We do this not just because we are legally required to do so in line with data protection regulations but because we believe it is the right thing to do and it is one of our four organisational Values which is to be “trusted with your information and your care and to be respected for our professionalism”.
Keech Hospice Care provides free, specialist care for adults in Luton and south Bedfordshire, and children from Bedfordshire, Hertfordshire and Milton Keynes, who have life-limiting and terminal illnesses.
We aim to support adults and children to live pain and symptom free, to spend untroubled time with their families and friends, to understand what’s happening to them, to stay out of hospital and to make the most of the time they have.
We raise funds through generous donations from our local community and supporters, and the sale of donated goods in our charity shops. In addition, a funding contribution is made by the NHS.
Keech Hospice Care is registered as a charity in England and Wales (registered charity number: 1035089) and we are also registered as a company limited by guarantee (registered company number: 2904446). We have two wholly owned business subsidiary companies which trade on our behalf: Keech Hospice Care (Trading) Limited (registered company number: 6941924) and Pasque Charity (Trading) Limited (registered company number: 2362985). Within the context of this notice, ‘we’ means both the charity and its subsidiaries. Each of these organisations is a data controller under data protection regulations.
Under data protection regulations, we are required to appoint a Data Protection Officer who ensures your information is handled securely at all times, in accordance with the law. Our Data Protection Officer is Paula Welsh, Head of Quality and Governance.
Should you wish to contact us about the way we use your information, you can contact our Data Protection Officer by telephone on 01582 492339, by email at email@example.com, or by post at: Keech Hospice Care, Great Bramingham Lane, Luton, LU3 3NT.
What information do we collect and how do we use it?
Personal information is any information that can be used to identify you, such as a name, address, telephone number, email address, or, more rarely, bank account details, NHS number, and even electronic identifiers such as your internet protocol (IP) address. The amount of information we collect and use about you will vary depending on your relationship to the hospice. We always make sure there is a legal basis in data protection law before we start collecting and using your information. The main legal bases we rely on are:
- Consent – Where you have given us clear and informed permission
- Contractual – Where there is a contract between you and us
- Legal obligation – Where a law says we have to
- Legitimate interests – Where it is necessary for our charitable aims and the benefits have been carefully balanced against respect for your privacy, your information rights and your expectations
Patients and service users
If you are a patient accessing care services, we collect information about your health and wellbeing in order to manage your care needs. This may include details about your diagnosis, medical history, medication, test results and notes from other care providers about the care and support they have given you in the past. This information is usually provided to us by other care providers who have referred you to our services. When you start accessing our services, we check this information with you to make sure it is accurate, and we ask your permission to continue sharing your health information with other care providers into the future, so that everyone involved in your holistic care has accurate details about you. The types of care providers we normally share with include GPs, hospitals, community nursing services, counsellors, therapists, social workers and care co-ordinators. We may also need to share some of your details with local NHS partners, such as Clinical Commissioning Groups, to support planning of local health services and funding. Where possible, information shared with NHS partners will be anonymised or pseudonymised to protect your privacy.
If you are a relative of a patient accessing support services, we collect information about your health and wellbeing in order to manage your support needs. This may include details about your emotional wellbeing, mental health, family circumstances and welfare entitlements. We will only collect this information from you directly, and we won’t share it with anyone unless you give us your permission.
We collect your health information on the basis of legitimate interests. Using this information enables us to deliver the best possible care to you and your loved ones, and improve our services going forward. You have the right to object to us collecting and using this information; however, it may not be possible to continue providing care and support services to you and your family without it.
We recognise your health information is sensitive and take great care to keep it secure. Only those who need to use your information to deliver effective and high-quality care are allowed access to it. This will include clinicians such as nurses, doctors and officers, but also non-clinicians such as administrators, auditors and data analysts. When sharing your information with other care providers, we make sure the recipient needs that information for care purposes before doing so, and only send it using secure channels.
Donors, supporters and customers
If you donate money or goods to us, or participate in fundraising or publicity activities in our aid, we collect administrative information about the support you have provided to us. This may include contact details, payment history (including bank details in some cases), communication history, event participation details, pledges you have made and publicity photos or case studies you have provided. This information is always given to us by you, either directly or indirectly (with your permission) via online giving services (such as JustGiving). We may share your fundraising information (but not publicity information) with companies who support us in our fundraising activities, such as mailing houses who are acting on our behalf to circulate our publicity materials. We will never sell your information.
If you are a customer in one of our retail shops, we will process your payment card details if you choose to pay by credit card or debit card. Your payment card details are only used for the immediate payment being made, and the details are destroyed immediately afterwards. Only trained staff and volunteers are allowed to handle your payment card details. We may ask you if you wish to register for GiftAid as a way of increasing the value of your donation. This can apply to either the monetary sales value of a stock donation, or a straightforward monetary donation. These are managed through two separate GiftAid systems. For your GiftAid registrations to be valid, we will require your name and address details. Information from GiftAid forms is only ever shared with HM Revenue and Customs.
To keep your information up to date, we may from time to time use publicly available sources, for example the Royal Mail’s National Change of Address Update if we get a piece of direct mail returned to us marked as gone away/not at this address.
To help build a snapshot of the type of people who support us currently or may support us in the future and to help us with our planning and fundraising, we may profile you or your company based on publicly available data, such as your demographics, your geographical location and, in rare cases, your estimated wealth. If you don’t wish to be included in this, you can opt out at any time by contacting us on 01582 707940 or firstname.lastname@example.org.
We collect your fundraising information on the basis of legitimate interests. Using this information enables us to build a lasting relationship with you and the community at large and make financial forecasts. You have the right to object to us collecting this information or restricting the way we use it, although this may limit the amount of fundraising you are able to do for us.
If you choose to support us by getting involved in publicity work, we collect your photographs and case studies on the basis of consent. Using this information helps us communicate our charitable aims to the public and build support. You can withdraw your consent for your photographs or case studies to be used at any time by contacting us. We will not use a photograph or case study for longer than two years without renewing your consent.
We like to keep our donors and supporters updated with news about the charity and upcoming events. If you would rather not receive marketing information from us, you can let us know at any time by contacting us directly on 01582 707940 or email@example.com. Alternatively, you can register your communication preferences with the Fundraising Preference Service. We will give you the opportunity to update your communication preferences whenever we send you marketing by email or post. If your preferences are not known to us and we do not hear from you for two years, we will assume you no longer want to receive marketing from us.
Staff and volunteers
If you work or volunteer for us, as a staff member or a volunteer, we collect information during your recruitment and ongoing work. This may include your contact details and those of your next-of-kin, bank details (for paying salaries or out-of-pocket expenses), personnel references and background checks, sickness and occupational health records, pension information and disciplinary records. This information is mainly provided directly by you but may be obtained from your manager or a past employer. We only share your work information when it is necessary for the fulfilment of your employment contract and to provide the benefits and support promised to you as a worker. For example, if you are a staff member, your bank details will be shared with our payroll provider, so your salary is always accurate and arrives on time. In order to comply with pension automatic enrolment legislation, we will supply our pension provider Aegon with information on all employees in order for them to make an assessment of pension eligibility.
We collect work information about paid staff on the basis of contractual obligation. Using this information enables us to comply with employment law and act as a responsible and supportive employer. In most cases you do not have the right to object to us collecting your work information, or restricting how we use it, because to do so would cause a breach of the employment contract between you and us. However, in the rare cases where you do have this right, we will inform you and give you the choice.
We collect work information about volunteers on the basis of legitimate interests. Using this information enables us to build a lasting relationship with you and maximise the benefits of your volunteering. You have the right to object to us collecting your work information or restricting the way we use it, although this may limit the ways in which you are able to volunteer for us.
During recruitment, you may be asked to provide sensitive personal details, such as your ethnicity, religious belief and sexual orientation. This information is collected solely for the purpose of equality monitoring, helping us ensure we have an inclusive and diverse workforce. Only authorised staff may access this type of information, and whenever it is used, we make sure it is kept anonymous. You are under no obligation to provide this information, and if you choose not to do so your application will not be affected.
Information about business associates
If you are a company who has a business relationship with us, we collect administrative information about your representatives, plus your payment details and history. This may include contact information, communication history and bank details. This information is always provided by you directly. We do not share your information with anyone externally, except our external financial auditors who may need to look at payment histories to carry out their regulatory audit.
We collect your information on the basis of purchase agreements, which are a type of contract. Using this information ensures the goods and services we are buying from you, or selling to you, are delivered in the agreed way and paid as required. You do not have the right to object to us collecting this information, or restricting how it is used, because you have already agreed to us having and using it as part of the purchase agreement.
Information about website visitors
We love cookies. And we think that you should too. Cookies are not just tasty snacks, but also very clever pieces of code that help us provide a better experience to you on our website. Cookies allow us to improve our website, in turn improving our fundraising to help us raise the £6 million needed each year to run the hospice.
There are four broad types of cookies:
- Necessary – Necessary cookies help make our website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies. These are set automatically. They contain no information about you as an individual.
- Statistics – Statistics cookies are used to track visitors on our website. They allow for reports to be generated on user behaviour, on what pages are accessed, interaction with the site and session duration, as well as general demographic data that is not personally identifiable. These are only set if you choose to ‘accept’ cookies to be set on your device.
- Marketing – Marketing cookies are used to track visitors across different websites, to measure the effectiveness of our advertising, and to display ads that are more relevant and engaging for you as a user on third party websites. These are only set if you choose to ‘accept’ cookies to be set on your device.
- Preferences – Preference cookies help store a user’s preferences after leaving a website. This is to help provide a better experience when they return, such as their language preferences. These are only set if you choose to ‘accept’ cookies to be set on your device.
You can learn more about cookies by visiting www.allaboutcookies.org.
As well as our own website cookies, we also use Google Analytics to allow us to track how popular our website is and record visitor trends over time. We analyse this data to help us improve the way that our website works and provide you with a better experience. Google Analytics uses a cookie to help track which pages are accessed. This information will only be shared with Google if you choose to accept cookies on our website. Find out more about Google Analytics.
Some of the pages on our website may have embedded features from third-party services, such as Facebook or YouTube. These services may collect their own cookies. For information about how these other third parties use their cookies, and how you can disable them if you wish, please refer to their own Privacy Notices, available on their websites.
We collect information from your cookies on the basis of consent. You can withdraw your consent at any time by updating your cookie preferences on our website. Your cookies will only last 30 days from the date you last visited our website, so we may need to ask for your consent again if you visit after this timeframe.
Keeping your information secure
We take the security of your personal information very seriously. All staff and volunteers who handle personal information are required to complete training on information security once per year at a minimum. We also carry out regular audits and inspections to make sure our security controls are effective and reliable. Within the organisation, access to information is controlled, so that no one can use personal information unless they have a business reason to do so. If information needs to be taken outside our premises, we take extra precautions to keep it as safe as we can. When information is no longer required, it is archived or securely destroyed in accordance with the law.
Only those who have been trained on the Payment Card Industry Data Security Standard (PCI DSS) are allowed to handle credit or debit card information. Credit and debit card details are used immediately and securely destroyed as soon as the payment has been processed.
Responsibilities and accountabilities for information security are clearly defined. As mentioned in the ‘Who we are’ section, we have a Data Protection Officer responsible for compliance with data protection regulations. We also have a Caldicott Guardian who is responsible for protecting people’s confidentiality, in accordance with NHS information sharing rules. Our Caldicott Guardian is Elaine Tolliday, Clinical Director. At the top, we have an Information Governance Lead, who is overall responsible for fostering a culture of information security throughout the organisation. Our Information Governance Lead is Liz Searle, Chief Executive Officer.
We value transparency and improvement. If we think your personal information may have been misused, we will investigate the incident and let you know about it. In the most severe cases, we may also notify regulatory bodies such as the Information Commissioner’s Office or the Care Quality Commission, as required by law. As a regulated healthcare provider, we have a Duty of Candour to inform you about mistakes, apologise for them, and support you while we work to resolve them.
Sharing your information
Where we have indicated information may be shared, we always ensure the people receiving your information uphold the same information security standards as we do. This will often be specified in writing as part of a contract or information sharing agreement. All staff, volunteers and agents of Keech Hospice Care are bound by strict duties of confidentiality.
In rare circumstances, we may be obliged to share your information without forewarning. For example, if we believe you may be at risk of harm or there is a public health risk, we may have a legal or professional duty to share information about you with the authorities. In all such cases, the sharing will be reviewed by our Caldicott Guardian and will only happen if they believe it is absolutely necessary. There may also be times when we are legally required to share information about you with the authorities. For example, if you come to harm due to a work-related accident at the hospice or one of our shops, we are required to give your name, address and age to the Health & Safety Executive under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations (RIDDOR).
We affirm here that your information will never be swapped, shared with or sold to any third parties for the purpose of marketing or monetisation.
Keeping your information
We only keep your information as long as is necessary for the purpose it was collected for. Depending on the details, your information could be used and securely disposed of very quickly, or it could be necessary for us to keep your information for many years to comply with archiving or insurance requirements. As a general guideline:
- Healthcare information about patients and other service users will be kept for eight years from the date of discharge or death, or in the case of children, until their 25th birthday, whichever is longer
- Financial information about donors, supporters, customers and suppliers will be kept for seven years from the date of last entry into the record
- Publicity photographs and case studies will be kept for two years from the date permission was granted to use them by the subjects
- Employment and volunteering information about staff and volunteers will be kept for six years from the date employment or volunteering ceases.
There may be exceptions to these timeframes, such as records of patients diagnosed with industrial disease which we have to keep for 40 years, and certain employment and incident records which we have to keep for 25 years.
A third party may be involved in the storage or destruction of your records. For example, we may use a company to digitise paper records so they can be retained more securely and easily, or we may use a company to bring shredding equipment to the hospice for secure disposal of paper records in bulk. Whenever we use a third party, the companies are vetted and are bound by contracts containing strict confidentiality and data protection requirements.
However long we need to keep information, we ensure that only the minimum amount of data required will be kept.
Your individual rights
Under data protection regulations, you have rights over how your personal information is used by others.
Right to access: You have the right to access the personal information we hold about you. If you wish to see it, you can submit a request to our Data Protection Officer (see ‘Who we are’ section for contact information) who will respond within one month. Depending on the nature of your request, we may need to seek further clarification from you or gain confirmation of your identity before the information can be provided.
Right to rectification: If the information we hold about you contains errors, you have the right for it to be corrected. We have measures in place to keep our information updated, but if you notice anything wrong with the information we are using, please let us know and we will update it as soon as we can.
Right to erasure: You have the right to request we erase the information we hold about you from our records if you think it is no longer required. Where possible, we will always comply with a request for erasure; however, in many cases it will not be possible to erase all information about you, because there may be legal or contractual reasons why we need to keep certain details. If any of your details cannot be erased, we will tell you and explain the reasons.
Right to restriction: If you think your personal information is being used for things it shouldn’t be, you have the right to request we stop using it that way. As with erasure, there may be legal or contractual obligations why we need to continue using information in particular ways.
Right to portability: There may be times when you want a particular portion of the information we hold about you to be moved or made portable. For example, if you’re an employee, you might want us to give you a list of all the training courses you have attended, to put on your CV perhaps. You have a right to receive information you have provided to us in a structured, commonly used and machine-readable format. This right only applies when the information has been collected and used on the basis of consent or a contract.
Right to objection: You have the right to object to us collecting and using your information when it is being done on the basis of legitimate interests, or for direct marketing, or research. We will inform you at the point we start collecting your information if this right applies. Any objections will be considered and complied with, unless there is a lawful exemption.
We will endeavour to inform you about your rights and uphold them at all times. If you believe we have infringed your rights, we encourage you to contact our Data Protection Officer who will work with you to resolve the matter in a way that satisfies both you and the law. If for any reason you are unable to resolve the matter with us, you can escalate your concerns to the Information Commissioner’s Office, who is the UK’s independent authority responsible for upholding information rights in the public interest.
Protecting children and vulnerable adults
As an organisation that cares for children and adults with life-limiting and terminal illnesses, we are acutely aware of the risks faced by children and vulnerable adults. All our staff are trained to notice the signs of vulnerability in children and adults and respond appropriately. Our fundraising staff work to the guidance issued by the Institute of Fundraising on treating donors fairly.
We take extra care to make the information we give to children easy to understand. When a child gives their consent for us to use their information, we double-check they have understood what they are consenting to, or we seek consent from those who hold parental responsibility for the child. Marketing will never be sent to a child unless they have expressly requested it and we have made certain they understand the implications.
When we collect and use information about children who have limited capabilities to understand, such as those who are very young or have a life-limiting condition affecting their development, we will ensure their parents understand and give the parents choices about how we use their child’s information. Unless we have reasons to believe otherwise, we presume that anyone over the age of 16 has the capability to understand and make their own decisions about how we use their information.
The recruitment of all volunteers under 18 years of age is subject to risk assessment and adequate support. The recruitment of all volunteers under 16 years of age would also require parental permission. This information will only be used by Volunteering staff and the child’s supervisor. In the event of a child participating in a scheme such as work experience, VInspired or Duke of Edinburgh, information may be required by the organiser of the scheme in relation to hours and tasks carried out and risk assessment processes. We do not employ anyone under the age of 16.
If you, or someone you know, wish to receive this privacy notice in a different format, such as large print, braille, audio recording, or translated into a different language, please contact us by telephone on 01582 492339, by email at firstname.lastname@example.org, or by post at: Keech Hospice Care, Great Bramingham Lane, Luton, LU3 3NT.
Changes to this notice
From time to time, we may need to change this notice in response to different ways of working, or new regulations. The version number and revision date at the bottom of this notice will tell you when it was last reviewed. As a matter of course, we will review the notice no less than once per year.
We will notify you if there are any substantial changes to this notice that could affect your information rights.
Version 2, last updated 29/01/2020