General Data Protection Regulation (GDPR)
St Nicholas Hospice Care’s commitment to GDPR
St Nicholas Hospice Care strives to keep your data safe and to use it in a way that suits your interests. We comply with the General Data Protection Regulation 2016. The General Data Protection Regulation (GDPR) came into force on 25 May 2018, replacing the Data Protection Act 1998.
GDPR is designed to strengthen and unify individuals’ data protection. In simple terms, it means there will be a new set of standards to strengthen the control people have over their personal data.
There are lots of similarities between the current regulations and GDPR, but there will also be a range of new definitions, requirements of data controllers and processors, regulatory powers, and rights of data subjects.
If you wish to know more about GDPR please visit the ICO website https://ico.org.uk/
It is St Nicholas Hospice Care’s responsibility to ensure that the personal data you have given us is kept safe and only used in the correct way.
We have an obligation to only ever communicate with you in ways you have told us are ok, and to only talk with you about things you have said you want to hear about.
We update our records regularly to ensure that supporters who want to hear from us are getting the latest Hospice news, as well as information about our events and supporters.
What are the changes with GDPR?
One of the biggest changes is around obtaining consent to use personal data. The new requirement will affect how the Hospice obtains and renews consent, and the GDPR also introduces the need to record the details for auditing purposes.
This may mean that we will be asking you whether you would like to keep receiving information from us in the future. This information could be anything from information about fundraising events, details about challenges and activities you have signed up to, or the Hospice’s magazine for supporters, St Nic’s.
Other changes include:
• A wider definition of personal data
• New categories of sensitive personal data
• Increased rights for data subjects
• Appointment of a Data Protection Officer
What is personal data?
Personal data is about living people and could be:
• their name
• medical details
• banking details
The GDPR applies to all personal data which it defines as:
“Personal data means any information relating to an identified or identifiable natural person.”
• It applies to both automated personal data and to manual filing systems
• Personal data that has been anonymised
• It also applies to sensitive personal data. This includes information like: racial or ethnic origin, political opinions, religion, or information about their health.
The GDPR does not change the duty we have to protect the personal and medical information you share with us. This will always remain a priority for St Nicholas Hospice Care.
The GDPR does create some new rights for individuals as well as strengthening some of the rights currently covered by the Data Protection Act.
What data do we record about you?
As an organisation we only ask for the information we need. This could be information to process donations or keep people informed about events and activities they have signed up to. We also record when people have fundraised for us, donated to a shop or supported us in another way.
As a general rule we will record your name, address and any contact information that you choose to give us. There may be occasions when further details are needed, but this will always be explained and you can always choose what to tell us.
We also never sell your information on to anyone – and there are no exceptions to this.
Sometimes we might share your information with companies that work on our behalf, for example when we use a mailing house to print and post some of our larger mailings, but all details are sent in a secure, encrypted form and are never kept by them.
We also have contracts with them to ensure they treat your data as carefully as we do.
For more information please refer to our Privacy Notices https://stnicholashospice.org.uk/privacy/
How do we contact people?
You decide how and when we contact you and you can change this at any time. You can also tell us not to contact you at all. We are very careful to keep our communication relevant and think about what we send to you.
If you would like to make changes to the way you receive information from St Nicholas Hospice Care, please telephone 01284 766133 or email email@example.com.
GDPR and consent
The GDPR’s definition of consent is similar to that of the Data Protection Act 1998 (DPA), but adds detail about how it should be given.
The DPA’s definition is:
“Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”
Whereas, the GDPR definition is:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
Data Privacy Impact Assessments (DPIAs)
DPIAs are used to assess the compliance of new projects, processes, software and hardware involving the processing of person identifiable data (PID) with the General Data Protection Regulation 2016 (Article 35).
Our DPIAs follow a formal sign-off process which includes sign-off from our Caldicott Guardian, Data Protection Officer, IT Manager and Senior Information Risk Owner.
ICO Registration Number: Z6835495
ICO Registration Trading Number: Z2774828
Accessing your health records
Under the Data Protection Act 2018 individuals have a right to access information recorded about themselves, e.g. patient records.
If you would like access to your records please write to:
Clinical Admin Office
St Nicholas Hospice Care,
Bury St Edmunds,
Suffolk IP33 2QY
Or you can download the application form here and send it to the address above.
Further background to the GDPR
The GDPR was proposed by the European Commission in 2012 and agreed by the European Parliament and Council in December 2015.
It was formally adopted and published in the Official Journal of the EU in May 2016, with the publication including a two year lead time for full implementation.
Despite the vote to leave the European Union, the Government has confirmed that it will adopt the GDPR.
The main aim of GDPR is to harmonise data protection law across Europe, and to bring it up to date with technological advancements.
GDPR will mean that the Information Commissioner’s Office (ICO) will have greater enforcement powers, including the ability to issue fines for a much wider range of breaches of the regulation.
The maximum available fine will increase significantly from the current level of £500,000 to €20 million or 4% of annual global turnover, whichever is higher.
More information on GDPR can be found on the ICO’s website here.