Privacy Policy

What personal information do we collect and process about you?

It is important for us to have a range of information about you to assist staff and volunteers in providing appropriate treatment, care and support plans to meet your individual needs safely and effectively.

If you are referred to one of our clinical or therapeutic services, we collect information related to your healthcare, treatment and support.

This information may include:

• Your name, address, phone number, email address, date of birth, NHS number.
• Healthcare and treatment records including for clinical and therapeutic services.
• Your GP details plus details of other healthcare professionals involved in your care and treatment.
• Sensitive information (special category personal data), such as about your physical and mental health, your sexuality, your racial and ethnic origins, your religion and your political opinions or philosophical beliefs. Incoming and outgoing voice recordings when we speak with you on the phone.
• We may also hold your image temporarily on our CCTV system if you have visited our premises.
• If you are a family member, next of kin, friend or carer of a service user or receive services directly from us, we may process your personal data and will always do so if you receive services directly from us.

The information we process about you can exist in different formats including paper records, electronic records such as images, voice recordings from our Advice Line, electronic patient health care records (SystmOne) and emails.

How do we collect / obtain your personal information?

We usually collect or obtain information from the professional referring you to our services and other healthcare professionals involved in your care and treatment such as your GP or District Nurse. This may include through the Somerset Integrated Digital electronic Record (SIDeR) or Somerset ICE OrderComms for diagnostic test results.

We also collect information directly from you through consultations and interactions to help us provide your care and support.

Your family, friends or carer may provide us with your personal information if they get in touch to update us on your welfare or seek advice about you.

Why do we collect and process your personal information?

Your personal information is used for several purposes including:

• Information relating to diagnosis, treatment, care and support to inform plans and decisions and ensure the best possible care and support for you.
• To enable us to review the quality of our services.
• To keep in touch with you about your appointments and healthcare.
• Medical research and educational purposes. This will generally be anonymised, other than where you have given specific informed consent for your identity to be processed as part of a particular piece of research.
• Planning and improving our services.
• Health, safety and security reasons.
• To investigate queries, complaints or legal claims
• To order medical supplies on your behalf and process payments.

Where appropriate we will anonymise personal data used for training and educating other health care professionals, health research and for statistical analysis of our activities, performance and outcomes.

What is our legal basis for processing your personal information?

The main legal bases we rely on to process your information for clinical care and support purposes are:

Public task – Article 6.1 (e) of the General Data Protection Regulations (GDPR) states ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. We can process your information where we are carrying out a specific task in the public interest which is laid down by law, such as, the clinical care and support we provide in line with the NHS Act 2006 as amended by the Health and Social Care Act 2012.

Preventative and Occupational medicine – Article 9.2 (h) of GDPR states ‘processing is necessary for the purpose of preventive or occupational medicine’. We use this legal basis to process ‘special category’ information relating to your health and other factors to decide how best to care for you and support you.

Are there other legal grounds that we can process your personal information under?

Our use of your information must be fair and balanced to ensure we consider your rights and interests as an individual and we communicate with you about things we legitimately feel will be of interest to you. We will only use your information in a way and for a purpose you would reasonably expect in accordance with this notice.

Other legal grounds we may use to process your personal information include:

Legitimate Interest – Article 6.1 (f) of the GDPR states ‘processing is necessary for the purpose of the legitimate interests of the hospice or a third party’. We might use this legal basis to contact a family member or carer in case of urgent need, or to send invitations to memorial events or offer spiritual or bereavement support. We must always balance your interests with our interests when relying on legitimate interests and you can ask us to stop processing this information at any time by contacting the Data Protection Officer.

Vital Interests – Article 6.1 (d) of the GDPR states ‘processing is necessary in order to protect the vital interests of the data subject or another natural person’. Where the data is of a sensitive nature, for example where we need to share health data in a medical emergency for the preservation of life, we may also rely on Article 9.2 (c) of the GDPR. After the emergency, we will always try to inform you about how we had to use your information in that extreme situation.

Legal obligation– Article 6.1 (c) of the GDPR permits processing where ‘processing is necessary for compliance with a legal obligation’. For example, this would cover our duty of care to you whilst you are on our premises under health and safety law. We ask visitors for their name at Reception, so we know who is on the premises in the event of an emergency. If you have an accident, we have a duty to maintain records for any legal claim.

Consent – Article 6.1 (a) of the GDPR states ‘the individual has given clear consent for you to process their personal data for a specific purpose’. This might include giving us consent to use photographs or stories for education and training purposes or for publications. If this includes data about your health, we will also rely on Article 9.2 (a). You may also give us explicit consent for us to use your clinical information in formal research projects, under Article 9.2 (a) of the GDPR. You may withdraw your consent at any time by contacting the Data Protection Officer.

Other – In exceptional circumstances we may process your information when the health or safety of others is at risk or there is an overriding public interest to do so. This includes actual or prospective legal proceedings, for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Wherever possible we will notify you of processing for these lawful purposes.

What would happen if we did not collect and process your personal information?

Without accurate, up-to-date information about your medical condition or welfare, prognosis, medication and treatment, we would be unable to deliver appropriate and safe clinical and therapeutic treatment and support that reflects your specific needs and preferences.

How long do we retain your personal information for?

Medical records are maintained for a minimum of 8 years after the conclusion of treatment and support.

Records relating to clinical research are retained for a minimum 15 years after the conclusion of treatment.

Who do we share your personal information with and why?

We share your personal data on a need-to-know basis within the hospice’s multi-disciplinary teams.

Where you have given your permission, we may share your health data with any representatives you may have such as next of kin, family members, carers or friends.

Your data is also shared with external healthcare and social care professionals involved in your care to ensure consistent, effective and safe ongoing care and support based on up-to-date information. This may include your GP, District Nurses, hospitals, ambulance services, pharmacy services and other organisations involved in, or funding, your care and support, such as Integrated Care Boards, and Somerset Council.

Some external healthcare organisations are able to access your records directly from our electronic SystmOne patient records. Where appropriate, information sharing agreements or arrangements are in place with these organisations to ensure your information is processed securely.

We may also share your information to:

• Assure and improve the quality of care, treatment and advice.
• Obtain translation services if English is not your first language.
• Safeguard children and vulnerable adults from harm.
• Assist in assessing and managing risks to you.
• Avoid duplication of information gathering.
• Investigate complaints or actual/potential legal claims.
• Assist teaching / staff development.
• Conduct research which is identifies data subjects.

We share information about your next of kin and family members with our Fundraising team so we can send invitations to memorial events and with our spiritual care and bereavement team to enable an offer of support to be made directly to loved ones.

What personal information do we collect and process about you?

We process a range of information about you depending on your role. This may include your:

• Name, address and contact details, including email address and phone number.
• Date of birth, sex and gender.
• Qualifications, skills, experience and employment history, including start and end dates, with previous employers and within the hospice.
• Nationality and right to work in the UK.
• Medical or health conditions including any disability for which we need to make reasonable adjustments or which is relevant to your use of our premises, including where we may need to make reasonable adjustments, create a personal emergency evacuation plan, or refer you for Occupational Health assessment and support.
• Relevant vaccination records.
• Diversity information including about your race, ethnic origin, sexual orientation, health and religion.
• Contract terms and conditions.
• Remuneration, including entitlement to benefits such as pensions or insurance cover.
• Banking details and national insurance number so that we can administer payments to you.
• Criminal conviction data.

Additional information we may process may include your:

• Marital status, next of kin, dependants and emergency contact details.
• Professional registration records.
• Schedule and attendance at work (days of work and working hours).
• Periods of leave taken, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave.
• Performance assessments, including appraisals, performance reviews and ratings, performance improvement plans and related correspondence.
• Education and training records.
• Disciplinary or grievance procedures in which you have been involved, including any correspondence or warnings concerning your capability or conduct.
• Confidential alerts from other regulatory bodies concerning your fitness to practice.
• Your image (temporarily) on our CCTV system.
• Information about driving licence, relevant health conditions and driving penalty points

How do we collect / obtain your personal information?

We collect information in a variety of ways, usually directly from you through:

• Application forms, CVs and information you submit to us when applying for paid or volunteer roles.
• Identity documents such as your driving licence, birth certificate etc.
• Forms completed by you to enable us to start your employee or volunteer role.
• Interaction with you or through correspondence, records of interviews, meetings or other assessments and recordings of meetings via Teams.
• Our CCTV systems operating for health and safety purposes on our premises.
• Telephone recordings, if your role involves providing health care and support.

In some cases, we collect information about you from third parties such as references supplied by former employers or character referees and information from criminal records checks agencies permitted by law.

The information we process about you can exist in different formats including paper records, electronic records such as in images, emails and other electronic systems including MS Teams recordings or other electronic systems such as the Hub, Talos recruitment system and volunteer management system. We may use artificial intelligence applications to transcribe meetings you attend.

Why do we collect and process your personal information?

Your information is used to manage your professional or volunteering role and facilitate effective general HR and business administration, including to:

• Operate effective recruitment processes to select suitable individuals for professional and volunteering roles.
• Exercise and document our rights and obligations in relation to employment, including pre-employment checks and onboarding processes.
• Ensure that professional registration and qualifications remain up to date. Ensure that mandated vaccinations are up to date.
• Manage our relationship with you and support you to ensure high standards of performance and conduct.
• Manage our workforce, undertake succession planning and create opportunities for career development.
• Ensure we can keep in contact with you, including in an emergency.
• Monitor performance and attendance.
• Ensure that pay and other benefits are administered including employee support and cashback services.
• Maintain and promote equality in the workplace.
• Ensure appropriate health, safety and security.
• Respond to and defend against actual or prospective legal claims.
• Provide references on request for current or former staff and volunteers.

What is our legal basis for processing your personal information?

The main legal bases we rely on to process your information are:

Contract – Article 6.1 (e) of the General Data Protection Regulations (GDPR) states ‘the processing is necessary for the performance of a contract to which [you are] party, or in order to take steps at [your request] prior to entering into a contract’. We can process your information when seeking to offer you a paid or volunteer role, for onboarding purposes and to ensure that you are paid in accordance with your contract, as well as to administer allowances and pension entitlements.

Legal Obligation – Article 6.1 (c) of the GDPR states that ‘processing is necessary for compliance with a legal obligation to which the Controller is subject.’ We use this legal basis to fulfil our legal duties, relating to your employments, such as entitlement to work and DBS checks and financial remuneration such as tax and National Insurance payments and pension information.

Legitimate Interest – Article 6.1 (f) of the GDPR states ‘the processing is necessary for the legitimate interests pursued by the controller or by a third party or the legitimate interests of a third party.’ We may use this legal basis for several purposes such as when you apply for a role with us, for maintaining certain kinds of records about you, capturing CCTV images to prevent and detect crime so that we can safeguard individuals using or visiting our premises and comply with health and safety procedures. When we rely on legitimate interests, we must first ensure that our interests are balanced against your interests and do not over-ride them.

Consent – Article 6.1 (a) of the GDPR says ‘that processing is lawful when [you[ have ‘given consent to the processing of [your] personal data for one or more specific purposes.’ This may apply to occupational health assessments or monitoring diversity information for equal opportunities purposes. You can decide whether to provide such information and there is no consequence of failing to do so. Where the processing involves ‘special categories’ of personal data, such as your race or ethnicity, sexual orientation, religion and disability status we also rely on Article 9.2(a) ‘explicit consent’.

Vital Interests – Article 6.1 (d) of the GDPR states ‘processing is necessary in order to protect the vital interests of the data subject or another natural person’. Where the data is of a sensitive nature, for example where we need to share health data in a medical emergency for the preservation of life, we may also rely on Article 9.2 (c) of the GDPR. After the emergency, we will always try to inform you about how we had to use your information in that extreme situation.

Employment, Social Security and Social Protection – Article 9.2(b) of the GDPR states that ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law’. We may use this to check your entitlement to work in the UK, ensure your health, safety and welfare and maintain sickness or maternity records, or to deduct trade union subscriptions.

Preventative or Occupational Medicine – Article 9.2 (h) specifies that processing can take place ‘if it is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee’. We would rely on this legal basis when seeking to understand any medical conditions you might have that require reasonable workplace adjustments or where we need to take health and safety considerations into account. We do this with your explicit consent as set out in Article 9.2 (a) of the GDPR.

Are there other legal grounds that we can process your personal information under?

In exceptional circumstances we may process your information when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so, including referrals to professional regulatory bodies. This includes legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. We will always do our best to notify you of this sharing.

What would happen if we did not collect and process your personal information?

You would not be able to undertake your role safely and efficiently and we would not be able to comply with our legal obligations if we did not collect your personal data.

How long do we retain your personal information for?

We hold your information for the duration of your employment or volunteering role. After the end of your contract, employment information is retained for a minimum of 7 years, volunteer information is retained for minimum of 3 years after leaving and only accessed for reference requests, subject access requests, or personal injury claims.

Data relating to unsuccessful applicants is retained for a minimum of 12 months.

What personal information do we collect and process about you?

We may process your:

• Name, address and contact details, including email address and phone number.
• Date of birth and gender.
• Financial details including credit, debit card and bank account details and eligibility for Gift Aid.
• Images captured on CCTV security systems operating on our premises.
• Where appropriate we may also ask for:
• Information relating to your health, for example if you are taking part in a high-risk event or sharing your story of care with us; or
• Emergency contact details when you are participating in one of our events.
• Your reason for making a donation to us; in particular whether you are donating in memory of someone who was cared for by us and your relationship with that person.

If you are a child (under 18), and have participated in a fundraising event, where there are no age restrictions, or made a donation to the hospice, you are entitled to the same rights as adult hospice supporters. We collect the same type of information about you as we do for over 18s, process it for the same reasons and hold your information in the same way. Your details are kept securely with restricted access and handled with the greatest respect for privacy.

Volunteers and Duke of Edinburgh participants under the age of 16 – we need authority from a parent or guardian if you volunteer for the hospice which will require sharing some of your personal data with them.

How do we collect / obtain your personal information?

We collect information in a variety of ways, usually directly from you when:

• You make a donation.
• Register for an event or course or sign up to receive our newsletter.
• Join our Weekly Prize Draw.
• Sign up to Gift Aid when you donate goods or book a furniture collection.
• Purchase merchandise or items for delivery.
• Volunteer for us.
• Share your story with us.

We may also obtain your data indirectly from:

• Cookies on our website – please see our Cookies and Web Privacy policy for further details.
• Your bank or the direct debit payment processor (e.g. Stripe or Access) for financial transactions relating to the hospice, including setting up standing orders, direct debits, or making a purchase or donation.
• An organisation working on our behalf or in partnership with usto promote our cause or fundraise professionally on our behalf.
• Event organisers such as the London Marathon or other online fundraising sites like JustGiving or Enthuse. (They will only pass this information on if you have given them permission to do so.)
• A friend or colleague if you have agreed to them giving us your details registering you for an event.
• Information you give us via social media platforms such as Facebook, X and Instagram. Companies like these use cookies within their systems which may, depending on your privacy settings, allow us to access some information from your accounts, such as, when you publicly tag us in an event photo.
• Universities if you are undertaking courses with us.
• Publicly available information from open sources to assist our Fundraising efforts.

Why do we collect and process your personal information?

Your information is used for several purposes, including to:

• Keep a record of your relationship with us.
• Provide you with the services, products or information you asked for.
• Process payments when you purchase goods for delivery.
• Administer a donation of money or goods or set up a regular gift or to support your own fundraising.
• Enter you into our Weekly Prize Draw.
• Register you for a fundraising or education event.
• Process payments or refunds.
• Update you on and process your Gift Aid.
• Contact you to tell you about news or events we believe you will be interested in based on your previous interactions with us. We will do this primarily through post, phone or email.
• Ensure you enjoy a first-class experience when dealing with us.
• Keep you connected to our cause, update you on our work and inform about how your support is having an impact.
• Gain a better understanding of our supporters to improve our fundraising methods, products and services.
• Manage how you want us to keep in touch with you.
• Ensure health, safety and security on our premises.
• Ensure we can comply with legal and regulatory requirements relating to our services and products, including where age restrictions apply.

What is our legal basis for processing your personal information?

Consent – Article 6.1 (a) states that ‘that processing is lawful when [you] have ‘given consent to the processing of [your] personal data for one or more specific purposes.’ We use this legal basis to contact you if you have opted in to receive information and marketing information from us, play our lottery, and for registration for events. We will also obtain your explicit consent for any electronic marketing under the Privacy and Electronic Communications Regulations. Your consent may be withdrawn at any time.

Legitimate interest – Article 6.1 (f) of the GDPR specifies that ‘the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests’. We use this basis to contact you about events and activities that we believe may be of interest to you. When we rely on legitimate interests, we must first ensure that our interests are balanced against your interests and do not over-ride them.

St Margaret’s will not rent, swap or sell your personal information to other organisations for them to use in their own marketing activities.

Are there other legal grounds that we can process your personal information under?

Other legal grounds we may use to process your personal information include:

Legal obligation – Article 6 of the GDPR states ‘the processing is necessary for you to comply with the law (not including contractual obligations), for example legal obligations to comply with HMRC. Should you have an accident at an event we have a duty to maintain records for any legal claim.

Contract – Article 6.1 (b) of the GDPR states ‘the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract’ such as, when you sign up to play our hospice Weekly Prize Draw, purchase merchandise through an online store or sign up for a fundraising or education event or course. Retail donors also enter a contract with us as we sell your goods via our shops and can then claim Gift Aid.

Vital Interests – Article 6.1 (d) of the GDPR states ‘processing is necessary in order to protect the vital interests of the data subject or another natural person’. Where the data is of a sensitive nature, for example where we need to share health data in a medical emergency for the preservation of life, we may also rely on Article 9.2 (c) of the GDPR. After the emergency, we will always try to inform you about how we had to use your information in that extreme situation.

In exceptional circumstances we may process your information when the health or safety of others is at risk, where the law requires it or there is an overriding public interest to do so. This includes legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. We will always do our best to notify you of this sharing.

How long do we retain your personal information for?

In most cases personal data is kept for a minimum of seven years after your last transaction with us if it has financial information connected with it. This would include donations, payments for a service or direct debit mandate.

If you have completed a Gift Aid declaration, we will retain your personal data whilst you are an active donor. HMRC require us to keep a copy for six full tax years after your most recent donation.

Who do we share your personal information with and why?

We may need to share your personal information with partner organisations with whom we run an event. We will always let you know this when you register for an event.

We also share personal data where we need to use other organisations to facilitate our activities or business process or who may process personal information on our behalf, such as a mailing house or printing company.

We may analyse or profile supporters on our database to ensure our communications are relevant and timely. We may analyse geographic, demographic and other information such as your previous support for the hospice, to better understand your interests and preferences. This may include wealth screening and we may share your personal data with external organisations including academic institutions who can help us identify individuals who may be interested in giving major gifts to charities or organisations like ours.

Specific companies we share your data with include, but may not be limited to:

• Access – processes direct debits on our behalf.
• Stripe – processes debit/credit cards.
• Organisations employing Weekly Prize Draw and regular giving fundraisers on our behalf.
• Combase – weekly prize draw players’ information is stored securely on St Margaret’s own server using password protected lottery management software for the purpose of maintaining players’ records and running the draws.
• Beacon – hosts our fundraising Customer Relationship Management data.
• Eproductive – provides the software for our retail database, runs our retail app, and supports our gift aid processing.
• A to B logistics and Instore – delivers goods purchased from our shops.
• Professional fundraisers – such as Ethicall who undertake occasional marketing and fulfilment activities on our behalf.
• Dotdigital – email mailing platform.
• Enthuse – fundraising platform that enables us to register participants for events.

We may also share your data with companies who maintain or update our software or assist in cleansing our records.

We have a legal duty to share personal data with other external bodies including HMRC, our auditors and other regulatory bodies.

Where we opt to share your data externally, we have confidentiality or sharing agreements in place to ensure that it is secure and protected.

Sharing your story

You may choose to tell us about your experience of St Margaret’s Hospice to help further our work. This may include you offering to share your story with the media or to support fundraising campaigns. Often this involves sharing sensitive personal information relating to your health and family life in addition to your standard contact information.

This information will be treated with strictest confidence. It will only be made public (through media work, at events, in materials promoting our fundraising work, or in documents such as our Impact Report) if you or your parent or guardian (if you are under 16) have explicitly agreed to this and completed our consent form. You may withdraw your consent at any time.

Your Communication Preferences

We want to ensure all information we hold about you is accurate and up to date so please do let us know if anything changes.

We follow the telephone preference service and will not contact you for marketing purposes if you are registered. We follow the Telephone Preference Service (TPS) and will not contact you for marketing purposes if you have registered with them.

You can change your marketing preferences or opt out of receiving email communication at any time by calling us on 01823 333822, emailing [email protected] or writing to us at St Margaret’s Hospice Care, Heron Drive, Bishops Hull, Taunton, Somerset TA1 5HA.

Withdrawing your consent to marketing communications does not mean we will never contact you. We may need to talk to you about administrative matters to process a transaction or for another business or legal reason.