Privacy Notice St Michael’s Hospice (May 2018)
At St Michael’s Hospice, we are committed to protecting your personal information and privacy. This Privacy Notice describes how we collect and use personal information. We aim to be clear when we collect your data and not to do anything you wouldn’t reasonably expect.
We may make changes to this Privacy Notice from time to time so please check back periodically. We will notify you of significant changes by placing a notice on our website.
By visiting our website, using our services or participating in our activities, you agree to your personal information being collected and used in the manner set out in this Privacy Notice as updated from time to time.
This Privacy Notice is not exhaustive and we are always happy to provide any additional information or explanations where needed. Please contact Quality and Compliance by email, telephone or in writing, using the contact details below:
Quality and Compliance
St Michael’s Hospice
Telephone: 01432 851000
This Privacy Notice applies to all information held by St Michael’s Hospice relating to individuals, whether you are a patient, service user, member of staff, volunteer, supporter or contractor.
For staff,volunteers and job applicants
This explains why information about you is collected, how we keep it secure and confidential, how your information may be used and how you may gain access to your own records.
Who are ‘staff’
‘Staff’ for the purposes of this section include: applicants, employees, other workers (including agency, bank and contracted staff), volunteers, trainees and those carrying out work experience.
Why do we collect information about you?
We will only process your personal data where we have your consent or where the processing can be legally justified under UK law. These include circumstances where the processing is necessary for the performance of staffs’ contracts with us or for compliance with any legal obligations which applies to us as your employer. This includes, but is not limited to:
- Staff administration (inc. payroll and pensions)
- Education, training and development • Information and database administration
- Business management and planning
- Accounting and auditing
- Criminal prosecution and prevention
- Health administration and services
- National fraud initiatives
- Quality monitoring (such as staff surveys)
By signing your contract with the Hospice, you consent to us holding and processing any information about you which you provide to us, or which we may acquire as a result of employment.
How do we collect information about you?
Your information can be collected through a variety of means either directly from you i.e. via your application form or HR record. Alternatively it may come from external sources such NHS Jobs, previous employers, referees or from government bodies such as HMRC or the Disclosure and Barring Service.
What information do we collect?
The information that we collect about you may include details such as:
• Name, address, telephone, email, date of birth and next of kin/emergency contacts
• Recruitment and employment checks (i.e. professional membership, references, proof of identification and right to work in the UK, etc)
• Bank account and salary/wages, as well as pension, tax and national insurance details
• Trade union membership
• Personal demographics, including gender, race, ethnic origin, sexual orientation, religious or other beliefs, and whether you have a disability or require any additional support or adjustments for your employment
• Medical information relevant to your employment, including physical health, mental health and absence history
• Information relating to your health and safety at work, and any incidents or accidents
• Professional registration and qualifications, education and training history
• Information relating to employee relations (i.e. disciplinary proceedings, grievances and complaints, tribunal claims, etc) Depending on the position you hold with us, we may also collect information in relation to any current or previous criminal offences.
How do we keep your information secure?
Everyone working for the Hospice has a legal duty to keep information about you confidential and secure.
The use of information is strictly controlled and used by us in accordance with the Data Protection Act 1998, the Human Rights Act 1998, the General Data Protection Regulations, and the common law duty of confidence.
Electronic data is transferred either via internal secure networks or by encrypted file transfer methods.
We will not disclose your information to third parties without your permission unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.
We will only ever use information about you if others have a genuine need for it, and following assurances that the same safeguards on confidentiality and security are in place.
Anyone who receives information from us is also under a legal duty to keep it confidential and secure.
Do we share your data?
There may be some circumstances in which we will share your data for example, if we received a reference request.
To support you in your employment and to enable us to meet our legal responsibilities as an employer, sometimes we will need to share your information with others.
All information sharing with third parties is covered by a sharing agreement to ensure that only relevant information is shared, and this is done in a secure way which complies with the law.
We will not share your non-anonymised data with any other party without your consent unless there is an express legal obligation to do so. An example may be for the prevention of crime and disorder.
Sometimes we are required by law to disclose or report certain information, which may include details which identify you. For example, sending statutory information to government organisations such as HM Revenue and Customs, or releasing information to the police or counter fraud.
Where mandatory disclosure is necessary, only the minimum amount of information is released.
There may also be occasions when the Hospice is reviewed by an independent auditor, which could involve reviewing randomly selected staff information to ensure we are legally compliant. You have the right to refuse (or withdraw) consent to information sharing at any time (unless required under a strict legal basis).
Only organisations with a legitimate requirement will have access to your information and only under strict controls and rules. We will not sell your information for any purpose, and will not provide third parties with your information for the purpose of marketing or sales
What can I do?
St Michael’s Hospice is under a legal obligation to ensure that your information is accurate and up to date. In order for us to do this, please advise us of any updates to your personal information as soon as you become aware. This can be completed on Cascade, via HR or by giving those new details to your line manager.
Under the General Data Protection Regulations 2018 you are entitled to: ask for information about you that you believe to be incorrect, to be corrected; to have your information erased; or the processing of your information to be restricted.
Please note, this right may be overridden where there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires information to be shared. If you require an opt-out form then please contact the HR team on 01432 851000 or email: HR@smhospicehereford.org
How can I access my staff records?
You can access the information we hold about you by submitting a subject access request. This can be done by sending a letter to:
St Michaels Hospice
or by sending an email to: firstname.lastname@example.org
In some instances your right to view all of your records may be limited e.g. if relating to a third party. If these conditions apply, an explanation will be provided to you.
Where can I find out more information?
If you require any assistance or further information on the contents of this leaflet or on any matter relating to your information then please contact the: HR Team on 01432 851 000 or email: HR@smhospicehereford.org or the Quality Team on 01432 851 000 or email@example.com
You can also contact the Information Commissioners Office for more guidance on the Data Protection Act at https://ico.org.uk/
In this Privacy Notice, “St Michael’s Hospice” means St Michael’s Hospice (registered charity no 511179 and company limited by guarantee (registered company 1634942) and/or St Michael’s Hospice Trading Company Limited (registered company 06545386), whose registered offices are at Bartestree, Hereford, HR1 4HA.
How do we collect personal information?
We collect personal information about you when you interact with us (e.g. by phone, letter or online), register with us, enquire about our activities, make a donation to us, fundraise on our behalf, participate in an event, buy from our shops or order a product, enter our Lottery, tell us your story, apply to work or volunteer with us, visit our website or otherwise provide us with your personal information.
What is personal data?
Personal information is any information that can be used to identify you. For example, it can include information such as your name, date of birth, photo or video image or voice recording, email address, postal address, telephone number and credit/debit card details, as well as information relating to your health or personal circumstances.
Data Protection law recognises that certain categories of personal information are more sensitive. This is known as sensitive personal information and covers health information, racial or ethnic origin, religious beliefs or other beliefs of a similar nature, political opinion and trade union membership.
What personal information do we collect?
Personal information we collect about you may include your name, postal address, email address, phone numbers, photo or video image or voice recording, date of birth, credit or debit card details, and whether you are a taxpayer so that we can claim Gift Aid.
We do not collect “sensitive personal data” about our supporters unless there is a legitimate reason for this (e.g. if you participate in an event for which we may need to provide support, to ascertain what services are relevant to you or to cater other services and support to you). Before collecting any sensitive personal information about you we will make it clear to you what information we are collecting and the purposes for collecting it.
The Hospice processes several different types of information:
Identifiable – containing details that identify an individual. This may include but is not limited to such information as name, address, NHS number, full postcode, date of birth.
Pseudonymised – information where individuals can be identified by using a coded reference which does not show their ‘real world’ identity.
Anonymised – information about individuals with identifying details removed.
Aggregated – statistical information about a group of individuals that has been combined to show general trends or used for benchmarking purposes.
Our records may be held on paper or in electronic computer systems.
We also collect information about how our website is used and track which pages users visit when they follow links in St Michael’s Hospice emails. We use this information to monitor and improve our website, services and activities e.g. to personalise website presentation or to see which services or events are of most interest. Where possible we use anonymous or aggregated data that does not identify individuals. See further information about cookies below.
CCTV – crime prevention and/or staff monitoring
CCTV is used for maintaining the security of property and premises and for preventing and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.
Legal obligations to collect and use information
In the circumstances where we are required to use personal identifiable data we will only do this if:
The information is necessary for your direct healthcare.
We have received written consent from you to use your information for a specific purpose e.g. employment, volunteering, fundraising, lottery membership etc.
There is an overriding public interest in using the information e.g. in order to safeguard an individual or to prevent a serious crime.
There is a legal requirement that will allow us to use or provide information e.g. a formal Court order or subpoena.
We have permission to do so from the Secretary of State for Health to use certain confidential patient identifiable information when it is necessary for our work.
Emergency Planning reasons such as protecting the health and safety of others. Typically, these relate to severe weather, outbreaks of diseases e.g. seasonal flu, and major transport incidents.
How do we use personal information?
- How we use your information will largely depend on why you are providing it.
- We use the personal information collected from users for a number of purposes, including:
- To give you the information, support, services or products you have requested.
- To gain a full understanding of your situation so we can develop and offer you the best possible personalised care.
- To provide further information about our work, services, activities or products.
- To process donations or payments we have received from you.
- To further our charitable aims, including for fundraising activities.
- To fulfil sales made online or through our shops.
- To claim Gift Aid on your donations.
- To keep a record of your relationship with us and for internal administrative purposes (such as accounting and records), and to let you know about changes to our services or policies.
- To look into, and respond to complaints, legal claims or other issues.
- To invite voluntary participation in research or surveys.
- To register, administer and personalise online accounts.
- To register and administer your participation in events for which you have signed up.
- To analyse and improve our work, services, activities, products or information (including our website) or for our internal records;
- To use IP addresses and monitor website use to identify locations, block disruptive use, record website traffic or personalise the way information is presented to you.
- To process your Lottery membership and ensure compliance.
- To process your application for a job or volunteer role with us.
- For fraud prevention, credit risk reduction or otherwise as required by law or regulation.
- We may also use your personal information for other purposes which we specifically notify you about and, where appropriate, obtain your consent.
- We may analyse your data for research purposes to improve our services, or to try to understand your preferences in order to contact you in the most appropriate and relevant way.
When you use our secure online donation or payment pages you will be directed to a specialist supplier company, who will receive your credit card number and contact information to process the transaction. We do not retain your credit or debit card details.
With your consent, we may use your information to send you communications about our work and how you can help us to help you, for example, information about our developments, volunteering and fundraising activities and how you can donate to us. You can let us know if you would prefer not to receive these communications at any time by emailing firstname.lastname@example.org, calling us on 01432 851000, or writing to our Data Protection Lead at the address above.
What is the Shared Care Record?
The Shared Care Record is a way of bringing together all your separate records from the different organisations involved in your health and care. It’s confidential and different to anything you might have heard of before.
It will let health and care professionals see relevant information about the care and treatment you’ve had across all services.
We know you only want to tell your story once when receiving care from any health or social care organisation across Herefordshire and Worcestershire. That’s why we’ve developed the Shared Care Record.
Who will be able to look at my information – and what will they see?
The first phase of the Shared Care Record will allow health and care professionals to view appropriate information contained in:
- your GP practice medical record
- information from secondary care, including hospitals, mental health and community services
- radiology and pathology results
- maternity records.
Being able to see this information will help them give you the best care as quickly as possible without having to make phone calls or wait for other organisations to forward details on.
Some of their administrative and secretarial staff will also be able to see information so they can support the professionals. An example would be to send you an appointment letter.
All staff must follow the law on keeping your information confidential. Each time they look at your records this will be recorded to make sure they’re only looking at the right information, for the right reasons.
We’ll bring together information from GPs and allow it to be seen by health professionals in hospitals, including Emergency Departments. If needed, we’ll let the Nightingale Hospital (the hospital set up to help manage COVID-19) see it. And we’ll add information from community and social care, ambulance and NHS 111 services.
We’ll carry on developing the Shared Care Record, allowing professionals across more health and social care settings to see information to support your care. We’ll also help services understand and find the best ways to meet people’s care needs.
There are strict rules around how we use your information. As part of this work, we’ll make sure it’s managed and viewed appropriately and in line with all legal requirements, including the General Data Protection Regulation and the Data Protection Act 2018. Official inspections, or audits, will check this is the case.
Which organisations are involved?
The organisations currently taking part in the programme are local health and care services:
- GP practices in Herefordshire and Worcestershire
- Worcestershire Acute Hospitals NHS Trust
- Wye Valley NHS Trust
- Herefordshire and Worcestershire Health and Care NHS Trust
- West Midlands Ambulance Service University NHS Foundation Trust
- Worcestershire County Council
- Herefordshire Council
- St Richards Hospice
- Primrose Hospice
- Kemp Hospice
- St Michael’s Hospice
What do I need to do?
You don’t need to do anything. For anyone who is registered with a GP in Birmingham and Solihull, Coventry and Warwickshire, or Herefordshire and Worcestershire, the change is taking place automatically as we now switch on the Shared Care Record across the organisations taking part in the programme.
As we now have the capability to include the details of people under the age of 18, their records will also be available for health and care professionals to view through the Shared Care Record.
The benefits to you include:
- not having to repeat your details every time you need care
- better and, potentially, faster treatment as the professionals caring for you will be able to quickly see your records
- not having to explain your social care support to health professionals
- clinicians being able to see what medications you’re taking, what you’ve taken in the past, and if you have any allergies – making your treatment safer
- more effective treatment should you need care for COVID-19, thanks to the fast availability of information about any pre-existing conditions you might have and your medications.
Can I say no to this?
Yes, you have the right to object at any time if you are 16 years of age or older.
From the age of 13 to 16, we will consider your right to object if your form has been signed on your behalf by someone with parental responsibility.
If it has not, we will ask a recognised health or care professional if they consider you to be competent to make such a decision.
If you are under the age of 13, we will only consider your right to object if your form has been signed on your behalf by someone with parental responsibility.
We don’t recommend objecting, as information that could be vital when you need health or social care support – for instance, during a visit to a hospital Emergency Department – might not be immediately to hand as a result.
Objecting will mean the services giving you care will be unable to view your records from other services.
However, the decision is entirely yours. If you do want to object, details on how to do this can be found on our Right to Object page.
Please note, the Shared Care Record is different to anything you might have said no to before. So, if you don’t want your records to be available to view through it, you’ll need to object.
Shared Care Record FAQs can be found here: https://herefordshireandworcestershireccg.nhs.uk/health-services/shared-care-record/shared-care-record-faqs
If you still have questions you can email us at: email@example.com or by calling 0345 6461163.
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the General Data Protection Regulation (2018), the Common Law Duty of Confidentiality and the Human Rights Act 1998. The various laws and rules about using and sharing confidential information, with which St Michael’s Hospice will comply, are available in “A guide to confidentiality in health and social care” which is published on the NHS Digital website.
St Michael’s Hospice is a Data Controller and under the terms of the Data Protection Act 1998 and the General Data Protection Regulation (2018) we are legally responsible for ensuring that all personal confidential data that we collect and use i.e. hold, obtain, record, use or share about you is done in compliance with this legislation.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z5391512 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website (https://ico.org.uk/).
Everyone working for St Michael’s Hospice has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, volunteers and Senior Management Team receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. All staff are trained to ensure they understand how to recognise and report an incident ensuring that the organisation’s procedure for investigating, managing and learning lessons from incidents.
We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. The Hospice’s Records Management Policy includes guidance around the secure destruction of information in line with the Code of Practice.
It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act. We will never sell any information about you.
Confidentiality advice and support
St Michael’s Hospice has a Caldicott Guardian who is a member of the Management Team responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing. Further information about the role of the Caldicott Guardian is available on request.
We will not use your information for other purposes without your permission. If you tell us about your own experience with terminal illness or the experience of someone else, we will explain how we will use that information. If you don’t want to use such information for other purposes or change your mind at any time, it will not affect any services we provide.
Privacy and our social media sites
Our social media sites are moderated and we do not display the full names of individuals (without their express permission) nor addresses.
When you post personal information on one of our social media sites or other messaging board on our websites, your information is publicly accessible. Such information can be viewed online and collected by third parties. We are not responsible for the use of information by such third parties.
When contributing to a social media site we strongly recommend you avoid sharing any personal information that can be used to identify you (such as your name, age, address, name of employer etc). We are not responsible for the privacy of any identifiable information that you post on our social media sites or other public pages of our websites.
Using our website
What information we may collect via our website:
Form submissions, for example registering interest for events, feedback forms and information requests.
Subscribing to receive communications from St Michael’s Hospice such as fundraising, education or other event updates.
Details of your visits to our site, including which pages you visit and what you do.
Shop, Tickets, Donations and Tribute microsites:
Personal information, such as but not limited to name, email address, billing and shipping address, when making a purchase or donation.
Details of transactions you carry out through our site and of the fulfilment of your orders.
Ticket registration details.
Third party software
Our third parties who receive data – directly or indirectly – from our website include:
The Raiser’s Edge – Customer Relationship Management (CRM) platform for our fundraising department. You can find their Privacy Shield Certification Notice here:
Online Express – event management software for our events
ComBase for our Lottery administration. You can find their Data Hosting and Processing Policy here.
E-productive for the processing of our Retail Gift Aid. You can find their Data Hosting and Processing Policy here.
What information is collected directly via third parties on our behalf:
Personal information such as name, registration details, billing and shipping address, when purchasing an events place (Online Express)
Personal information such as name, address and interests when registering to receive events updates (Online Express).
Personal information such as name, address, tax information when registering for Retail Gift Aid. (E-Productive).
Links and third parties
This policy only applies to St Michael’s Hospice and its subsidiary company, so when you go through to our partner companies (e.g. to donate or pay in the shop) please read their own privacy policies.
If you’re 16 or under
If you’re aged 16 or under, you must get your parent/guardian’s permission before you provide any personal information on our websites.
The Data Protection Act gives you certain rights over your data and how we use it. These include:
The right to have inaccurate personal data rectified.
The right in certain circumstances to have personal data blocked, erased or destroyed.
The right to prevent your data being used for direct marketing.
The right of access to a copy of the information we hold about you (known as a subject access request).
You have the right to privacy and to expect St Michael’s Hospice to keep your information confidential and secure.
You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
If you wish to exercise any of these rights please contact the Data Protection Lead in writing using the details below:
St Michael’s Hospice, Bartestree, Hereford HR1 4HA. Or email: firstname.lastname@example.org
For more information about your rights under the Data Protection Act go to the website of the Information Commissioner’s Office at https://ico.org.uk
St Michael’s Hospice aims to make sure that all their service users receive the best quality of care and service. We welcome comments, suggestions and complaints because they can be invaluable in achieving improvements in all our services. We will take them seriously, investigate carefully and report back fully.
What is a cookie?
A cookie is a simple text file of letters and numbers that is stored on to your computer or mobile device by a website’s server when you access certain websites. Only that server will be able to retrieve or read the contents of that cookie.
Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers
What does a cookie do?
A cookie is like a door key – cookies unlock a computer’s memory and allow websites to recognise users when they return to that particular site.
Cookies do many different jobs, like letting you navigate between pages efficiently, storing your preferences and generally improving your experience of a website. Cookies make the interaction between you and the website faster and easier.
Cookies have limited functionality and cannot browse or scan your computer or dig for information. Users always have the option of accepting or denying cookies.
Information received via web cookies is used to enhance your experience of our site and microsites, ascertain whether the website is functioning correctly and for logged-in members to ensure access to entitled resources.
The cookies we use are predominantly ‘analytical’ cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our web site when they’re using it. This helps us to improve the way our website works, for example by making sure users are finding what they need easily.
We have enabled Google Analytics Demographics and Interest Reporting so we better understand our demographics and our website users’ interests.
More information on Google Analytics can be found on Google’s support website https://support.google.com/analytics/answer/6004245
What to do if you don’t want Cookies to be set
Some people find the idea of a website storing information on their computer or mobile device a bit intrusive, particularly when this information is stored and used by a third party without them knowing.
The cookies St Michael’s Hospice use are harmless and we do not use them for advertising that has been targeted to your interests.
However, if you prefer, it is possible to block some or all cookies, or even to delete cookies that have already been set; but you need to be aware that you might lose some functions of the St Michael’s Hospice website.
You can control which types of cookies you allow by turning cookies on or off in your web browser’s settings. You can also delete cookies by clearing your browser’s cookie cache (history).
To find out how to turn cookies on and off in your browser, click on the relevant browser link below.
- Google Chrome*
- Internet Explorer*
- Safari IOS (iPad, iPhone, iPod Touch)*
- Google Android*
If you have any questions or concerns about the cookies we use, please email: email@example.com.