Privacy

On this page, you will find information regarding: 

• What is personal data?
• Why is my personal information so important?
• What are my rights?
• What is your legal basis for processing my personal information?
• Why do you collect my information?
• Do you share my information?
• Has anything changed about sharing my information during COVID-19?
• Is my information processed by any third parties?
• How long do you hold my data for?
• How do you secure my information?
• What do I do if I have a question or concern?
• How do I access my information?
• How can I update my details or preferences?

What is personal data?

By personal data, we mean any information that might allow you to be identified, such as your name, address, date of birth, credit card details, I.P. address, photo or video image or voice recording. For our patients, staff and volunteers, some of this data will be sensitive and relate to their health and wellbeing, ethnicity and religious views.

You can read more about the use of cookies by clicking here.

Why is my personal information so important?

St Nicholas Hospice Care is obliged to protect the privacy rights of all individuals. This means when a person chooses to share their information with us. We strive to keep it safe with strong security measures.

It is the responsibility of the Hospice’s staff and volunteers to protect against unauthorised processing of information and against accidental loss, destruction and damage. We ask any third-party organisation that processes data on our behalf to match and demonstrate the same high standards. Contractors must comply with the law, as well as our data security and confidentiality procedures, and must sign a binding agreement.

We have signed up to the Digital Ethics Charter as part of our commitment to how we will use and protect data. You can read more information by clicking here.

What are my rights?

The rights of everyone protected by law are:

• the right to be informed about the processing of your personal information
• the right of access to your personal information and to obtain information about how we process it
• the right to have your personal information rectified if it is inaccurate and to have incomplete personal information completed
• the right to object to the processing of your personal information
• the right to restrict the processing of your personal information
• the right to erase your personal information (the ‘right to be forgotten)
• the right to move, copy or transfer your personal information (‘data portability’)
• rights in relation to automated decision making, which has a legal effect or otherwise significantly affects you

What is your legal basis for processing my personal information?

Health Purposes

GDPR Article 6 (1) (e) Public Task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

And special category data:

GDPR Article 9 (2) (h) Health or social care (with a basis in law)

Basis in Law:

DPA18 Schedule 1, Part 1, Section 2 (1) this condition is met if the processing is necessary for health or social care purposes.

Employment & Recruitment

GDPR Article 6 (1) (b) Contract: Employment, social security and social protection (if authorised by law)

And special category data:

GDPR Article 9 (2) (b) Employment, social security and social protection (if authorised by law)

Basis in Law:

DPA18 Schedule 1, Part 1, Section 1 (1) this condition is met if the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection

Fundraising, Events, Lottery and Donations

GDPR Article 6 (1) (a) Consent: Explicit consent

GDPR Article 6 (1) (f) Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

CCTV

GDPR Article 6 (1) (f) Legitimate Interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

And in accordance with the law:

Legitimate Interest Assessment and Data Protection Impact Assessment carried out justifying the use at St Nicholas Hospice sites.

Retail, eCommerce & GiftAid

GDPR Article 6 (1) (a) Consent: Explicit Consent

Why do you collect my information?

We may collect personal information about you when you take part in one of our fundraising events or challenges, make a donation, play our lottery or raffles, buy items in our shops, apply to work or volunteer with us or use our website. If you are referred to one of our clinical services, we will collect data from you and may also receive it from other healthcare providers.

Information collected on service users: Name, date of birth, address, phone number, email, next of kin, ethnicity, current and historical health information

Information collected on supporters: Name, date of birth, address, phone number, email and next of kin (in some circumstances).

Information collected on staff and volunteers: Name, date of birth, address, phone number, email, next of kin, ethnicity, bank details, pension and tax information, and current and historical health information.

Do you share my information?

On occasion, information will be shared with other health professionals, social care professionals, carers or organisations involved in your care.

We may also share information if there is a lawful basis to do so. Such as a court order, or a declaration from the Police stating it’s for the detection or prevention of crime or is required in the vital interests of the individual or the general public.

We are also part of the My Care Record scheme. You can read about this by clicking here.

We share information with the Record Once Share Insight project, which you can find more information about here.

Population Health will provide your care team with electronic access to the information they need to make the best decisions about your health and care. To learn more click here.

There is a national project that collates data from across the country to improve future health resources. Read more here.

Has anything changed about sharing my information during COVID-19?

During the COVID-19 pandemic, we may be required to share your medical information under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) for the purposes of research, protecting public health, providing healthcare services to the public and monitoring and managing the COVID-19 outbreak and incidents of exposure. This Notice is imposed on us by the Secretary of State for Health and Social Care and will be reviewed on or before 31st March 2022 and may be extended by The Secretary of State. If no extension is made, this Notice will expire on 31st March 2022.

Is my information processed by any third parties?

We use third-party systems and use third parties to carry out some processing on our behalf.

• SystmOne – Clinical System – The Phoenix Partnership
• Radar Healthcare – Compliance System – SmartGate Solutions Ltd
• Compass – HR System – CIPHR Ltd
• Mailchimp – Mailing House – The Rocket Science Group
• Office365 – Communication, data storage and administration – Microsoft
• NHS Mail – Secure communication – NHS Digital
• Stripe – Payment System – Stripe
• Better.care – ROSI application provider
• CARE IS – ROSI integration solution specialist
• Cohesion Medical – ROSI and Me app

How long do you hold my data for?

Information is retained in line with the NHS Records Management Code of Practice 2021, which you can read about on the NHSX website by clicking here.

How do you secure my information?

The security of your information is very important to St Nicholas Hospice. We use a range of security measures, including but not limited to:

• Hard Drive Encryption
• Encrypted links (such as the Health and Social Care Network)
• Anti-Virus Software, including Anti-Malware
• Firewalls
• Regular Security Patch Updating
• Staff Training
• Username and Password Access Control
• Role-Based Access Control (NHS Smartcards)
• HTTPS Website Encryption

What do I do if I have a question or concern?

You can contact our team by emailing governance@stnh.org.uk with your queries or concerns. Or you can write to:

St Nicholas Hospice Care, Hardwick Lane, Bury St Edmunds, Suffolk IP33 2QY

Our team is made up of:

Data Protection Officer – Michael Pollington (Cert EU GDPR practitioner)

Information Governance Lead – Michael Pollington (Cert EU GDPR practitioner)

Senior Information Risk Owner (SIRO) – James Rae – Head of Corporate Services

Caldicott Guardian – Dr Sarah Mollart – Palliative Care Consultant

You can also contact us by using this form.

You can also check out the Information Commissioners Office (ICO) website at www.ico.org.uk.

If any concerns are not answered to your satisfaction, you can directly contact the ICO. Details are available by clicking here.

How do I access my information?

Under the Data Protection Act, 2018, individuals have a right to access information recorded about you, e.g. patient records.

If you would like access to your records, please complete our online form by clicking here.

How can I update my details or preferences?

With your information, we can keep in touch with you. Also, if you’re a UK taxpayer, we can increase the value of your donations through GiftAid, at no extra cost to you.

Please share or update your preferences below, or use the form to ask us to stop using your information.