Privacy Policy
1. INTRODUCTION
1.1. At Great Oaks Hospice, we value our patients, staff, volunteers, Directors, contractors and our donors and supporters and we are committed to protecting your privacy. Under the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. The purpose of this statement is to share with you our policy concerning your privacy.
1.2. At Great Oaks Hospice, we want you to be reassured that we will treat your donations and support in the best possible way to enable us to continue providing vital care to our community. We are only able to keep providing our services each year because of the kindness and generosity of people like you.
1.3. We want to ensure that you are comfortable with and understand how we use your data and promise to respect any personal data that you are happy to share with us or allow other organisations to give to us. It is important for us to have this information, so we can communicate with you in the way that you desire, to process your donations and to help us raise vital funds as reasonably and effectively as possible.
1.4. This Privacy Policy informs you how and why we process your personal information. We will also provide examples of the information, uses and organisations we work with, but please note these lists are not exhaustive and may change from time to time.
2. HOW AND WHY WE PROCESS YOUR PERSONAL INFORMATION
2.1. Great Oaks Hospice will only process information relating to you for as long as there is a lawful basis in line with the Data Protection Act 2018 and the UK GDPR.
2.2. Great Oaks Hospice processes personal data for the following reasons:
• Hire to Retire (Employees, Directors, Contractors, Volunteers)
• Patient Care and support
• Donations
• Purchase and Sales Ordering
• Events
• Marketing / Fundraising
• Manage and audit our services
2.3. The following legal bases are the ones we will most commonly rely upon for delivery of our care and services.
• Public interest – to process information to deliver our care and support.
• Contractual – provision of health and social care services in line with our contracts to deliver our care services.
• Legal obligation – to manage personal data in line with data protection legislation.
• Consent
2.4. Most of our data processing is for lawful / contractual obligations or for legitimate interests. For any purpose other than lawful / contractual obligations, processing will only be made with clear, explicit and affirmative consent by the data subject.
3. EMPLOYEES, DIRECTORS, CONTRACTORS, VOLUNTEERS – HOW WE COLLECT YOUR PERSONAL DATA AND WHY
3.1. We may collect this information from a number of sources, including but not limited to you, your personnel records, the Home Office and previous employers.
3.2. We will keep records of your application and personal information, whether successful or unsuccessful, in paper and electronic forms in accordance with our data retention policy. Details of the information we process include, but are not limited to:
• Name and contact details e.g. address, telephone number and e-mail
• Education and employment history
• References and their contact details
• Application form
• Interview notes
3.3. At the time of job offer, we will also collect further information from you and hold it on your HR file, for example:
• Forms of Identification
• Proof of eligibility to work in the UK
• Disclosure and Barring Service Checks
• Credit and Fraud Checks
• Occupational Health Assessments
• Driving licence, vehicle registration and insurance documents
• Equal Opportunities information
• Emergency contacts
• Bank details
• National Insurance / Social Security Numbers
• Pension details
3.4. Why do we process your information?
We will use your personal data for:
• performing the contract of employment (or services) between us;
• complying with any legal obligation;
• if it is necessary for our legitimate interests (or for the legitimate interests of someone else). However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing.
3.5. We can process your personal data for these purposes without your knowledge or consent. We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
3.6. We may share your information with other organisations when we are required to do so by law, for example:
• If we are sent a request from the Police under the Crime and Disorder Act 1998
• If there is a need to protect and safeguard vulnerable children and adults
• If there is a public health need such as preventing the spread of infectious diseases
• If we receive a formal order from a court acting in its judicial capacity
4. WHICH OTHER ORGANISATIONS DO WE WORK WITH? (EMPLOYEES, DIRECTORS, CONTRACTORS, VOLUNTEERS)
4.1. For Great Oaks Hospice to operate, we need to engage with other organisations for the provision of some services. All third-party contracts are assessed to ensure compliance with the UK General Data Protection Regulation. Examples of contracted services include:
• HR Services
• Occupational Health Services
• Payroll and other payments
• Pensions
• Training
• Professional services, which include Financial / Employment Services and Health and Safety
4.2. The same legal obligations relating to Data Protection apply to employees, Directors, contractors, and volunteers.
4.3. You are obliged to report any breach of this policy to your line manager, SIRO, Caldicott Guardian or the CEO.
5. SUPPORTERS AND DONORS – HOW WE COLLECT YOUR PERSONAL DATA AND WHY
5.1. We collect your personal information when you ask about our activities, take part in our events, make donations, and sign up to our newsletters and updates. We keep records of your personal information in paper and electronic forms. Details of the information we process include, but are not limited to:
• Name, address, telephone number, email address, age
• Dietary Requirements (if applicable)
• Payment information and donation history
• Records of consent and correspondence preferences
• Records of activities attended
• Photographs, quotes, or video footage when you have taken part in our events
5.2. There are various ways that we might collect personal data from supporters and donors.
5.3. You may give us your data indirectly through third parties like JustGiving, or you may pass on your details to enable us to fulfil your request, or you may agree for your information to be passed on. Many supporters use online fundraising pages such as JustGiving to raise sponsorship. If you agree to them sending us your details, they will do so and we will use the information to thank you or for other purposes you consent to. If you set up a regular gift via standing order or direct debit, your bank will send necessary details through to us to process or administer your donations. If someone registers you for an event on your behalf, you may agree for them to give us your details.
5.4. How do we use your information?
How we use your information will largely depend on why you are providing it. We use the personal information collected from supporters and donors for a number of purposes, including:
• To give you the information, support, services or products you have requested.
• To provide further information about our work, services, activities or products.
• To process donations or payments we have received from you.
• To further our charitable aims, including for fundraising activities.
• To fulfil sales made online or through our shops.
• To claim Gift Aid on your donations.
• To keep a record of your relationship with us and for internal administrative purposes (such as accounting and records), and to let you know about changes to our services or policies.
• To look into, and respond to complaints, legal claims or other issues.
• To invite voluntary participation in research or surveys.
• To register and administer your participation in events for which you have signed up.
• To analyse and improve our work, services, activities, products or information (including our website) or for our internal records.
• For fraud prevention, credit risk reduction or otherwise as required by law or regulation.
• We may also use your personal information for other purposes which we specifically notify you about and, where appropriate, obtain your consent.
• We may analyse your data for research purposes to improve our services, or to try to understand your preferences in order to contact you in the most appropriate and relevant way.
5.5. How do we process your information lawfully?
Great Oaks Hospice will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:
• Contract – to process your information in order to perform our contract with you, for example when you sign up to our fundraising events or make a donation.
• Legitimate interest – to process your data to support fundraising activities.
• Consent – to send you direct marketing via electronic means in line with Privacy and Electronic Communications Regulation. You have the right to withdraw consent from this type of processing at and we will stop immediately.
• Legal obligation – to comply with the law, for example when we keep a record of donations and Gift Aid for the purpose of financial audit HMRC requirements.
6. WHICH OTHER ORGANISATIONS DO WE WORK WITH? (SUPPORTERS AND DONORS)
6.1. All third-party contracts are assessed to ensure compliance with the UK General Data Protection Regulation. Examples of contracted services include:
• Payment Processing – we work with organisations to process payments for donations.
• Griffiths Marshall – payroll and auditing
• Offa – IT
• Eproductive – shop tills
• Elavon
• Donorfy – supporter relationship management
6.2. It is our promise at Great Oaks Hospice to never share or sell your data to any third party for marketing purposes.
7. PATIENTS AND CLIENTS – HOW WE COLLECT YOUR PERSONAL DATA AND WHY
7.1. Great Oaks Hospice collects your data to ensure the best possible service provision. The privacy and confidentiality of our patients is an organisational priority and we strive to maintain compliance with data protection legislation and UK GDPR requirements to ensure the protection of your data.
7.2. All information held by Great Oaks Hospice is fully, fairly and transparently processed. We access your health records through a system called SystmOne. On referral, you have the option to consent to us accessing your GP records and other records held on this system. You will also be asked if you would like the sharing of information to be turned on, enabling other health care professionals who use SystmOne to see your Great Oaks Hospice records. You are within your rights to decline information being shared in to us and out to other organisations.
7.3. We are also required to share information such as NHS numbers and service use with the local Integrated Care Board (ICB). This will be explained to you at the point of referral. All our staff who access SystmOne will have completed their GDPR training, read our Confidentiality Policy and will have signed a confidentiality disclaimer form.
7.4. If you have not consented for your information to be shared but we feel we have a legal obligation, duty of care or a concern, then we will share it with the relevant body, for example a GP or Mental Health Practitioner, if this is in your best interests.
8. STORING YOUR INFORMATION
8.1. We will store your information on SystmOne (Patients and Clients), Eproductive (Gift Aid) and Donorfy (Supporters and Donors). This information will only be available to those who are authorised to access it. We will always ensure that we retain your information in accordance with legal and regulatory requirements. If we feel that there is no need to retain your data, unless you have requested otherwise, your data will be archived.
8.2. Employee, contractor and volunteer personnel files will be retained securely on-site at the Hospice for a period of 6 years after employment ceases, at which point they are destroyed through confidential waste.
8.3. Clinical and Confidential notes will be held in line with the NHS Records Retention Process, for eight years, unless there was a medical reason to retain the records for a longer period.
8.4. Donations made under ‘Gift Aid’ will require HMRC to store data for financial auditing purposes.
9. YOUR RIGHTS REGARDING YOUR DATA
9.1. Under the Data Protection Act 2018 and the UK GDPR, you have the following rights relating to your personal information:
• Right to Access (Subject Access Request / Access to Health Records)
• Right to Rectification
• Right to Erasure (Right to be forgotten)
• Right to Object
• Right to Restrict Processing
• Right to Data Portability
• Right not to be subject to automated decision-making including profiling
• You have the right to information about what personal data we process, how and on what basis as set out in this policy.
• You have the right to access your own personal data by way of a subject access request (see above).
• You can correct any inaccuracies in your personal data. To do this you should contact the Caldicott Guardian.
• You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the Caldicott Guardian.
• While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the Caldicott Guardian.
• You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop.
• You have the right to object if we process your personal data for the purposes of direct marketing.
• You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month.
• You have the right to be notified of a data security breach concerning your personal data.
• In most situations we will not rely on your consent as a lawful ground to process your data. If we do, however, request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact the Caldicott Guardian.
• You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
10. SUBJECT ACCESS REQUESTS
10.1. Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing to the Caldicott Guardian who will coordinate a response.
10.2. We must respond within one month unless the request is complex or numerous, in which case the period in which we must respond can be extended by a further two months.
10.3. There is no fee for making a SAR. However, if your request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to respond to your request.
11. TRANSFERRING YOUR DATA
11.1. Great Oaks Hospice stores your personal data on our internal databases, but we may use other third-party organisations to help with fundraising and marketing services. Some of these providers may transfer your data outside of the UK, for example Zoom, MailChimp, Eventbrite, JustGiving, Donorfy, etc.
11.2. If your data is to be processed outside of the UK, we will ensure that there is equivalent data protection legislation compliance and that your data will be kept secure. We will also ensure that any third-party organisation will keep your data safe when transferring any data outside the UK.
12. FUTURE CHANGES TO OUR PRIVACY POLICY
12.1. From time to time, it might be necessary to make changes to our privacy policy. Any updates will be indicated on this policy, and this will provide the most up to date and accurate information to our supporters. If we make any significant changes to how we use your data, we may contact you directly as well as making changes clear on this document.
13. COOKIES
13.1. You should also be aware that information can be obtained indirectly using Cookies.
13.2. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site.
13.3. We use several different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit http://www.aboutcookies.org for detailed guidance.
13.4. The list below describes the cookies we use on this site and what we use them for. Currently we operate an ‘implied consent’ policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete the cookies having visited the site, or you should browse the site using your browser’s anonymous usage setting (called “Incognito” in Chrome, “InPrivate” for Internet Explorer, “Private Browsing” in Firefox and Safari etc.)
13.5. First Party Cookies – These are cookies that are set by the Great Oaks Hospice website directly.
13.6. Google Analytics: We use Google Analytics to collect information about visitor behaviour on our website. Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. This Analytics data is collected via a JavaScript tag in the pages of our site and is not tied to personally identifiable information. We therefore do not collect or store your personal information (e.g. your name or address) so this information cannot be used to identify who you are. You can find out more about Google’s position on privacy as regards its analytics service at https://support.google.com/analytics/answer/6004245?hl=en
13.7. WordPress: Our website runs the popular WordPress CMS and cookies are used to store basic data on your interactions with WordPress, and whether you have logged into WordPress. We use a session cookie to remember your log-in for you if you are a registered user and we deem these as being strictly necessary to the working of the website. If these are disabled, then various functionalities on the site will be broken. More information on session cookies and what they are used for is available at http://www.allaboutcookies.org/cookies/session-cookies-used-for.html
14. ADMINISTRATION OF THE PRIVACY POLICY
14.1. The Registered Manager is responsible for the administration of the Privacy Policy. Should you have any feedback, please contact the Registered Manager.