Dove Cottage Day Hospice is a registered charity (1057941) that provides palliative care services to people living in Nottinghamshire, Leicestershire and Rutland. We are also a company limited by guarantee registered in England and Wales (3240240). We operate from two sites, Canal Lane, Stathern, Melton Mowbray LE14 4EX and Jubilee Lodge, Brooke Road, Ridlington, Rutland LE15 9AJ and also operate from a number of shop premises.
- POLICY STATEMENT
Dove Cottage Day Hospice (DC) is fully committed to protecting the privacy and rights of individuals, in accordance with the General Data Protection Regulation. Information about our supporters, patients, staff, volunteers, Trustees, Third Parties and others engaged with DC will only be processed in line with current law and in supporting DC processes. Personal data will be collected, recorded and used fairly, stored safely and securely and not disclosed to any Third Party unlawfully. The legally compliant treatment of personal information is a critical element of maintaining confidence and contributes to our success.
We collect personal data, e.g. name, postal and email addresses and telephone numbers when you give them to us for various purposes such as making a donation, signing up for an event or applying for a job or becoming a volunteer.
If you have been referred to DC as a patient (guest) you will also be asked for your date of birth, next of kin/main carer details and sensitive data such as medical history and ethnicity. If it is in your best interests to do so, this information may be shared with other health care professionals.
The Trustees are responsible for ensuring that this policy is published and accessible to all those mentioned who engage with DC.
This policy is effective from 25 May 2018.
This policy applies to supporters, patients, staff, volunteers, Trustees, Third Parties and those others who engage with DC, and explains how any personal information collected is used by DC in any regard.
We will only send you marketing information electronically (by email or text) if you specifically agree to us doing so.
We may send marketing information by post, unless you have previously opted out or said that you don’t want to be contacted.
If you ask us to stop sending marketing information, we will update our records with immediate effect.
You can change your mind at any time about how you wish to be contacted by emailing firstname.lastname@example.org or telephoning 01949 860303.
- GLOSSARY OF TERMS
Data Controller: The person or organisation who decides the purposes for which, and the way in which, any personal data is processed. The Data Controller is Dove Cottage Day Hospice, Canal Lane, Stathern, Melton Mowbray LE14 4EX who is committed to protecting and respecting your privacy.
Data Processing: Any operation, or operations, performed upon personal data, or sets of it, be it by automated systems or not. Examples include: collection, recording, organising, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing by transmission, disseminating or making available, aligning or combining, restricting, erasure or destruction.
Data Processor: A person or Third Party organisation, not being an employee of the Data Controller, which processes personal data on behalf of the Controller. DC staff, volunteers and Trustees are not Data Processors; they process data on behalf of the Data Controller.
Data Subject: An identified or identifiable natural person (an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or an identification number).
DBS: The Disclosure and Barring Service, which conducts statutory criminal screening checks for any DC staff or volunteers who will work with vulnerable adults.
GDPR: The General Data Protection Regulation.
Personal Data: any information about a natural person that makes them identifiable, such as (but not limited to):
- Names and contact information i.e. emails, addresses and telephone numbers
- National Insurance Numbers
- Employment details
- Credit History
- Personal tax declarations for DC donations
Sensitive Personal Data: personal data that requires additional protection, including genetic data and biometric data. For example (but not limited to):
- Medical conditions
- Religious or philosophical beliefs and political opinions
- Racial or ethnic origin
- Criminal convictions
Stakeholders: Supporters, staff, volunteers, Trustees, patients, Third Parties and others engaged with DC.
- PERSONAL DATA PRIVACY ACCOUNTABILITY AND RESPONSIBILITY
Personal data privacy is the responsibility of everyone who works on behalf of, or is engaged with, DC in any capacity, paid or voluntary, including third parties. In addition, DC has specific accountabilities and responsibilities for personal data privacy. Specific appointed roles have particular responsibilities as follows:
- Privacy Leader
Broadly these role holders carry out the following functions:
- Privacy Leader: To be knowledgeable regarding privacy law and to provide advice and counsel to DC Trustees, and other stakeholders, regarding policy, security and housekeeping. To advise Trustees on the appropriate response to data privacy enquiries. To speak with members of staff and others regarding data privacy as necessary and to act as the point of contact for DC privacy matters. Our nominated person for data protection is the Registered Manager, who can be contacted at the Stathern address.
- LAWFUL BASIS AND HOW DC MAY PROCESS PERSONAL DATA
DC, as Data Controller, is bound by the requirements of GDPR and may process personal data only where there is a ‘lawful basis’ to do so. The lawful bases on which DC relies include:
- Consent
- Legal obligation
- Legitimate Interest
As a part of providing quality services and for administering DC in all its legal and required functions, personal data may be processed for the following purposes (not limited to):
- Creating and maintaining the DC supporters’ database
- Patient healthcare records
- Payroll records
- HMRC & Pensions records
- Gift aid declarations
- Staff records
- Volunteer records
- Writing annual reports
- Minutes of Trustee meetings
- Conducting statutory checks with the DBS
- Statutory returns such as DC accounts and tax including Gift Aid
- Legal and regulatory compliance in any regard
- For the purposes of arranging or conducting training
- Inclusion on the DC website
- Reporting of crime
- Social media
- PERSONAL DATA ACCESS AND AMENDMENT
Access to Data: Requests by Data Subjects to obtain a copy of some, or all, of the information that DC hold about them will be responded to promptly and within one month of receipt of the request.
DC will make sure personal data held is accurate and up to date by regular periodic checks. Any inaccuracy will be promptly rectified.
Objections to processing of personal data: DC will respond positively to any objection to the processing of a person’s data. The only grounds on which DC will refuse a request to cease processing are that there are compelling legitimate grounds for the processing which override the Data Subject’s interests, rights and freedoms, or that the processing is for the establishment, exercise or defence of legal claims.
Data Portability: DC does not process personal data by automated means and is therefore unable to comply with requests from a Data Subject to transmit their personal data, in a structured, commonly used and machine-readable format, to another controller.
Right to be Forgotten: Should a request be received from a Data Subject for DC to completely delete all information that is held about them this will be complied with promptly and within one month of receipt of the request, unless there is any legal or regulatory hold on that personal data.
Change to Inaccurate Personal Data: Requests by Data Subjects to have any inaccuracy to some, or all, of their personal data, processed by DC, changed to reflect accurate information will be responded to promptly, and within one month of receipt of the request.
- PROCESSING THROUGH CONSENT
Where DC relies upon consent as the basis for processing, it will collect that consent, and periodically check that it is still current, so as to ensure that all consent is freely given, specific and easily withdrawn. DC will not rely upon pre-ticked boxes or implied consent; individuals will positively opt in. Children under 16 will require the consent of a verified parent or guardian for processing of their data.
- PRIVACY NOTICES
DC will post a Data Privacy Notice prominently in all DC properties. This notice will inform DC stakeholders in an easy to understand way how we intend to use their data, state how long we will keep their data and on what lawful basis we process personal data.
- SECURITY OF PERSONAL DATA HELD BY DC
DC takes the security of personal data entrusted to its care very seriously and takes all reasonable steps to safeguard it. The security of personal data is in two forms:
- Physical records
- Computer based records
Physical Records: All records containing personal data which are held in physical form, such as paper records, are held in a secure cabinet or cupboard with a substantial locking mechanism, within a secure internal room on DC premises, all with restricted access.
Computer based records: All records containing personal data which are held on computers will be limited to the computers of individuals who perform specific functions, authorised by the Trustees, in the management and administration of DC. All computers are password protected.
All DC computers are equipped with anti-virus protection and an enabled, up-to-date firewall.
Role holders are also expected to change their password on a regular basis, using alphanumeric passwords that include special symbols and do not contain personally identifiable information such as dates of birth.
General Security: DC will build protective measures into existing and new processing and retention of personal data, so that the GDPR requirements of ‘privacy by design’ and ‘privacy by default’ are adhered to as far as possible. DC will store personal data safely and securely and will hold only such data as is essential to fulfil the processing purpose. DC will not hold anything ‘just in case’ it may be needed for some undefined purpose. This applies equally to physical (paper) and computer records.
A Data Protection Impact Assessment will be conducted where a particular risk or vulnerability makes this necessary.
DC will maintain a handover process for changes of key role holders.
DC will maintain a ‘Business Recovery’ protocol for use in the event of any significant data loss which impacts a legal requirement or operational function.
- PERSONAL DATA RETENTION PERIODS AND DESTRUCTION
Personal data will be kept for no longer than is necessary or legally required, e.g.:
- Nursing records
- Annual reports
- Minutes of Trustee meetings
- Statutory returns such as DC accounts and tax including Gift Aid
- Income and expenditure records
- Consent forms under GDPR (12 months following the individual ceasing to be an active member of DC or 12 months following the original consent being replaced by a new consent)
- Criminal screening checks through DBS (6 months)
- Any records held under any Court Order or other legal or regulatory requirement (for the duration of the Court Order) (2 years)
- Previous staff and volunteer records (6 months)
- Unsuccessful staff applications (6 months)
- TRANSFERRING PERSONAL DATA TO THIRD PARTIES OR OUTSIDE OF THE EUROPEAN UNION
DC, from time to time, engage with third-party service providers, agents, subcontractors and other organisations for the purposes of completing tasks such as providing building supplies, utilities or maintenance. When we use third party service providers, we disclose only the personal information that is necessary to deliver these services and we expect them to keep personal data secure and not to use it for direct marketing purposes. Provision of personal data to such third parties affects only a very small number of DC people.
DC does not transfer any personal data to countries outside the European Union (“EU”).
DC will not use personal data to send stakeholders marketing material without their prior consent nor will personal data be shared for marketing purposes with companies so that they may offer their products and services.
- SOCIAL MEDIA
If you make comments or posts on social media (our Facebook or Twitter page, for example), then the rules of that platform apply, so please be aware that your comments or reactions could be made public.
If you add a comment to any of our own blogs or reviews, these will be shared with other users and the wider general public. So please don’t be offensive, insulting or defamatory. In addition, you’re responsible for ensuring that any comments you do make comply with relevant policies on acceptable use.
We don’t control Facebook and Twitter so please make sure you review the privacy notices as well as the terms and conditions of any social media platforms you use. It’s important that you understand what they do with your information – and it means you can adjust your privacy settings if you don’t want things shared or in the public domain.
We use Google Analytics to analyse how our website is used. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store this information. View Google’s privacy notice.
We use StatCounter to analyse the use of this website. StatCounter generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. StatCounter will store this information. View StatCounter’s privacy notice.
- PERSONAL DATA BREACHES
DC will protect against, investigate (as far as is possible) and, where necessary, report to the authorities any detected or reported data breaches. These include any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. DC will report certain types of data breaches to the ICO in accordance with GDPR (where required, within 72 hours of becoming aware of the breach) and, in some cases, to the individuals concerned. All processors of DC personal data will be educated on personal data breach avoidance, and on what to do in the event that a breach occurs. Examples of personal data breaches may include:
- Emails and attachments being sent to the wrong person
- Loss or misuse of a memory stick (USB drive)
- Malware attack
- Equipment or data theft
Where a Data Subject feels that their personal data has been processed in a way that does not meet the GDPR, they have a specific right to lodge a complaint with the relevant supervisory authority. The supervisory authority will then tell them of the progress and outcome of their complaint. The supervisory authority in the UK is the Information Commissioner’s Office.
All Trustees, staff, volunteers and others who process data for DC will complete basic GDPR awareness or a training course, approved by the Trustees, within three months of appointment.
- AUDIT AND RECORD DESTRUCTION
Destruction of all records which exceed the stated retention periods will take place on a rolling basis. This will be conducted by secure shredding, using local arrangements, or other equivalent secure destruction, and will be verified to the Trustees and the Privacy Leader by those completing the destruction.
The Trustees will additionally ensure that an annual GDPR-compliant privacy audit is conducted in May each year, with related housekeeping and destruction of personal data records held beyond the periods stipulated in this Policy. This audit will be verified by all processors of DC personal data and noted in the Minutes of the next Trustee meeting.
- WHAT ARE YOUR RIGHTS?
Right of access: You have a right to ask us to confirm whether we are processing information about you, and to request access to this information.
Right to rectification: You may ask us to correct data about you that is inaccurate or incomplete.
Right to portability: You can ask for the personal data you have provided to us in a structured, commonly used and machine-readable format so that it can be transmitted to another controller (see Data Portability above for the limits on this right).
Right to be forgotten: If there is no legitimate reason for us to hold your data, you can ask for it to be securely deleted.
Right to be informed: You can ask us why and how your data is being used, where it is stored and who it is shared with.
Right to restrict processing: You can ask us to limit how your data is used, except where we must process it for legal reasons.
- HOW TO CONTACT DC
DC points of contact for privacy matters are as follows:
- By email: email@example.com
- Or write to The Registered Manager, Dove Cottage Day Hospice, Canal Lane, Stathern, Melton Mowbray, LE14 4EX
- Telephone 01949 860303 and ask to speak to the Registered Manager.
- POLICY DOCUMENT CREATED
- 1 May 2018 by Chris Gatfield
Review date May 2019