About us Official information Privacy notice St Wilfrid's Hospice - Privacy notice St Wilfrid's Hospice is committed to being fair, open, honest and transparent in relation to the collection, processing and sharing of your personal data - in full accordance with the new General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This privacy notice covers all data collection (with the exception of data relating to applicants, employees and volunteers which is in a separate document) but includes core areas such clinical care (patients, relatives and carers), donors and fundraising and business and retail. Your data: the personal information we collect We will normally keep your information in an electronic format. This includes: Personal details, such as: Name, home address and email address Telephone number Date of birth Next of kin and relevant relationships For people referred for care: health information, including: Referral requests, health records and reports about your health condition Ethnicity, religion, disability, Your treatment and care including your medication Results of tests or investigations Your General Practitioner (GP) details Financial information (where you have shared this with our fundraising team), such as: Your credit card or bank account details For supporters - we collect personal data when you ask us to send you publications or newsletters, order products and services from us, make a donation to us, sign up for Gift Aid, fundraise on our behalf, or otherwise give us information. We can then ensure that we send information which matches personal interests (eg social or sporting fundraising events, campaigns and volunteering). Our fundraising team will ask supporters for their communication preferences. We usually contact you by post, occasionally by phone and, where you have specifically agreed to this, by email. We also collect information about your use of our website, including your Internet Protocol (IP) address, how much time you spend on the site, and what you like or view on our site. How we use your information We use data in many ways. A list of our reasons for processing data is shown below: Patients, relatives and carers Supporters Ongoing business Other For the care and treatment of a person using our hospice care services For the administration of all our supporters (eg donor acknowledgement, thank you letters) To plan for our future by carrying out internal analyses, reporting and monitoring To look into and respond to any complaint that has been raised To invite people to remembrance services To claim Gift Aid from Her Majesty’s Revenue and Customs (HMRC) where you have signed a declaration To satisfy Charity Commission and Companies House statutory requirements To respond to your general enquiries and messages For direct marketing (where you have consented) eg appeals, hospice updates and newsletters To monitor and analyse the use of our website To carry out appropriate governance of any accident, injury or near miss (AIMN) For the administration of an estate in order to obtain a legacy payment For the administration of training and education provision For the administration of room hire and associated bookings To log sales of donated items where Gift Aid process applies To contact organisation representatives (Patrons and Honorary presidents) To facilitate collection or delivery of customer goods by our retail company For the administration of a fundraising event (event pack) For the administration of work experience individuals To communicate regarding publications and editorials For the processing in the Hospice Lottery (eg to remind you when a subscription is due) To facilitate administration of the Hospice choir To provide data required in a third party claim via a solicitor, where consent provided (eg Mesothelioma) For the administration of those requiring Hair & Beauty treatments External faith leaders’ emergency contacts (including out of hours) If your information is to be used for any other purposes we will tell you about it and obtain the appropriate consent. Legal Basis for processing St Wilfrid’s Hospice processes personal information fairly by ensuring it has a legal basis to collect, hold and process that information: In many cases, an individual will have consented to the process, such as: Consent for medical treatment and processing your information in relation to health car (Art 9.2.h GDPR) When submitting a Gift Aid declaration, joining the Hospice Lottery or donating items where sales will go through the Gift Aid process Sometimes it is necessary to process your data for us to comply with our legal obligations, such as: Sending Gift Aid information to HMRC Any incidents, events or occurrences that require notification to the Care Quality Commission (CQC) Statutory requirements to register Trustees with the Charity Commission or Companies House The hospice will process certain information under the basis of ‘legitimate interests’ in circumstances where any individual would reasonably expect us to be using their information. St Wilfrid’s Hospice will still protect your rights and interests, ensuring that processing remains lawful, fair, and necessary, without causing harm and where there is no less intrusive way to achieve the same result. Examples include: Making a general enquiry Asking us to respond to a complaint Inviting people to remembrance services Holding contact details (and their relationship) to a patient under our care eg next of kin Holding contact details of those sponsoring a fundraiser on our behalf For the administration of those requiring hair and beauty treatments Sending you direct marketing in relation to donations and fundraising events in cases where you have supported us previously and are happy to continue receiving communications from us CCTV security Room hire booking Requesting some form of training or education Contacting choir members with regard to forthcoming activities The hospice will carry out a Legitimate Interest Assessment (LIA) for cases where legitimate interest is being used as the basis for processing information. Are you required to provide data and what happens if you don’t? For donors, you are not required to provide personal data to us. If you don’t provide personal data this may affect our ability to provide the services you request. For example, we may not be able to receive a donation from you if you do not provide your payment information and we would be unable to claim the potential addition of Gift Aid funding. If you register to receive services from our clinical teams then we have to obtain personal information from you in order for us to deliver safe care and treatment. Further processing of your data When you give us your personal information in connection with making a donation we will also use this information, apart from your financial information, for internal reporting and analysis. Patient data used for the care and treatment of a service user will be anonymised, aggregated and reported regularly (monthly, quarterly, annually) for analysis and planning of services. This will not identify individuals. We also engage third parties to provide us with data that helps us understand how we can provide the best experience for our supporters, how to best connect with them, and to give us insight so that we can provide supporters with information about topics which may be of interest. For example, we use a postcode profile classification system and may look at events that you have taken part in, sporting interests and information from trade directories and public records to create a profile of your interests and preferences. This information may be added to your supporter record accordingly. To opt out of profiling – please contact us. Data sharing and transfer Fundraising is essential to our organisation’s survival. To help us fundraise more efficiently (leaving us with more time and resources for the important work we do), we engage third parties to improve our address data eg to identify missing postcodes or to correct partial addresses. We will never sell, rent, or trade your personal data. The details of those joining the Hospice Lottery are shared with Local Hospice Lottery Ltd (who run the lottery on our behalf.) Donors making Gift Aid declarations will have their details passed to HMRC in order for us to claim these funds. Those making a regular donation will have the details of their standing order passed to our bank. In terms of ongoing patient care, if appropriate, it may be necessary to share information with organisations who provide care to ensure you continue to get the care and treatment you need. We will share information with your GP, District Nurse, NHS hospital or community teams, Adult Social Care, Continuing Healthcare and Community Care agencies. For patients requiring medical supplies or equipment, their contact details may be passed to the suppliers. In order to satisfy statutory requirements of the Charity Commission and Companies House, the hospice will pass on details of Trustees and Company Directors. The Care Quality Commission (CQC) has the powers under the Health and Social Care Act 2008 to access and use information necessary for them to carry out their functions as a regulator. As such, they may use legal powers to access information rather than consent. Holding and protecting your data Everyone working at St Wilfrid’s Hospice has a legal and professional duty to keep information about you confidential. We follow strict guidelines about how information is collected, stored and shared. Your information is further protected by St Wilfrid’s Hospice’s compliance with the requirements of the: Data Protection Act (2018) / General Data Protection Regulation (GDPR) Regulators Code of Fundraising Practice (2016) Care Quality Commission Patient confidentiality is monitored by our Caldicott Guardian, a senior clinician who ensures St Wilfrid’s Hospice protects patients’ right to confidentiality. Patient data is stored securely onsite, managed by our IT support company Ramsac. Our donor/supporter data is managed at a hosted datacentre in the EU(Amsterdam) by Blackbaud, the world’s largest cloud software company supporting non-profit organisations. Blackbaud, Inc. is the parent company of Blackbaud Europe Ltd and is a certified member of Privacy Shield, with headquarters in the United States of America. The terms and policy referring specifically to the relationship between Blackbaud and St Wilfrid’s Hospice’s, where Blackbaud is the data processor, can be found under the Business Solutions Agreement, with further specific detail under the Hosting Services agreement: https://www.blackbaud.com/terms How long do we hold your data for? We will follow national guidance or best practice and retention periods will vary according to the nature of the record. Record retention periods are: Patient records where they have received a blood transfusion under our care - 30 years Patient records - 8 years Finance records - 7 years Declarations of Gift Aid transactions - 6 years Legacy letters or copies of wills - 14 years Duty rosters - 4 years Any incidents, events of occurrences that require - 3 Yearsnotification to the CQC Donation letters/event forms/raffle tickets etc - 7 years Customer details for collection/delivery by the retail team- 3 months Your rights As an individual you have the following rights: Right of Access - Declare that we have your data. Give you a copy of your data.Right to Rectify - Correct your data.Right of Erasure - Delete your data.Right to Restrict Processing - Stop processing your data, but not delete. Right of Portability - Give you your data in a common, machine-readable format.Right to Object - to direct marketing, to processing for scientific, historical research or statistics, to processing based on legitimate interests or public interest Right not to be Profiled - Not be subject to a decision based on automated processing.Right to Withdraw Consent – if we rely on consent as the legal basis for processing.Right to Complain - to the Information Commissioners Office What should I do if I have concerns? If you have any questions or concerns about how we use your health, financial and personal information please contact us via email to [email protected] or via telephone 01323 434200. Subject access requests (for access to personal data ) can be made to Colin Twomey – Senior Information Risk Owner. Completion of a request form is required as per Appendix 1 of the Subject Access Policy & Procedure. Our Subject Access Policy & Procedure can be downloaded here. Whilst St Wilfrid’s Hospice is not currently required to appoint a legally defined role of Data Protection Officer, we continue to demonstrate our strong commitment to data protection, security and confidentiality with the following key IG roles in place: Dr David Barclay – Caldicott GuardianColin Twomey – Senior Information Risk Officer (SIRO )Steve Clarke – IG Lead For specific queries in relation to any donor and fundraising data concerns you can write to John Summers - Donor Development Manager at the address below, by email to [email protected], or by calling 01323 434281. Donor Development ManagerSt Wilfrid’s Hospice1 Broadwater WayEastbourneEast SussexBN22 9PZ For queries relating to our trading company you can email to [email protected] Changes to this information notice Our privacy notices are reviewed a minimum of every 2 years and updated when there is a known change to our systems or processes. This information notice was last updated in October 2018.