Why your personal information is so important
St Nicholas Hospice Care is obliged to protect the privacy rights of all individuals. This means when a person chooses to share their information with us, we strive to keep it safe with strong security measures.
It is the responsibility of the Hospice’s staff and volunteers to protect against unauthorised processing of information and against accidental loss, destruction and damage. We ask any third party organisation that processes data on our behalf to match and demonstrate the same high standards. Contractors must comply with the law, as well as our data security and confidentiality procedures and must sign a binding agreement.
Terms and definitions
The General Data Protection Regulation (GDPR) defines the laws governing the protection of personally identifiable information (PII). Throughout this privacy notice we may use words such as data and information in reference to PII.
When we draw specific attention to ‘sensitive information’ we are referring to the types of information highlighted by the law as requiring additional protection and consideration when processing. An example would be information relating to health and medical needs.
We also use the words process, share, record, use, collect and store to describe the handling of personally identifiable information.
What are your rights?
The rights of everyone protected by law:
- The right to be informed about the processing of your personal information
- The right to have your personal information corrected if it is inaccurate and to have incomplete personal information completed
- The right to object to the processing of your personal information
- The right to restrict the processing of your personal information
- The right to have your personal information erased (the ‘right to be forgotten’)
- The right to request access to your personal information and to obtain information about how we process it
- The right to move, copy or transfer your personal information (‘data portability’)
- Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you
If you wish to exercise your rights in relation to information being stored with the Hospice, please contact firstname.lastname@example.org or telephone 01284 766133 and request to speak to our Governance Lead.
If you wish to make a complaint about the Hospice’s use of your data, you can contact our data protection officer Sara Taylor by email, email@example.com or follow our complaints procedure by visiting https://stnicholashospice.org.uk/contact-us/complaints-and-feedback/
In general, the Hospice uses personal information when:
- We support people (patients and service users)
- People choose to support the Hospice through fundraising
- Recruiting and managing our staff and volunteers
- People visit our website
- People visit Hospice premises
This privacy notice handles each of these activities in turn, as the purposes and handling of information vary and we want to be as clear as possible. However, you will find the same type of information each time:
- Why we collect the information and under what lawful basis
- When do we collect the information
- What types of information
- How is it stored and who is it shared with
The information collected and used to support people
Why information is collected from those we support and under what basis
When supporting people we will always ask for their consent to use their information for the following purposes:
- To safely care for the people using Hospice services
- To show the Hospice’s impact to regulators and grant funders
- To develop insights on the quality and effectiveness of our services
What happens when a person provides information about other people
- If you provide personal data to us relating to any person other than yourself, they must be aware of and understand how their personal data is used. You must also have their permission to consent to its use on their behalf.
The instances when we process information without consent
- In situations where sharing data is necessary to protect the vital interests of the person, such as life-saving treatment, we may share records with other organisations without consent
- If we are presented with a warrant regarding an investigation, we may be legally obliged to provide information
- If a service user has indicated an intention to harm others, or for communicable disease reasons, data would be shared for public interest
- To respond to general requests we will contact the person on the basis of legitimate interest
When we care for children
The Hospice supports bereaved children and therefore records sensitive information about them.
- For the children’s bereavement programme, Nicky’s Way, consent is obtained from a parent or guardian
- For young people under 16 seeking bereavement support in their own right and without parental consent, their own competence will be assessed in line with legal guidance
- In the case of referrals made under Safeguarding Adults or Safeguarding Children, consent is not needed, as the child’s vital interests are the priority if abuse is suspected to have taken place or someone is in danger.
When do we collect your information and consent
- The first time a person contacts the Hospice seeking to be referred to services, our clinical team will ask for your consent to record your information, as well as specific permissions around how data is shared amongst health and social care providers
- If a person is not able to provide consent during their first contact, it will be noted, and a further request for consent will be made at the next point of contact
What types of information are collected
All information we collect will be necessary for delivering care to people, such as:
Full name, address, internal ID numbers, questions and responses, date of birth, services used, healthcare services, gender identity, phone number, email address, government services and location data.
How do we store and share information of people we support
We use SystmOne, an electronic patient records system to store clinical information on the people supported by our services.
Hospice staff: Access is granted to those responsible for care; this includes health care professionals, doctors, chaplaincy, administrative roles and management.
Healthcare partners: If a patient has provided us with consent to share records with other organisations, they should expect that GPs, community nurses and hospitals will have access to the information they’ve provided to the Hospice.
Please read about sharing in/sharing out below for more detail on how your health records are shared between organisations.
Sharing in/sharing out detailed information
The seamless exchange of information with healthcare partners is required to achieve seamless care. In addition, various kinds of legislation require the sharing of information between agencies.
We will only share patient data outside of the organisation when it is totally relevant and essential in the further or ongoing treatment of the patient.
SystmOne has two settings, allowing the people it cares for to control how their medical information is shared.
- Sharing out – The person decides whether their information recorded at the Hospice can be shared with other healthcare services, such as GPs
- Sharing in – The person decides whether their information recorded by other healthcare providers can be seen by Hospice staff. This means you can restrict which organisations and services have access to your records.
A person can request for individual entries in their records to be marked ‘PRIVATE’ and these will not be visible to any care service other than the one that recorded the information.
People who support us
Why information is collected from those who support the Hospice and under what basis
We are so fortunate to have many individuals in the community who support the Hospice by engaging in fundraising activities. We believe these people have shown a legitimate interest in our charity through their own choice to support us, and so we store and use their information to:
- Keep a record of their fundraising and communication
- Analyse data to anticipate changing wants and needs, in order to improve how we ask for support and the ways we can support people with their fundraising.
What we never do with a supporter’s information
- We will never sell your information on to anyone – and there are no exceptions to this.
The times when we process information under consent and legal obligation
- We often ask for the explicit consent of a supporter’s parent or guardian for activities that involve people under the age of 18
- We process information on a contract basis in order to fulfil registrations to events, lottery membership or Gift Aid
- When using email in the context of marketing we will ask for explicit consent
When are we likely to collect the information from supporters
- When a supporter registers for an activity relating to fundraising or they make a donation, we will provide forms to collect their information. These forms always reference terms and conditions and provide opportunities to update their consent and communication preferences
- We like to ensure supporters have every opportunity to change their preferences, and so if we notice an individual has not engaged in a meaningful way in 24 months, we will seek to renew their preferences by contacting them.
How can supporters change their preferences
Please call 01284 766133 if you would like to change your preferences or preferably email your new details (please include your old details) to firstname.lastname@example.org.
Also, visit stnicholashospice.org.uk/yourdata to submit new details, as well as the opportunity to read more on how we look after your data.
What types of information do we tend to ask from supporters
We will only collect information which is necessary for the activities supporters participate in or subscribe to, and/or related to their communication preferences.
In general, we may ask and record types of information such as:
Full name, purchases, financial history, donations, date of birth, services used, promotions used, gender identity, email address, payment transactions, location data and marketing preferences
The instances where we may ask for sensitive information
For events where protecting the supporter’s health and safety is necessary, we will collect information to ensure we can look after them during their chosen activity:
Where data is stored and who is it shared with
We will take payment details from you if you choose to make a donation or support us financially in another way.
Credit and debit cards
We never keep your credit card or debit card numbers on our databases. Once processed, these are destroyed and removed from any forms. As an extra security measure, we also no longer ask for your CSV code on paper forms.
Direct debit and standing orders
If you give us your bank account and sort code to set up a direct debit or standing order we will keep these to process a recurring payment.
We use a company called Rapidata to process all direct debit payments, both on and offline. It is a leading direct debit processor based in the UK, and is bound by the same data protection laws that we are. All information Rapidata processes is confidential and all information we send to them is encrypted. You can read more about Rapidata here: http://rapidataservices.com/about-us/
We use Stripe, an international payment provider, to process card payments online. It’s very secure – Stripe has been audited by a PCI-certified auditor and has, in turn, been certified as a PCI Level 1 Service Provider, the most stringent level of certification available. You can confirm its certification in Visa’s registry of service providers. All information is encrypted and we never keep or store your card information on our databases.
We also take payments by cheque, cash and CAF voucher. We will record amounts and cheque information for processing purposes.
What about our shops?
If you donate goods to our shops, we may ask for your details in order to claim Gift Aid on your donation. It is your choice whether you give us this information. We may use these details to let you know about other fundraising events or campaigns, but you can tell us if you do not want this to happen.
If a card payment is taken for goods in a shop, we never store the card number on our database.
Communicating with supporters
St Nicholas Hospice Care uses a third-party supplier called Mailchimp to send emails to its supporters relating to fundraising activities. Mailchimp’s servers are based outside the EU and the company has confirmed that it takes the appropriate steps to comply with the GDPR.
People who contact us via social media
We use a third-party provider, Hootsuite, to manage our social media interactions.
Recruiting and supporting staff and volunteers
Why information is collected from staff and volunteers and under what legal basis
The Hospice collects information necessary to begin and maintain its relationships (contractual or voluntary agreement) with staff and volunteers, for example:
- Recruitment (application forms, CVs, DBS, verification documents)
- Support health and wellbeing in the work environment
- Smooth operation of insurance policies and pension plans
- To provide equal opportunities to all members of the organisation
What we never do with staff and volunteer information
- Give out personal information without the employee’s or volunteer’s permission, unless it is in the interest of protecting their safety.
We process your information for other purposes
- The Hospice will use legitimate interests in order to communicate about organisational developments and new activities
- We use third parties to manage pension and insurance activities; we will ask for a staff member’s consent to share information
- We work with third parties to provide staff benefits (childcare vouchers, Westfield Health); we will ask for your consent to share your information
- A person’s consent will be required before we share information for occupational health assessments
What types of information do we hold on people who work and volunteer for us
In general, we ask and record information such as:
Full name, internal ID numbers, financial history, date of birth, gender identity, passport numbers, email address, education services, location data, driving licence number and bank details
The instances where we may ask for sensitive information
For the purposes of our duty in supporting the health and wellbeing of our staff and volunteers in their roles:
- Medical or health information
- In relation to the Disclosure and Barring Service, you may be asked to disclose criminal offences and convictions
To provide fairness of opportunity during recruitment we ask people if they can provide information relating to:
Where data is stored and who is it shared with
CIPHR (Internally referred to as Compass)
The Hospice uses a cloud-based service provided by CIPHR to store applicant, staff and volunteer information; this will include personal information. CIPHR, along with its data centres, is UK based and registered with the ICO. CIPHR is ISO27001:2013 accredited, which means the data they store is secure and protected to an industry standard.
Role-based permissions are used to manage access to your data, so only appropriate Hospice staff can access your personal information.
You have a right to access your information, and so a Subject Access Request can be made to a line manager or directly to HR, who must honour your request within one month.
The Hospice receives applications from a number of sources: NHS jobs, website email, independent email and post. Regardless of source, all applications are scanned onto the Hospice’s local server at the point of shortlisting.
All non-successful applications and associated data (identification documents, interview notes) will be held for six months and then destroyed.
Paper records – contract of employment (name, address)
When people visit our website
Why information is collected from those who visit our website and under what basis
St Nicholas Hospice Care’s website helps members of the local community and the world learn more about how we support people and how they can support us.
In general, the website provides online forms which allow people to submit information to make contact or register for activities. At any point where a visitor is asked to share information, the reasoning will be clearly explained with reference to terms and conditions and privacy notices.
When someone visits stnicholashospice.org.uk we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to understand how people are using our website, such as identifying popular content or user experience issues.
We do try not to identify individuals, and do not allow Google to make any attempt to find out the identities of those visiting our website.
We use a third-party company, Rackspace, to host our website and store personal information submitted by contact forms and event registration forms. Whenever we ask for personal information we will explain its intended use and supply you with further information about how it will be processed.
Links to other websites
The St Nicholas Hospice Care website may refer to other websites and provide links. We are unable to control how these websites protect your rights as they are not managed by us.
Visiting the Hospice’s premises
The Hospice uses CCTV systems for the legitimate purposes of security and for the vital interests of employees and people in our care.
Recorded images are accessed by written request to the Hospice and deleted every 28 days; however, in periods of increased activity, we increase the retention period to three months.
Data is only shared with the police and insurance companies in specific circumstances.
In general, the Hospice’s reception team use paper record systems to log calls, records of visitors, staff and volunteers present in the building with information being retained only for its purposes. Paper records are shredded when they’re no longer needed.
We process the information in relation to keeping people on the premises safe.