Each privacy statement outlines why, how, what, where and for how long Dorothy House processes (collects and uses) your personal data, including details of any sharing of data with third parties.
The General Data Protection Regulation (GDPR), introduced in May 2018, provides six lawful bases under which personal information can be processed, and we have highlighted in each privacy statement which lawful bases apply. In particular, we have highlighted where data is collected and used on the basis of “legitimate interest”. This means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis.
Dorothy House is registered as a Data Controller with the Information Commissioner’s Office (ICO) and our ICO registration number is Z7289749. Our Data Protection Lead is Tony De Jaeger, who is our Deputy Chief Executive and Finance Director. Our Caldicott Guardian is Penny Agent, Care Services Chief Operating Officer.
If you have a general query about data protection or would like to make a Subject Access Request as outlined in the ‘Your Rights’ section, please contact info.governance@dorothyhouse-hospice.org.uk or call 01225 722 988.
If you are not happy with the way we have handled your data, and are unable to resolve the issue with us personally, you can complain to the ICO: https://ico.org.uk/make-a-complaint/
The privacy statements may be updated from time to time and we will alert you to any significant changes on the pages of this website.
The latest version will always be available here.
Patients, families and carers
Why do we collect personal information about patients, families and carers and how do we use it?
Personal information about patients, including information about other health and social care professionals and family and friends involved in providing support and care, is essential in enabling us to provide the care required and to ensure that the needs of patients and their family members and carers (ie close friends) are at the centre of all the care we provide. The lawful basis for collecting and using information to provide care to our patients, families and carers is “public task” ie the information is fundamentally necessary for us to provide our care. The fact that we are providing health and social care permits us to handle sensitive personal data. This lawful basis permits us to:
- Co-ordinate the care that we offer – both within our Dorothy House team and externally
- Offer wider Dorothy House support to a patient’s family members, including in bereavement
- Provide information to the NHS and other commissioners with whom we hold service contracts
- Audit, evaluate and develop our services.
Different levels of information are held depending on the extent of Dorothy House input.
What personal information do we collect about our patients, families and carers?
Based on the data processing reasons outlined above, we may collect all or some of the types of information below to help us provide the best care possible:
- Basic details including name, postal/email address, telephone number, date of birth/death.
- Demographic, equality and diversity data.
- Medical information including NHS number, detailed medical records, prescribed medications, investigation results and information from other professionals involved in care, patient/client service activity.
Other information includes personal and social history and documentation of consultations. Interactions with family members/carers are usually recorded within the patient’s record, but if a family member or carer is receiving more involved support from Dorothy House then a record will be created in their own right as a ‘client’ record – we will ensure that they are aware of this.
Some people will only attend group sessions, using our ‘Open Access’, but we are still providing a health and social care service. We therefore create a record for each person who attends one of our groups and we will update this with attendances and any relevant clinical notes.
Where do we store patients’, families’ and carers’ information and for how long?
Patient and ‘client’ data is stored on our electronic patient record system called SystmOne. This is a secure clinical database used by many other health and social care providers including GPs in our area. SystmOne data is hosted off-site within the European Economic Area (EEA) which gives a high level of security as all data processed within the EEA is covered by the General Data Protection Regulations.
Under current data protection legislation, all organisations involved in a patient’s care have a duty to ensure that information held about them is accurate, up to date and kept secure at all times. Access to records can be audited and can always be traced back because users log in using unique identifiers and secure access methods.
Currently, SystmOne is not able either to archive or delete patient records as it is a system shared across many health and social care organisations. However, when a record of a patient who has died or has been discharged is accessed after 52 weeks from date of death or discharge, a reason must be provided and the system tracks access to these records.
Access within the Dorothy House team is on a need-to-know basis. Where volunteers are providing care and support they are regarded as part of the Dorothy House team. All staff and volunteers with access to confidential personal information receive information governance training.
Using cameras or other recording equipment during treatment and care
At Dorothy House Hospice Care (Dorothy House) we promote the open and honest recording of consultations or conversations with healthcare professionals.
Where this is done with everybody’s agreement, we believe this benefits the patient and the healthcare professional by:
- enabling patients to remember important advice, particularly where there are language barriers
- providing a copy of the consultations when patients may have been distressed
- giving patients more time to process information
- helping patients and their family members where patients may be experiencing memory loss or have some cognitive impairment
- including patients’ family members in their care and decision making
- helping patients to remember if the information is particularly complex
- helping to set family members’ minds at ease about the care received, or even helping to identify poor care or abuse.
To achieve this, we will work with you to ensure that:
- any recording is done openly and honestly with the express permission of the patient
- the recording process itself does not interfere with the consultation process or the treatment or care being administered
- the patient understands that a note will be made in their health record stating that they have recorded the consultation or care being provided
- the patient is reminded of the private and confidential nature of the recording and that it is their responsibility to keep it safe and secure
- any recording is only made for personal use
- you are aware that the misuse of a recording may result in criminal or civil proceedings
- you understand that the patient is entitled to see their notes
- we can consider providing the patient with a written record summary, and/or a verbatim record (if practical), of their consultation for their own personal use if this is helpful.
We are aware that patients and families may be considering covertly recording a consultation. Using a hidden camera or other recording equipment is a big decision. It can affect people’s privacy and dignity. And it can have legal consequences as well. It may also be interpreted as a sign that trust is lacking or that the patient may be considering a complaint or legal action.
Both legally, and as a matter of courtesy, you should seek the health professionals’ agreement before recording a consultation/treatment. We strongly discourage covert recording.
If you are worried about your or somebody else’s treatment and/or care, you should first raise these concerns with us. We take proactive steps to investigate and address any issues regarding your treatment and care. You can do this by using our complaints procedure.
You can also raise concerns with the Care Quality Commission (CQC). They have very helpful guidance on this subject: ‘Using cameras or other recording equipment to check somebody’s care’.
It is important to note that the CQC state that an organisation should not ever refuse to treat someone or care for them properly because recording equipment or similar technology is being used.
Sharing personal information about patients and clients with third parties
Dorothy House works as part of a health and social care system in our community. To provide the safest, highest quality, most integrated patient and client care we can, sharing of health and social care information is encouraged, whilst confidentiality is prioritised. We believe that you would expect us to share relevant health and social care information with other services/organisations involved in your care, or those who you have agreed should become involved, and that you will inform us if you do not wish for this to happen. We do not generally share information about clients, or those who only attend our ‘Open Access’ groups, but for patients, we would anticipate sharing information, as part of your care, with:
- Community care professionals eg GPs, District Nurses, multi-disciplinary teams, Specialist Nurses, Community Matrons
- Hospitals
- Public/private health and social care providers.
Although we would always aim to share only the minimum information required, when sharing is via SystmOne, this is not always technically possible. However, we can ensure that individual elements of information are not shared, so please tell us if there are particular areas that you wish to remain confidential. Patients do have the right to totally opt out of Dorothy House sharing their electronic patient record with other health and social care providers.
Very rarely we may be required to share confidential personal information without consent if we are required to do so by statutory law, such as with safeguarding concerns.
We are required to share information for commissioning, service planning and regulatory purposes with:
- Clinical commissioners of local services
- Care Quality Commission and other regulatory bodies.
We will ask, specifically, for your consent (lawful basis) if personal data is to be used in the following cases:
- Referring our patients/clients on to other service providers (non-health/social care)
- Requested by solicitors or insurance companies.
In order for us to raise awareness of our work it is extremely useful to be able to use stories and photographs/video of our patients and their families. We will only ever do this with your specific consent (lawful basis).
[Updated December 2021]
Employees
Why do we collect personal information about staff and how do we use it?
As an employer there are lawful bases for the personal information that we collect about our staff, agency staff, our contracted consultants and those with an honorary contract such as those with medical placements. We have used the collective term “staff” for the purpose of this privacy statement.
Using personal information helps us provide the best support to our workforce, to ensure their health and safety and to make for a better employee experience.
The main lawful basis (legal reason) for collecting and using this personal information is because we hold a contract with that individual. Processing information under this legal basis enables us to:
- Recruit the right staff to Dorothy House
- Pay staff
- Develop and train staff
- Administer pensions
- Ensure health and safety of staff
- Manage the organisation (for example staff rotas and availability, maintenance requests, IT helpdesk requests, use of intranet/Dot2Dot and library)
- Analyse Dot2Dot use through OAK reporting (Intranet provider) facility
- Use photographs for security purposes.
We also process the personal data of staff to meet our legal obligations as an employer, including to:
- Meet immigration law obligations
- Meet medical registration obligations
- Keep staff safe using, for example, risk assessments or health and safety reports
- Where appropriate, process DBS checks to keep safe everyone who comes into contact with Dorothy House
- Modify working conditions according to staff health conditions
- Pay tax and National Insurance contributions to HMRC.
We also collect and use some personal information regarding staff on the lawful basis of “legitimate interest” so that we can:
- Alert nominated emergency contacts for staff members if there are concerns for the health and safety of that staff member
- Monitor demographic, equality and diversity data to evidence fair recruitment and staffing
- Use staff photographs on Outlook and internal software for the purpose of staff identification and for presentations and publicity.
- Use CCTV cameras in the controlled drug room on the Inpatient Unit for safety and security purposes, as detailed in the CCTV privacy notice.
Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)
What personal information do we collect about our staff?
Based on the data processing reasons outlined above, we may collect some or all of the following information (this list is not exhaustive):
- Basic details including name, postal/email address, telephone number, date of birth and emergency contact details
- Demographic, equality and diversity data
- Terms of employment information including letters of offer, employment contract, place of work, references, ID information
- Skills and experience information including CVs, records of qualifications, training and professional membership/registration
- Financial information so that we can pay you including bank details, National Insurance documentation and social security numbers, where applicable
- Identification information including photos, car driver information, copies of birth certificate/driving licence, CCTV footage where an employee has restricted access to the controlled drugs room on Inpatient Unit
- Employment process information including absence from work and any disciplinary issues
- Performance records such as appraisals and one-to-ones
- Personal health information such as occupational health advice or health and safety reports
- Information on use of DH electronic devices including Dorothy House intranet, email data and back-up from Dorothy House servers, building access, printing history.
Where do we store personal staff information and for how long?
Staff information as outlined above is primarily stored on a secure Human Resources database managed by Dorothy House. For some functions it may be necessary to hold basic contact details on other internally-managed databases whereby the data can be stored off-site with the relevant software provider, for example training records, maintenance requests, printing history, library use, IT helpdesk.
All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to maintain confidentiality.
Some working documentation, such as personal development reviews, performance monitoring and one-to-ones, will be kept securely within the Dorothy House network. Currently the HR department also securely holds hard copy files within the department.
Staff record retention policy is for seven years after employment ceases unless exceptional circumstances apply.
Sharing personal information about staff
Dorothy House may need to share some of the information we hold on staff with:
- Statutory organisations such as HMRC, Child Support Agency, local authorities (for attachment of earnings), student loans
- Third-party communications services such as mailing houses, email marketers, survey providers, event booking systems
- External education system providers (eg Moodle, Training Tracker)
- Other external organisations such as credit card companies, pension companies (including NHS Pensions)
(UPDATED NOVEMBER 2021)
Trustees and Volunteers Privacy Statement
Why do we collect personal information about volunteers?
We collect and process personal data about our volunteers in order to facilitate their volunteer role and for volunteer-related purposes (e.g. volunteer welfare, equal opportunities monitoring, administrative purposes, financial, regulatory, business development and for information strategy). Being a trustee is a distinct type of volunteering, and has additional data protection implications.
All volunteers should be familiar with this statement, which should be read in conjunction with the information governance handbook and information security policy.
What personal information do we collect about volunteers?
- Contact details such as: name, title, addresses, telephone numbers, mobile phone numbers and personal email addresses;
- Date of Birth;
- Gender;
- Next of kin and emergency contact information;
- Bank account details (when necessary) for example, to reimburse expenses;
- Copy of driving licence, passports and visas (when necessary);
- Recruitment information (including references and any other information enclosed in a CV or disclosed in the application process);
- Recording information to support volunteering
- Case studies, biographies, testimonies, quotes or opinions about volunteering;
- Information about your use of our information and communication systems;
- Photographs, video and audio footage;
- Information gathered from social media sources in the public domain eg Facebook.
- Volunteer satisfaction information.
- CCTV footage (if volunteer role determines)
We may collect, store and use the following sensitive information or “special categories” of personal data about you:
- Information about your ethnicity, disability, sexual orientation, gender reassignment, and religious beliefs
- Information about your health including any dietary requirements;
- Information about criminal convictions and offences (unspent if non-patient facing)
- Information required and related to ID/Disclosure and Barring Service (DBS) checks or any other background checks associated with vulnerable individuals if role appropriate.
How do we collect your information?
We collect personal data about volunteers through the volunteer/trustee management and recruitment process. We may sometimes collect additional information from third parties including former or current employers (e.g. referees or occupational health providers or background check agencies, for example DBS).
On what basis do we collect, store and use (process) your information?
We will only process personal data about our volunteers for the relevant purposes (when the law permits us to):
- if the processing is necessary for:
  - the performance of the Volunteer Promise agreement we have entered with you (this does not amount to a contract of employment); or your trustee appointment
  - our (or a third party’s) legitimate interests in particular:
    – to administer our relationship with you;
    – to build a picture of your skills, experience and interests in order to assess your suitability for volunteering projects;
  - the protection of your vital interests (e.g. in a ‘life or death’ scenario);
  - compliance with a legal obligation, or
- with your consent.
Updated June 2022
Where we process your personal data for our legitimate interests, we will make sure that we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. You have the right to object to this processing, and if you wish to do so, then please contact us at info.governance@dorothyhouse-hospice.org.uk
We will only process special categories of personal data with your explicit consent, or if there are other grounds for doing so, including (but not limited to) the processing being:
- necessary to carry out obligations or exercise rights regarding volunteering (for example, processing medical or health information to assess your suitability for volunteering with us and for being involved on specific projects and in order to accommodate you in a voluntary role);
- necessary to protect your vital interests (or someone else’s interests);
- necessary to comply with a legal obligation (for example, to protect vulnerable individuals or for insurance purposes);
- in relation to personal data which you have made public; or
- necessary for bringing, defending or conducting a legal claim.
We will take even greater care of this type of data as collecting and using it could create significant risks to the individual’s fundamental rights and freedoms or open someone up to discrimination.
Information about Criminal Convictions
This will usually be where such processing is necessary to carry out our obligations.
Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims; where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent; or where you have already made the information public.
Where appropriate we will collect this information as part of the recruitment process or we may be notified of such information directly by you in the course of your voluntary work.
Volunteer Communications
There is certain information which DH is required to send volunteers to support and facilitate their voluntary role and any related activities. Volunteers can expect to receive this communication via the Assemble message centre or News Hub, by email, or post.
If you are a volunteer and a supporter of Dorothy House, this does not affect your data protection rights as a supporter or the marketing preferences that you provided. If you have chosen not to receive marketing communications as a supporter, Dorothy House will continue to respect your preferences. Updated June 2022
Who has access to volunteer data?
Certain personal data about our volunteers will be made available to other DH employees and volunteers, limited to those who have access to volunteer information. We may publish limited personal data, for example case studies/testimonies/quotes and photographs, which may be featured in our internal or external publications, e.g. our volunteer brochure.
Some content, including personal data, may also be held on other systems. Where appropriate, access to sensitive information is restricted only to those who have a legitimate business reason to see it.
On occasion we may be required to share your personal data with third parties; please see below.
Who do we share your data with?
Dorothy House may be required to share personal data (including special categories of personal data) with third parties. For example, we may share information with:
- occupational health providers for undertaking necessary health checks;
- third party service providers (for example, those who carry out background checks for safeguarding purposes or driving licence checks);
- Governmental and regulatory bodies (including the police, DBS, Care Quality Commission, and in the case of trustees, the Charity Commission, Companies House, HMRC)
- Professional advisers (such as lawyers, accountants, auditors, health advisors and insurance brokers);
- Trusted suppliers and service providers who will process information on our behalf for administrative purposes;
- Trusted partners or organisations when necessary, for example if you are volunteering for a joint project with another organisation, we may need to share your personal data with it.
We will only share personal data with third parties if adequate security measures are taken and your rights are respected. We will never sell your personal data to anyone.
How do we store your data and for how long?
We only store information within the European Economic Area (EEA). If our trusted service providers (e.g. software providers like Microsoft) transfer any data outside of the EEA we will take steps to make sure adequate levels of privacy protection, in line with the General Data Protection Regulation and associated legislation, are in place.
We will only retain your personal data for as long as necessary to fulfil the purpose we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements. We will process personal data on volunteers for the duration of their voluntary work with DH. When a volunteer leaves DH, we will continue to retain data for as long as is necessary, routinely seven years.
We continually review what information we hold and delete what we no longer require. Certain special categories of personal data on volunteers will be retained, and in some cases this personal data may be kept for very long periods of time. For example, we may retain information relating to health (e.g. if you have an accident whilst volunteering, in case of a future insurance claim). Updated June 2022
If you are suspected or convicted of a criminal offence, we may retain information from our own records, and also other publicly available sources. We do this because it is necessary to do so:
- in case it is required to bring, defend or conduct a legal claim;
- to assist in the detection or prevention of crime; and
- to protect the interests of the general public.
If you have any questions about this privacy statement please contact: Juliette Morgan, Head of Governance at info.governance@dorothyhouse-hospice.org.uk or Volunteer Services.
Job Applicants and Referees
Why do we collect personal information about job applicants and referees and how do we use it?
As an employer, there are lawful bases for the personal information that we collect on our job applicants and referees.
Job applicants’ and referees’ data can also help us to support our workforce better and make for a better recruitment experience. A significant lawful basis (legal reason) for collecting and using certain personal information about job applicants is that of “legal obligation”. In other words, we have to collect this information to comply with the law. Processing information under this lawful basis enables us to:
- Meet immigration law obligations
- Verify the job applicant’s right to work
We also collect and use information about job applicants under the lawful basis of “contract” with a view to entering a contract with that individual as an employee. Processing information under this legal basis enables us to:
- Recruit the right staff to Dorothy House, understanding, for example, their skills, job history and background
We process some personal information on job applicants on the lawful basis of “legitimate interest” so that we can:
- Monitor demographic, equality and diversity data to evidence fair recruitment
Processing information on the basis of “legitimate interest” means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis (see Your Rights section below).
What personal information do we collect about job applicants and referees?
Based on the data processing reasons outlined above, we may collect all or some of the information below to help us ensure the best recruitment process (this list is not exhaustive):
- Basic details: Name, postal/email address, telephone number, date of birth.
- Demographic, equality and diversity data (this information is collected anonymously and separately from a job application form)
- Job application information including references and contact details of referees.
  NB: DBS checks take place once applications have been successful
- Skills and experience information including CVs, records of qualifications, education, training and professional membership/registration
- Identification information including photos, car driver information, copies of birth certificate/driving licence.
Where do we store job applicants’ and referees’ personal information and for how long?
Job applicants’ and referees’ personal information is stored on a secure database managed by Dorothy House. All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to maintain confidentiality.
If job applicants are unsuccessful in their application, their application details are kept on file by Dorothy House for six months and then deleted unless prior agreement has been obtained. Copies of official documentation are shredded immediately after an unsuccessful interview.
Successful job applicants’ personal information is retained – please see Employee Privacy Statement.
Sharing personal information about job applicants
Information on job applicants and referees will be shared internally with Dorothy House teams and line managers in order to make the best recruitment decisions.
Fundraising donors
Why do we collect personal information about fundraising donors and how do we use it?
As a charity, there are lawful bases for the personal information that we collect on our fundraising donors.
Developing good relationships with donors is essential to successful and rewarding fundraising. By creating and maintaining up-to-date profiles of donors we can build and maintain those good relationships and contact you in the most appropriate way, promoting fundraising and event opportunities of interest.
Unless there is a clear and valid reason for doing so, we do not collect sensitive personal information about our donors.
A significant lawful basis (legal reason) for collecting and using certain personal information about fundraising donors is that of “legal obligation”. In other words, we have to collect this information to comply with the law. Processing information under this lawful basis enables us to:
- Record and monitor income both for internal audit and HMRC
- Administer probate process and audit trail for legacies
- Set up standing orders
- Record Gift Aid status
- Process legacies.
We also collect some of the personal data on the lawful basis of “legitimate interest” so that we can:
- Generate publicity such as sharing group photos/videos from events
- Conduct appropriate postal marketing to all fundraising channels (trusts, individuals, corporates)
- Make appropriate trust applications for grants
- Seek support by approaching potential corporate supporters.
Processing information on the basis of “legitimate interest” means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. See Your Rights section.
We will keep in touch with you by post to tell you about other ways you can fundraise or support us. We do this on the basis of “legitimate interest”. If you don’t want to hear from us in this way, then please let us know by visiting our webpage https://www.dorothyhouse.org.uk/staying-in-touch-with-you/, by phoning 01225 721480 or by emailing preferences@dorothyhouse-hospice.org.uk
If you sign up to receive our online newsletter, or to keep in touch with how to support us by email, we do this on the basis of “consent”. You can withdraw your consent any time by visiting our webpage to share your preferences, by phoning 01225 721 480 or by emailing preferences@dorothyhouse-hospice.org.uk
What personal information do we collect about our fundraising donors?
Based on the data processing reasons outlined above, we may collect all or some of the information for individuals and organisations (this list is not exhaustive):
Basic details including names, addresses and other contact details for individuals, legators, executors, Trusts and corporates
Donation information: Donation amounts and dates linked to donors, for all donations, including bank account details, if appropriate, Gift Aid declarations
Other: Donor relationship records, event participation registration and information supplied, photographs and video of event participants.
Where do we store personal fundraising donor information and for how long?
All fundraising donors’ personal information as outlined above is stored on a secure database, which only Dorothy House employees and volunteers with a username and password can access. Staff receive training so that they are aware of their professional responsibility to maintain confidentiality.
Your data is held on a database hosted at Dorothy House. It is used alongside a fundraising and email marketing toolset, which stores and captures online events registration and donations for us. We also use two event booking platforms, currently Eventbrite and Enthuse, to handle event registration information and ticket purchases on our behalf. Payments made through either of these systems are processed via the US and this is covered by the EU-US Privacy Shield Framework.
We retain all donation records for a minimum of seven years to comply with HMRC and audit requirements. There are important organisational reasons for retaining fundraising donors’ information longer than this, for example legacy records and statistical monitoring. If you do not wish us to keep your information longer than seven years, please contact us.
Sharing personal information about fundraising donors with third parties
The Fundraising department is responsible for storing fundraising donors’ information and will need to share some of this information with third parties as follows:
HMRC for Gift Aid purposes
Dorothy House’s bank for standing orders
Third-party communications services such as mailing houses, bulk email service providers, survey providers and event booking systems
Email marketing service: We currently use Email Octopus to manage some of our requested email marketing and crucial information dissemination. You can read the Email Octopus privacy information here: https://emailoctopus.com/legal/privacy
From time to time we may use trusted third parties to assist in ensuring our donors receive the most appropriate communications from us. When we use a third party in this way we require their assurance that data is handled in line with our policies.
We don’t use any external provider to undertake any wealth screening and we will not use any external provider for telephone marketing.
In turn, partner organisations share data with us, for example:
- Event organisers eg Marathon companies, Challenge companies
- Event booking platforms eg Eventbrite
- Online giving organisations eg JustGiving, Virgin Giving, Facebook Donate, LocalGiving, or when you donate using QR codes
- Local Hospice Lottery
- Funeral directors.
Retail Donors and Shoppers
Why do we collect personal retail donor and shopper information and how do we use it?
As a charity, there are various lawful bases for the personal information that we process on our retail donors and shoppers.
A lawful basis (legal reason) for collecting and using certain personal information about retail donors and shoppers is that of “legal obligation”. In other words, we have to collect and use this information to comply with the law.
Processing information under this basis enables us to submit Gift Aid claims to HMRC and to write to donors regarding donation amounts for their HMRC compliance. We are also legally obliged to collect contact information so that we can provide refunds.
Dorothy House also collects contact information on retail donors for the purpose of appropriate postal marketing. We process this personal data on the lawful basis of “legitimate interest”.
Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis (see Your Rights section below).
What personal information do we collect about our retail donors?
Based on the data processing reasons outlined above, Dorothy House collects all or some of the following information, primarily for those who have signed up to Gift Aid:
Basic details: Name, postal/email address, telephone number
Retail information: Gift Aid declaration, retail sales data
Where do we store personal retail donor information and for how long?
Retail donors’ personal information as outlined above is stored on a secure database hosted at Dorothy House and which only Dorothy House employees and volunteers with a username and password can access. Staff receive training so that they are aware of their professional responsibility to uphold confidentiality.
We retain all donation records for a minimum of seven years to comply with HMRC and audit requirements. There are important organisational reasons for retaining retail donors’ information longer than this, for example legacy records and statistical monitoring. If you do not wish us to keep your information longer than seven years, please contact us.
Sharing personal information about retail donors with third parties
Dorothy House is responsible for storing retail donors’ information and will need to share some of this information with third parties as follows:
- HMRC for Gift Aid purposes
- Third-party communications services such as mailing houses, bulk email service providers.
Customers
Why do we collect service users’ (non-patient/client) information and how do we use it?
At Dorothy House, there are lawful bases for the information that we process on those who hire or use our non-patient/client services. This includes, but is not limited to, those who attend our training courses, hire our facilities, hire us for DBS checking, use our library or hire us for another non-clinical service.
As an education and service provider, the main lawful basis (legal reason) for collecting and using personal information on training course attendees is because we hold a contract with these individuals. Processing information on this basis enables us to:
- Deliver, administer and invoice for our courses
- Video and record our courses to play back to attendees, which is an integral part of delivering some of our courses.
Our library users and those hiring our facilities also enter into a “contract” with Dorothy House, giving us the lawful basis to process personal information, such as contact details, so that we can administer these services.
Dorothy House will ask, specifically, for “consent” if personal data for our service users (non-patient/client) is to be used for:
- Email marketing, for example of new training courses
- Ensuring adequate facilities to accommodate any special needs
- Marketing and publicity of future courses through the use of photos, videos and quotes.
What personal information do we collect about our service users (non-patient/client)?
Based on the data processing reasons outlined above, Dorothy House collects some of the following information:
Basic details: Name, postal/email address, telephone number
Organisation details: Job title, organisation/employer
Training: Course feedback comments, video footage, photos, any special needs data for course participants.
Where do we store service users’ (non-patient/client) information and for how long?
Service users’ (non-patient/client) information as outlined above is stored on secure databases, hosted at Dorothy House, which only Dorothy House employees and volunteers with a username and password can access. Staff receive training so that they are aware of their professional responsibility to uphold confidentiality. This information could be kept up to seven years for HMRC purposes.
Sharing personal information about service users (non-patient/client) with third parties
The Education, HR and Estates Teams at Dorothy House are responsible for storing service users’ (non-patient/client) information and will need to share some of this information with third parties as follows:
- External training facilitators
- External education system providers eg Moodle
- Third-party communications services such as email marketing, survey providers
- Email marketing provider: We currently use EmailOctopus to manage some of our requested email marketing and crucial information dissemination. You can read the EmailOctopus privacy information here: https://emailoctopus.com/legal/privacy
Suppliers
Why do we collect service providers’ information and how do we use it?
At Dorothy House, the lawful basis for the information that we process on our service providers — contractors and suppliers — is contractual. Processing information under this lawful basis enables us to:
- Process and pay invoices
- Contact emergency support providers in times of emergency.
What personal information do we collect about our service providers, for example contractors/suppliers?
Based on the data processing reasons outlined above, we may collect all or some of the information below to help us ensure the best relationship with our service providers:
Basic details: Name, postal/email address, telephone number
Organisation details: Job title(s), organisation/employer, bank account details, completed new supplier form.
Where do we store service providers’ information and for how long?
Service providers’ information as outlined above is stored on secure databases, hosted at Dorothy House, which only Dorothy House employees and volunteers with a username and password can access. Staff receive training so that they are aware of their professional responsibility to uphold confidentiality. This information could be kept up to seven years for HMRC purposes.
Sharing personal information about service providers (contractors/suppliers) with third parties
As valued service providers to Dorothy House we would look to share your details and include you in our communications as we feel there is legitimate interest, unless you request otherwise.
Website Users
Why do we collect website users’ information and how do we use it?
At Dorothy House there are lawful bases for the information that we process on those who use our website. This includes, but is not limited to, those who access information, update their contact preferences, book places on our events, make donations and shop for our goods.
One lawful basis for the collection of personal information from website use is that of “contract” so that we can:
- Send engagement packs and information to those who register for events and activities via the website
- Deliver goods ordered through the Dorothy House website, administered by Shopify.
Specifically, we ask for your “consent” before we process personal information to help us:
- Send digital newsletters to those who have requested a digital format via the website.
We do process some personal data with regards to our website on the lawful basis of “legitimate interest” so that we can:
- Analyse website traffic via Google.
Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis (see Your Rights section below).
What personal information do we collect about our website users?
Based on the data processing reasons outlined above, the information below may be collected depending on a user’s reasons for accessing the website:
Basic details (e.g. for event registration, buying goods, engagement packs and responding to information requests): Name, postal/email address, telephone number. Sometimes we may ask for additional information about past event attendance or your interests to help us personalise your journey and our communications; however, these fields may often be optional. Any mandatory fields will be marked with an asterisk (*).
Where do we store website users’ information and for how long?
If you are registering for an event or making an online donation, your data is held on a database hosted at Dorothy House. It is used alongside a fundraising and email marketing toolset, which stores and captures online events registration and donations for us.
We retain all donation records for a minimum of seven years to comply with HMRC and audit requirements. There are important organisational reasons for retaining fundraising donors’ information longer than this, for example legacy records and statistical monitoring. If you do not wish us to keep your information longer than seven years, please contact us.
We use cookies to help us serve you the right information
A small computer file known as a “cookie” is placed on your computer when you use the Dorothy House website. It means that our system can learn from the content you view what content may be useful to you.
We use a third party provider, CookieYes, for our cookie consent solution. CookieYes provide a breakdown of how cookies are used on a website here. CookieYes does not collect, store, or process any other personally identifiable information, such as names, email addresses, or any other sensitive data that could directly identify individual users.
If you would like to learn more about CookieYes and how your information is being used, please click here.
How we use cookies
Dorothy House may use cookies to:
- Store your preference information – the website can then curate more relevant information specifically for you
- Analyse the website traffic using Google Analytics – this cumulative data ensures our goal of constant development to improve the overall user experience of the website
- Recognise returning traffic to our website – we may therefore display relevant content specifically to you or present previously used functionality
- Identify if you are signed in to the website.
However, please be assured that cookies do not allow us to access your computer or present any information about you, other than what you choose to share via your search engine browser preferences.
You have the right to object to this tracking and to stop it happening. To do this when visiting our website, click the ‘Reject All’ button on the cookie banner.
Cookies in use by Google Analytics (GA4)
The following GA4 JavaScript tags are used on our website:
- _ga (used to distinguish users and has a default expiration time of 2 years)
- _ga_<container-id> (used to persist session state and has a default expiration time of 2 years)
How do I prevent being tracked by Google Analytics?
If you are uncomfortable with this tracking, you can take the following actions:
- Use a tracking-blocker, such as Privacy Badger
- Clear cookies after every browsing session
- Install the Google Analytics opt-out extension
Your rights re. Google Analytics
If you already have Google Analytics cookies, they will be updated with the latest information about your visit to the site. As we cannot access any personal data about you ourselves, we are not the Data Controller for your Google Analytics. You would need to contact Google directly for this information.
LHLL Meta Pixel
We currently have a Meta Pixel, issued by LHLL, which is active on our Local Hospice Lottery fundraising page. The pixel is a form of ‘cookie’ which will enable LHLL to display ads to people on their Meta accounts (i.e. Facebook and Instagram). Information from this Meta Pixel will be shared with LHLL.
The pixel will track when a user of our website has accessed or clicked on links within specific lottery or fundraising pages. It will send this data securely to Meta in an encrypted ‘hashed’ format. Meta will then match this data up with people who have corresponding social media accounts. For people with a Facebook or Instagram account, Meta will then display LHLL ads on their social media feeds. Any ‘unmatched’ data will be deleted. Meta will also use the information provided via the Meta Pixel to help LHLL create ‘lookalike’ audiences so that ads can be displayed on the social media accounts of potential new supporters who have similar characteristics to existing hospice supporters.
Further information about the operation of Meta Pixels can be found here – https://www.facebook.com/business/tools/meta-pixel/
The Meta Pixel is not activated until the user has consented to marketing/targeting cookies via the Dorothy House website cookie banner.
The Meta Pixel is restricted only to the Local Hospice Lottery webpage and no other pages on the Dorothy House website.
Controlling cookies
All web browsers have cookie settings. This will determine how our website uses these cookies. If you choose not to allow our website to store cookies on your device or computer, you will need to amend your web browser settings to refuse cookies. Please be aware that making these changes could affect the functionality of our website for you. For example, certain pages and services may appear unavailable to you. Our website issues cookies when you visit unless you carry out the web browser settings changes to refuse cookies.
Sharing personal information about service providers and website users with third parties
Dorothy House will never sell personal data to any third party.
We do share your data with organisations that work on our behalf or supply us with services that require your data to deliver these services. Companies that we work with include:
E-Commerce organisations e.g. Shopify
Email marketing service: We currently use Email Octopus to manage some of our requested email marketing and crucial information dissemination. You can read the Email Octopus privacy information here: https://emailoctopus.com/legal/privacy
Your Rights
As an individual whose personal data is processed by Dorothy House you have the following rights:
- the right to be informed – which is what this privacy statement is for
- the right to access the data we hold about you
- the right to object to direct marketing
- the right to object to processing carried out on the basis of legitimate interests
- the right to erasure (in some circumstances)
- the right to data portability (in some circumstances)
- the right to have your data rectified if it is inaccurate
- the right to have your data restricted or blocked from processing
Sharing personal information
We will never sell personal data. We use databases internally whereby the data is stored off-site with the relevant software provider. In some cases we also share information with third parties such as mailing houses who process information on our behalf including managing events and marketing by post and email. When we use a third party in this way we require their assurance that data is handled in line with our policies.
The Communications Team at Dorothy House will ask for consent to use photos, videos or quotes from individuals, for the sole purpose of promoting our services and raising awareness of our work. Publicity channels we use include our website, social media, local/national media, leaflets, exhibition displays and organisational publications.
If you attend one of our events, we might use photographs and video from the events in publicity, via the channels above. If you are not happy about this we will do our best to remove you from photographs/video if you make us aware of your objection before attending.
Sharing Records
Like a lot of the NHS, we use an electronic patient record system called SystmOne. If you decide to take up any offer of our support, for administrative and professional practice purposes we will need to record and store a certain amount of personal information about you on this database. This will include your name, address, date of birth, details of consultations with your GP and other healthcare professionals. We’re a multi-disciplinary team so all staff involved in your care need to have access to your records in order to provide co-ordinated and appropriate care and support.
If you are receiving support from us and if any of your healthcare professionals (ie district nurses, GP practice and other health and social care staff) also use SystmOne as their clinical database system, we encourage full sharing of clinical information.
Any personal identifiable information Dorothy House records about you will be shared only with your permission. It will be shared only with relevant hospital teams or other health and social care staff involved in your care. We will always try to talk to you first if we need to share sensitive information.
If you would prefer us never to share any information with other health and social care professionals, please let us know and we will record and abide by this wish. It is only in exceptional circumstances that we are required by the law to share your information, without your permission, for instance, if there is a need to protect an individual from serious harm, or a crime has been committed.
The Data Protection Act (1998) gives you the right to see your records. For more information see the Information Commissioner’s Office website
Monitoring our standard of care
The Care Quality Commission, which has a legal duty to monitor the standard of the care we provide, asks that we give them the contact details of patients and their carer/close family member referred to us so that they are able, before or following an inspection visit, to contact you to discuss the care a patient or relative has received. If you do not wish us to provide them with this information, please inform us by calling our Clinical Coordination Centre on 0345 0130 555 (Monday-Friday, 8-6pm; Saturday-Sunday 9am-5pm) or dhhc.dorothyhouse-referrals@nhs.net
NHS Data Management
In order to receive our proportion of NHS funding we are required to provide a limited amount of personal data to the Clinical Commissioning Groups (CCG) with whom we have a contract via the Commissioning Support Unit. Anonymised data is also used for audit and service improvement projects as we continually strive to improve and develop our services. If you have any questions relating to this please do contact us for more information – clinical.informatics@dorothyhouse-hospice.org.uk or call: 01225 722 988
Using cameras or other recording equipment during treatment
Using cameras or other recording equipment during treatment and care – Information for Patients and Families – November 2021
At Dorothy House Hospice Care (Dorothy House) we promote the open and honest recording of consultations or conversations with healthcare professionals.
Where this is done with everybody’s agreement, we believe this benefits the patient and the healthcare professional by:
- enabling patients to remember important advice, particularly where there are language barriers
- providing a copy of the consultations when patients may have been distressed
- giving patients more time to process information
- helping patients and their family members where patients may be experiencing memory loss or have some cognitive impairment
- including patients’ family members in their care and decision making
- helping patients to remember if the information is particularly complex
- helping to set family members’ minds at ease about the care received or even help identify poor care or abuse.
To achieve this, we will work with you to ensure that:
- any recording is done openly and honestly with the express permission of the patient
- the recording process itself does not interfere with the consultation process or the treatment or care being administered
- the patient understands that a note will be made in their health record stating that they have recorded the consultation or care being provided
- the patient is reminded of the private and confidential nature of the recording and that it is their responsibility to keep it safe and secure
- any recording is only made for personal use
- you are aware that the misuse of a recording may result in criminal or civil proceedings
- you understand that the patient is entitled to see their notes
- we can consider providing the patient with a written record summary, and/or a verbatim record (if practical) of their consultation for their own personal use if this is helpful.
We are aware that patients and families may be considering covertly recording a consultation. Using a hidden camera or other recording equipment is a big decision. It can affect people’s privacy and dignity. And it can have legal consequences as well. It may also be interpreted as a sign that trust is lacking or that the patient may be considering a complaint or legal action.
Both legally, and as a matter of courtesy, you should seek the health professionals’ agreement before recording a consultation/treatment. We strongly discourage covert recording.
If you are worried about your or somebody’s treatment and/or care, you should first raise these concerns with us. We take proactive steps to investigate and address any issues regarding your treatment and care. You can do this by using our complaints procedure.
You can also raise concerns with the Care Quality Commission (CQC). They have very helpful guidance on this subject: “Using cameras or other recording equipment to check somebody’s care”.
It is important to note that the CQC state that an organisation should not ever refuse to treat someone or care for them properly because recording equipment or similar technology is being used.
Privacy Notice: Use of webcam to view Fireflies
Dorothy House operates a webcam which streams live images from a designated area of the Firefly Woods as part of its aim to allow supporters to experience the Fireflies remotely.
We have undertaken a Data Privacy Impact Assessment in order to fully comply with our obligations under data protection law when using the webcam.
There is no intention to capture personal images through the webcam and we have the following in place to ensure data subjects avoid having their image/personal data captured:
- The camera is positioned in such a way as to avoid capturing any image other than that of the designated firefly area.
- Clear signage is provided at the webcam site advising that live-streaming is in action.
- There is a notice on the appeal webpage and privacy section of the website indicating the use of webcams.
- No data is stored; live images are streamed only.
- No audio is captured.
- Parents/guardians are responsible for the safety of their children when viewing the fireflies and should be mindful at all times of the webcam operation.
- We will continue to monitor and review the output from the camera to ensure that we continue to avoid processing images and therefore personal data.
June 2023
Privacy Notice: Use of the Interactive Nature Trail
- Dorothy House uses a third party app called Good Thyngs to enable trail visitors to collect stamps, discover fascinating facts and take selfies with creatures.
- Upon scanning the QR code on the trail boards, the app will request access to your phone camera.
- Any selfies taken on the app are not stored by Good Thyngs or by Dorothy House.
- By taking a selfie with the creatures, you are accepting responsibility for where you share the photo and whether or not you wish to download it and store it in your camera library.
- Parents/guardians are responsible for the safety of their children when interacting with the trail app and should be mindful of other visitors at all times.
- Please ensure you do not share photographs of other visitors or site users if they appear in the background of your selfies – Dorothy House will not accept responsibility for the sharing of images without consent.
Find out more about the Interactive Nature Trail here.
May 2024
Privacy Notice: BSW ICR
Bath and North East Somerset, Swindon and Wiltshire Integrated Care Record (BSW ICR) is a digital care record system for sharing information in Bath and North East Somerset, Swindon and Wiltshire. It allows instant, secure access to your health and social care records for the professionals involved in your care.
Relevant information from your digital records is shared with people who look after you. This gives them up-to-date information making your care safer and more efficient.
Dorothy House uses the system in the following way:
- We can access your data stored within the system and provide relevant information about you and your health.
If you would like to learn more about BSW ICR and how your information is being used please click here.
July 2024