Introduction
We want to make sure you feel confident about how your data will be collected and reasonably used as part of your journey with NCT. If you have any questions about how we use your personal data or believe any of your rights have been infringed, please contact our Data Protection Officer by emailing dataprotection@nct.org.uk.
This privacy notice was last updated October 2025.
Who we are
NCT is a registered charity (in England and Wales, no. 801395 and in Scotland, no. SC041592), and a company (in England and Wales, no. 2370573). Our registered address is 27 Old Gloucester Street, London, WC1N 3AX.
We are registered with the Information Commissioner’s Office [ICO] as an organisation that collects and uses personal data, a “Data Controller”.
Personal data we collect about you and how we obtain it
Personal data is any identifiable information about you. NCT will obtain your personal data when you have given it to us (directly) or when someone else has given it to us (indirectly).
NCT provides our services in collaboration with Local Authorities and NHS Trusts. We work onsite in hospitals and, depending on the service being delivered, have restricted access to hospital systems to undertake our work.
We will need to collect and use some or all of the following types of personal data depending on the service you are using:
- Name
- Postal address
- Email address
- Phone number
- Date of birth
- Gender
- Ethnicity
- Languages spoken (including if English is your first language)
- Country of origin
- Disability information
- Emergency contact information
- Images (e.g. photographs and videos) for social media, training use, etc.
- NHS number
Why we need your personal data and the lawful basis we rely on
| Why we need your data | Lawful basis |
|---|---|
| Make initial contact with you to inform you about NCT services available to you. | Consent; or Public Interest |
| Provide you with the relevant support you need depending on the NCT service you are using, e.g. breastfeeding/infant feeding, antenatal support, postnatal support. | Consent |
| Refer you to a different service provider to ensure you receive the best possible support and care. E.g. your GP, Health Visitor, Infant Feeding Team. | Consent |
| Send you invitations to take part in NCT surveys and research regarding the service(s) you accessed. | Consent |
| Send you invitations to share your experience as a service user in our internal and external communications, including on social media. | Consent |
| Deal with any safeguarding concerns. | Legal obligation |
| Share only the necessary information with emergency or care services if you are taken ill and you cannot provide the information yourself. | Vital interests |
| Provide anonymised statistical data to the commissioning body (e.g. Local Authority) to demonstrate the impact of the service NCT provides. | Public Interest |
| Provide identifiable data to the commissioning body (e.g. Local Authority) - this is only in certain circumstances and forms part of NCT’s contractual obligations with the commissioning body. | Public Interest |
Special Category Personal Data
We will only collect and use “special category personal data”, which includes your health data, your racial and ethnic origin, your religious or philosophical beliefs, and your sexual orientation when:
- you have given your explicit consent for us to use it; or
- we are using it for health and social care purposes; or
- there is an emergency, and we need to share it with emergency services.
If our purposes of processing change
We will only use your personal data for the purposes set out above, unless we reasonably consider that we need to use it for another purpose that is compatible with any of the above. If we need to use your personal data for an unrelated purpose, we will always inform you about this and explain the GDPR lawful ground which allows us to do so.
Data Sharing
NCT will share your personal data with other organisations when we are required to by law or when GDPR allows us to do so. As a Service User, we will need to share some of your personal data with:
- Third parties – we may need to refer you to a different service provided, for example, by your GP, Health Visitor, or Infant Feeding Team.
- Commissioning bodies – we share anonymised demographic data with the commissioning body such as the Local Authority or NHS trust.
Data Processors
There may be times when we need to work with other trusted businesses to help us process your personal data along your journey with us. These other businesses are known as “data processors” or “sub-processors” as they are acting on our behalf and under strict instruction from us on what they can and cannot do with the personal data.
When we do use other businesses to process personal data on our behalf, we always ensure we have appropriate UK GDPR compliant contracts in place with each one. We also undertake due diligence checks of these businesses before entering into a contract and throughout the contract lifecycle. Some of your personal data will be processed and stored on systems by the following data processors:
- Microsoft 365
- Upshot
- 3CX (telephone system)
- Meta Platforms Inc – WhatsApp, Facebook, and Instagram
Transferring personal data outside of the UK
Sometimes it is not possible for us to process and store your personal data solely in the UK. When your personal data does need to be transferred or stored outside of the UK, we make sure we comply with the specific requirements set out in UK GDPR for us to undertake this. We will only transfer personal data outside of the UK when one of the following GDPR provisions is in place to safeguard your personal data:
- an “adequacy decision” is in place with the country where the personal data is being transferred to;
- an “appropriate safeguard” as set out in UK GDPR is in place - these include using Standard Contractual Clauses and the UK’s International Data Transfer Agreements; and
- an “exception” as set out in UK GDPR can be relied on if there is no adequacy decision or appropriate safeguard in place, for example, we could rely on your explicit consent to make the transfer of personal data.
How long we keep your personal data
We will only keep your personal data for as long as we need it to fulfil the reasons we originally collected it for. We may need to keep the personal data of service users for up to 21 years. This is because ante/post-natal records are as much the child's record as the parent's.
We retain anonymised personal data for longer so that we can use it for long term trend analysis and statistical reporting. Anonymised personal data means you can no longer be identified.
Your rights
Depending on the purpose and GDPR lawful grounds we rely on for processing your personal data, there are various rights available to you. You can:
- request access to the personal data we keep about you and be given specific information about the processing - this right always applies regardless of the processing activity we undertake.
- request we rectify personal data we hold about you if you believe it to be inaccurate - this right always applies regardless of the processing activity we undertake.
- request us to delete your personal data - this right only applies in specific circumstances; this means we don’t always need to comply with this type of request.
- request a restriction of the processing of your personal data - this right only applies in specific circumstances; this means we don’t always need to comply with this type of request.
- object to the processing when we have relied on the “legitimate interest” lawful ground to undertake the processing activity and you believe we have infringed your rights - we don’t always have to comply with such objections if we can demonstrate compelling grounds to continue with the processing.
- transfer your personal data from us to another service provider or give it to you - this right only applies to personal data you have given to us and when the processing is based on your consent or contractual basis and the processing is automated.
We do not undertake any solely automated decision making, including profiling, about you.
To find out more about the rights that apply to individuals under GDPR please refer to the guidance on the Information Commissioner’s Office website - https://ico.org.uk/for-the-public/.
If you want to exercise one of your rights, please contact our Data Protection Officer by emailing dataprotection@nct.org.uk. We shall respond to a valid request within one month of receiving it.
How to make a complaint about us to the Information Commissioner’s Office
If you are not happy with how we are processing your personal data, or you believe we have not dealt with one of your rights correctly, you are entitled to make a complaint to the ICO. The ICO has several ways in which you can get in touch with them, including post, email, and online forms. For full details of how to make a complaint, please refer to their website - https://ico.org.uk/make-a-complaint/.
Changes to our Privacy Notice
We keep our Privacy Notice under review to ensure it remains accurate and up to date and we reserve the right to modify it at any time.