
  • When you request to become a member of CoMO, including completing the member application process 
  • Through our use of cookies and pixel tags 

Why do we process personal data and what is the lawful basis?  

There are several reasons why we will process the personal data that you provide to us: 

  • To provide advice and support 
  • To undertake recruitment 
  • To manage an ongoing relationship, such as attendance at events 
  • For marketing and communications purposes 

We may also combine information provided by supporters and others with information from publicly available sources, in order to identify individuals for potential research, fundraising, communications and marketing purposes. These sources may include public social media accounts, for instance. In all instances we will only use reputable sources, where someone would expect their information to be read by the public.

This allows us to be more efficient and cost-effective with our resources, so we can reach people who will benefit from engaging with us or who would be interested in supporting us. This targeted approach reduces the risk of someone receiving information that they might find irrelevant, intrusive or even distressing. 

Under the UK’s General Data Protection Regulation (GDPR), the standard lawful bases we rely on to process personal data are:

  • Your consent 
  • We have a contract with you 
  • It is necessary to comply with a legal obligation 
  • Legitimate interest 

How long do we keep personal data for? 

Any personal data will not be retained for any longer than is necessary for the lawful purposes for which it was collected and processed.  

We may, in some cases, keep personal data for longer to establish, exercise, or defend our legal rights.  

In addition, personal data may be securely archived with restricted access and other appropriate safeguards, where there is a need to continue to retain it.  

When we retain your personal data, we will ensure that it is kept securely and protected from loss, misuse or unauthorised access and disclosure.  

Once the retention period is reached, we will delete your personal data. 

Sharing personal data  

We will only share personal data with others when we are legally permitted to do so.  

When we share data with others, we put arrangements and security mechanisms (a contract or a data-sharing agreement) in place to protect the data and to comply with our data protection, confidentiality and security standards.  

Occasionally, we may receive requests from third parties with authority to obtain disclosure of personal data, such as to check that we are complying with an applicable law and regulation; to investigate an alleged crime; or to establish, exercise or defend legal rights.  

We will only fulfil requests for personal data where we are allowed to do so, in accordance with applicable data protection legislation. 


We enter into contracts with external data processors to provide system administration (including membership, email and payment), document management, website hosting and IT storage services.

Any personal data shared with a data processor for this purpose will be governed by appropriate safeguards and contracts under data protection law. 

Processing location 

The personal data that we collect from you will be processed within the UK. It may be necessary, in some cases, to transfer personal data to the EEA. Any such transfers will be fully compliant with the requirements of the legislation.  

If personal data is to be transferred outside the UK or EEA to a country which is not designated as ‘adequate’ then (if we are not relying on consent) we will ensure that appropriate safeguards are in place. These include the International Data Transfer Agreement or EU Standard Contractual Clauses, with the UK Addendum. This is to ensure that we comply with the UK’s GDPR legislation.  

We will take all reasonable steps to ensure that your personal data is treated securely, in accordance with this privacy notice.  

Individual rights  

Individuals have certain rights over their personal data and data controllers are responsible for fulfilling these rights as follows:  

  • Individuals may request access to their personal data held by us, as a data controller.  
  • Individuals may ask us to rectify personal data submitted to us.  
  • Individuals may request that we delete their personal data from our systems.  
  • Individuals may have other rights to restrict or object to our processing of personal data and the right to data portability.  
  • Individuals may request information about, or human intervention into, any automated data processing that we undertake.  

Where we process personal data based on consent, individuals may withdraw their consent at any time by contacting us.  

If you wish to exercise any of these rights, please email 


We hope that you won’t ever need to but, if you do want to complain about our use of personal data, please send your complaint to our Director of Finance and Administration at Please include all details of your complaint in your email. We will investigate and respond to all complaints we receive.  

You also have the right to lodge a complaint with the UK data protection regulator, the Information Commissioner’s Office (ICO). For further information on your rights and how to complain to the ICO, go to the ICO website.

Data controller and contact information  

If you have any questions about this privacy policy, or how and why we process personal data, please email Our postal address (if you cannot email) is Meningitis Research Foundation, Room 703, The Programme Building, The Pithay, Bristol BS1 2NB. 

Changes to our privacy policy 

Updates to this privacy policy will appear on our website ( This privacy policy was last updated in May 2024.