Privacy

We are committed to protecting all personal information and being transparent about what we do with it.  We use your personal information in accordance with all applicable laws concerning the protection of personal data and we will not do anything with your information you wouldn’t reasonably expect.

Listed in this section is a set of privacy statements which provide more detail as to how we process your personal data, depending on your relationship with us.

Each privacy statement outlines why, how, what, where and for how long Dorothy House processes (collects and uses) your personal data, including details of any sharing of data with third parties.

The General Data Protection Regulation (GDPR), introduced in May 2018, provides six lawful bases under which personal information can be processed and we have highlighted in each privacy statement which lawful bases apply.  In particular, we have highlighted where data is collected and used on the basis of “legitimate interest.” This means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis.

Patients, Families and Carers

Why do we collect personal information about patients, families and carers and how do we use it?

Personal information about the patient, including about other health and social care professionals and family and friends involved in providing support and care, is essential in enabling us to provide the care required and to ensure that the needs of patients and their family members and carers (i.e. close friends) are at the centre of all the care we provide. The lawful basis for collecting and using information to provide care to our patients, families and carers is “public task” i.e. the information is fundamentally necessary for us to provide our care. The fact that we are providing health and social care permits us to handle sensitive personal data. This lawful basis permits us to:

  • Co-ordinate the care that we offer – both within our Dorothy House team and externally
  • Offer wider Dorothy House support to a patient’s family members, including in bereavement
  • Provide information to the NHS and other commissioners with whom we hold service contracts
  • Audit, evaluate and develop our services

Different levels of information are held depending on the extent of Dorothy House input.

 

What personal information do we collect about our patients, families and carers?

Based on the data processing reasons outlined above, we may collect all or some of the types of information below to help us provide the best care possible:

Basic details including name, postal/email address, telephone number, date of birth/death.

Demographic, equality and diversity data

Medical information including NHS number, detailed medical records, prescribed medications; investigation results and information from other professionals involved in care, patient/client service activity.

Other information includes personal and social history and documentation of consultations. Interactions with family members/carers are usually recorded within the patient’s record, but if a family member or carer is receiving more involved support from Dorothy House then a record will be created in their own right as a ‘client’ record – we will ensure that they are aware of this.

Some people will only attend group sessions, using our ‘Open Access’, but we are still providing a health and social care service.  We therefore create a record for each person who attends one of our groups and we will update this with attendances and any relevant clinical notes.

 

Where do we store patient, family and carers information and for how long?

Patient and ‘client’ data is stored on our electronic patient record system called SystmOne. This is a secure clinical database used by many other health and social care providers including GPs in our area. SystmOne data is hosted off-site within the European Economic Area (EEA) which gives a high level of security as all data processed within the EEA is covered by the General Data Protection Regulation.

Under current data protection legislation, all organisations involved in a patient’s care have a duty to ensure that information held about them is accurate, up to date and kept secure at all times. Access to records can be audited and can always be traced back because users log‑in using unique identifiers and secure access methods.

Currently, SystmOne is not able to either archive or delete patient records as it is a system shared across many health and social care organisations. However, when the record of a patient who has died or been discharged is accessed more than 52 weeks after the date of death or discharge, a reason must be provided and the system tracks access to these records.

Access within the Dorothy House team is on a need-to-know basis. Where volunteers are providing care and support they are regarded as part of the Dorothy House team. All staff and volunteers with access to confidential personal information receive information governance training.

 

Sharing personal information about patients and clients with third parties

Dorothy House works as part of a health and social care system in our community. To provide the safest, highest quality, most integrated patient and client care we can, sharing of health and social care information is encouraged, whilst confidentiality is respected. We believe that you would expect us to share relevant health and social care information with other services/organisations involved in your care, or who you have agreed should become involved, and that you will inform us if you do not wish this to happen. We do not generally share information for clients, or for those who only attend our ‘Open Access’ groups, but for patients, those we would anticipate sharing information with as part of your care are:

  • Community care professionals, e.g. GPs, District Nurses, Multi-disciplinary teams, Specialist Nurses, Community Matrons
  • Hospitals
  • Public/private health and social care providers

Although we would always aim to only share the minimum information required, when sharing is via SystmOne, this is not always technically possible. However, we can ensure that individual elements are not shared, so please tell us if there are particular areas that you wish to remain confidential. Patients do have the right to totally opt out of Dorothy House sharing their electronic patient record with other health and social care providers.

Very rarely we may be required to share confidential personal information without consent if we are required to do so by statutory law, such as if safeguarding concerns

We are required to share information for commissioning, service planning and regulatory purposes with:

  • Clinical commissioners of local services
  • Care Quality Commission and other regulatory bodies

We will ask, specifically, for your consent (lawful basis) if personal data is to be used for the following:

  • Referring our patients / clients on to other service providers (non-health/social care)
  • Requested by solicitors or insurance companies

In order for us to raise awareness of our work it is extremely useful to be able to use stories and photographs/video of our patients and their families.  We will only ever do this with your specific consent (lawful basis).


Employees

Why do we collect personal information about staff and how do we use it?

As an employer there are lawful bases for the personal information that we collect about our staff, agency staff, our contracted consultants and those with an honorary contract such as medical placements. We have used the collective term “staff” for the purpose of this privacy statement.

Using personal information helps us provide the best support to our workforce, to ensure their health and safety and to make for a better employee experience.

The main lawful basis (legal reason) for collecting and using this personal information is because we hold a contract with that individual.  Processing information under this legal basis enables us to:

  • Recruit the right staff to Dorothy House
  • Pay staff
  • Develop and train staff
  • Administer pensions
  • Ensure health and safety of staff
  • Manage the organisation (for example staff rotas and availability, maintenance requests, IT helpdesk requests, use of intranet/Dot2Dot and library)
  • Analyse Dot2Dot use through OAK reporting (Intranet provider) facility
  • Use photographs for security purposes

 

We also process the personal data of staff to meet our legal obligations as an employer, including:

  • Meet immigration law obligations
  • Meet medical registration obligations
  • Keep staff safe using, for example, risk assessments or health and safety reports
  • Where appropriate, we process DBS checks to keep everyone safe who comes into contact with Dorothy House
  • Modify working conditions according to staff health conditions
  • Pay tax and national insurance contributions to HMRC

 

We also collect and use some personal information regarding staff on the lawful basis of “legitimate interest” so that we can do the following:

  • Alert nominated emergency contacts for staff members if there are concerns for the health and safety of that staff member
  • Monitor demographic, equality and diversity data to evidence fair recruitment and staffing
  • Use staff photographs on Outlook and internal software for the purpose of staff identification and for presentations and publicity

Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)

 

What personal information do we collect about our staff?

Based on the data processing reasons outlined above, we may collect some or all of the following information (note, this list is not exhaustive):

Basic details including name, postal/email address, telephone number, date of birth and emergency contact details.

Demographic, equality and diversity data

Terms of employment information including letters of offer, employment contract, place of work, references, ID information

Skills and experience information including CVs, records of qualifications, training and professional membership / registration.

Financial information so that we can pay you including bank details, National Insurance (NI) documentation and social security numbers where applicable.

Identification information including photos, car driver information, copies of birth certificate/driving licence

Employment process information including absence from work and any disciplinary issues.

Performance records such as appraisals and 1 to 1s

Personal health information such as occupational health advice or health and safety reports.

Information on use of DH electronic devices including DH intranet, email data and back up from DH servers, building access, printing history.

 

Where do we store personal staff information and for how long?

Staff information as outlined above is primarily stored on a secure HR database managed by Dorothy House.  For some functions it may be necessary to hold basic contact details on other internally-managed databases whereby the data can be stored off-site with the relevant software provider, for example training records, maintenance requests, printing history, library use, IT helpdesk.

All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to respect confidentiality.

Some working documentation, such as personal development reviews, performance monitoring and 1 to 1s will be kept securely within the Dorothy House network.  Currently the HR Department also securely holds hard copy files within the department.

Staff records are retained for 7 years after employment ceases unless exceptional circumstances apply.

 

Sharing personal information about staff

Dorothy House may need to share some of the information we hold on staff with the following:

  • Statutory organisations: HMRC, Child Support Agency, local authorities (for attachment of earnings), student loans
  • Third party communications services: Mailing houses, email marketing, survey providers, event booking systems
  • External education system providers (e.g. Moodle, Training Tracker)
  • Other external organisations: Credit card company, pension companies (incl. NHS Pensions)


Trustees and Volunteers

Why do we collect personal information about Trustees and Volunteers and how do we use it?

As a charitable organisation, there are lawful bases for the personal information that we collect about our Trustees and Volunteers, including those who volunteer as Ambassadors, undertake Work Experience whilst studying, or volunteer through the Duke of Edinburgh Scheme.

Trustees’ and Volunteers’ data can also help us to support our volunteer workforce better, ensure their health and safety and make for a better volunteering experience.

A significant lawful basis (legal reason) for collecting and using certain personal information about Trustees and Volunteers is that of “legal obligation”.  In other words, we have to collect this information to comply with the law.  Processing information under this lawful basis enables us to:

  • Make sure we comply with Charities Commission regulation for the appointment of suitable Trustees
  • Keep Trustees and volunteers safe (for example, risk assessments, health and safety reports, parental consent for working with minors who volunteer through the Duke of Edinburgh Scheme)
  • Provide, monitor and report on mandatory training of Trustees/Volunteers
  • Where appropriate, we process DBS checks to keep everyone safe who comes into contact with Dorothy House
  • Understand health information regarding our volunteers, relevant to the role for which they are applying

 

We also collect some personal information regarding Trustees and Volunteers on the lawful basis of “legitimate interest” so that we can do the following:

  • Manage volunteers using rotas and availability as part of the DH workforce
  • Monitor demographic, equality and diversity data to evidence fair recruitment of volunteers
  • Pay expenses
  • Communicate forthcoming events and fundraising activities by post
  • Identify volunteers’ skills sets which could be used at Dorothy House
  • Monitor demographic, equality and diversity data to evidence fair recruitment and staffing
  • Manage the organisation by monitoring Trustee / Volunteer usage of Dorothy House intranet (Dot2Dot), printers, maintenance requests and IT helpdesk requests
  • Analyse Dot2Dot use through OAK reporting (Intranet provider) facility
  • Email survey links to our volunteers

Processing information on the basis of legitimate interest means that DH deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)

 

What personal information do we collect about our Trustees and Volunteers?

Based on the data processing reasons outlined above, we may collect some or all of the following information (note, this list is not exhaustive):

Basic details including name, postal/email address, telephone number, date of birth.

Bank account details so we can pay expenses

Financial information on Trustees including list of disqualified Directors/Trustees, other company interests, bankruptcy.

Background volunteering information including training records, skills information, work history, emergency contact details, DBS verification

Health data where applicable for volunteering role, risk assessments, health and safety accident reports.

Information on use of DH electronic devices including DH intranet, email data and back up from DH servers, building access, printing history.

 Personal health information applicable to volunteering role.

 

Where do we store personal Trustees and Volunteers information and for how long?

The Chief Executive’s office is responsible for the management of Trustees’ personal information. Other volunteer information as outlined above is primarily stored on a secure database managed by Human Resources or securely held in the shops.  For some functions it may be necessary to hold basic contact details on other internally managed databases whereby the data can be stored off-site with the relevant software provider, for example training records, maintenance requests, printing history, library use, IT helpdesk.

All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to respect confidentiality.

Trustee and volunteer records are retained for 7 years after departure unless exceptional circumstances apply.

If you don’t wish us to keep your information, please contact us.

 

Sharing personal information about Trustees and Volunteers

The Chief Executive’s Office and HR Departments respectively at Dorothy House are responsible for storing Trustees and Volunteers information and will need to share some of this information with third parties as follows:

  • Charities Commission (Trustees)
  • Companies House (Trustees)
  • Third party communications services: mailing houses, email marketing, survey providers, event booking systems
  • External education system providers (e.g. Moodle, Training Tracker)


Job Applicants and Referees

Why do we collect personal information about job applicants and referees and how do we use it?

As an employer, there are lawful bases for the personal information that we collect on our job applicants and referees.

Job applicants’ and referees’ data can also help us to support our workforce better and make for a better recruitment experience.  A significant lawful basis (legal reason) for collecting and using certain personal information about job applicants is that of “legal obligation”.  In other words, we have to collect this information to comply with the law. Processing information under this lawful basis enables us to:

  • Meet immigration law obligations
  • Verify the job applicant’s right to work

We also collect and use information about job applicants under the lawful basis of “contract” with a view to entering a contract with that individual as an employee. Processing information under this legal basis enables us to:

  • Recruit the right staff to Dorothy House, understanding for example their skills, job history and background

We process some personal information on job applicants on the lawful basis of “legitimate interest” so that we can:

  • Monitor demographic, equality and diversity data to evidence fair recruitment

Processing information on the basis of “legitimate interest” means that DH deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)

 

What personal information do we collect about job applicants and referees?

Based on the data processing reasons outlined above, we may collect all or some of the information below to help us ensure the best recruitment process (note, this list is not exhaustive):

Basic details: Name, postal/email address, telephone number, date of birth.

Demographic, equality and diversity data (This information is collected anonymously and separately from a job application form.)

Job application information including references, contact details of referees.
NB: DBS checks take place once applications have been successful

Skills and experience information including CVs, records of qualifications, education, training and professional membership/registration.

Identification information including photos, car driver information, copies of birth certificate/driving licence.

 

Where do we store personal job applicants and referees information and for how long?

Job applicants’ and referees’ personal information is stored on a secure database managed by Dorothy House. All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to respect confidentiality.

If job applicants are unsuccessful in their application, their application details are kept on file by Dorothy House for 6 months and then deleted unless prior agreement has been obtained. Copies of official documentation are shredded immediately after an unsuccessful interview.

Successful job applicants’ personal information is retained – please see Employee Privacy Statement.

 

Sharing personal information about job applicants

Information on job applicants and referees will be shared internally with Dorothy House Teams and Line Managers in order to make the best recruitment decisions.


Fundraising Donors

Why do we collect personal information about fundraising donors and how do we use it?

As a charity, there are lawful bases for the personal information that we collect on our fundraising donors.

Developing good relationships with donors is essential to successful and rewarding fundraising.  By creating and maintaining up-to-date profiles of donors we can build and maintain those good relationships and contact you in the most appropriate way, promoting fundraising and event opportunities of interest.

Unless there is a clear and valid reason for doing so, we do not collect sensitive personal information about our donors.

A significant lawful basis (legal reason) for collecting and using certain personal information about fundraising donors is that of “legal obligation”.  In other words, we have to collect this information to comply with the law.  Processing information under this lawful basis enables us to:

  • Record and monitor income both for internal audit and HMRC
  • Administer probate process and audit trail for legacies
  • Set up standing orders
  • Record Gift Aid status
  • Process legacies

We also collect some of the personal data on the lawful basis of “legitimate interest” so that we can do the following:

  • Generate publicity such as sharing group photos/videos from events
  • Conduct appropriate postal marketing to all fundraising channels (trusts, individuals, corporates)
  • Make appropriate trust applications for grants
  • Seek support by approaching potential corporate supporters

Processing information on the basis of “legitimate interest” means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. See Your Rights section.

We will keep in touch with you by post to tell you about other ways you can fundraise or support us.  We do this on the basis of ‘legitimate interest’.  If you don’t want to hear from us in this way, then please let us know by visiting our webpage https://www.dorothyhouse.org.uk/staying-in-touch-with-you/, by phoning 01225 721480 or by emailing preferences@dorothyhouse-hospice.org.uk

If you sign up to receive our on-line newsletter, or to keep in touch with how to support us by email, we do this on the basis of ‘consent’. You can withdraw your consent any time by visiting our webpage to share your preferences, by phoning 01225 721 480 or by emailing: preferences@dorothyhouse-hospice.org.uk

 

What personal information do we collect about our fundraising donors?

Based on the data processing reasons outlined above, we may collect all or some of the information for individuals and organisations (note this list is not exhaustive):

Basic details including names, addresses and other contact details for individuals, legators, executors, Trusts and corporates.

Donation information: Donation amounts and dates, linked to donors, for all donations, including bank account details if appropriate, Gift Aid Declarations

Other: Donor relationship records, event participation registration and information supplied, photographs and video of event participants

 

Where do we store personal fundraising donor information and for how long?

All fundraising donors’ personal information as outlined above is stored on a secure database, which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to respect confidentiality.

Your data is held on a database hosted at Dorothy House. It is used alongside a fundraising and email marketing toolset, which stores and captures on-line events registration and donations for us.  We also use an event booking platform, currently Eventbrite, to handle event registration information and ticket purchases on our behalf. Payments made through either of these systems are processed via the US and this is covered by the EU-US Privacy Shield Framework.

We retain all donation records for a minimum of 7 years to comply with HMRC and audit requirements.  There are important organisational reasons for retaining fundraising donors’ information longer than this, for example legacy records and statistical monitoring.  If you do not wish us to keep your information longer than 7 years, please contact us.

 

Sharing personal information about fundraising donors with third parties

The Fundraising Department is responsible for storing fundraising donors’ information and will need to share some of this information with third parties as follows:

HMRC for Gift Aid purposes

DH’s bank for standing orders

Third party communications services: mailing houses, bulk email service providers, survey providers, event booking systems

Email marketing provider: We currently use Mailchimp to manage some of our email marketing. Mailchimp stores its data in the US, although it complies with the EU-US Privacy Shield Framework and the Swiss – US Privacy Shield Framework.  Mailchimp uses personal data for its own purposes.  You can read Mailchimp’s privacy information by clicking here.  We are currently in the process of moving to a UK/EU hosted email marketing provider.

From time to time we may use trusted third parties to assist in ensuring our donors receive the most appropriate communications from us.  When we use a third party in this way we require their assurance that data is handled in line with our policies.

We don’t utilise any external provider to undertake any wealth screening and we will not utilise any external provider for telephone marketing.

Partner organisations share data in turn with us, for example:

  • Event organisers (e.g. Marathon companies, Challenge companies.)
  • Event booking platforms e.g. Eventbrite
  • Online giving organisations (e.g. JustGiving, Virgin Giving, Facebook Donate, LocalGiving, or when you donate using QR codes)
  • Local Hospice Lottery
  • Funeral Directors


Retail Donors and Shoppers

Why do we collect personal retail donor and shopper information and how do we use it?

As a charity, there are various lawful bases for the personal information that we process on our retail donors and shoppers.

A lawful basis (legal reason) for collecting and using certain personal information about retail donors and shoppers is that of “legal obligation”.  In other words, we have to collect and use this information to comply with the law.

Processing information under this basis enables us to submit Gift Aid claims to HMRC and write to donors regarding donation amounts for their HMRC compliance. We are also legally obliged to collect contact information so that we can provide refunds.

Dorothy House also collects contact information on retail donors for the purpose of appropriate postal marketing.  We process this personal data on the lawful basis of “legitimate interest.”

Processing information on the basis of legitimate interest means that DH deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)

 

What personal information do we collect about our retail donors?

Based on the data processing reasons outlined above, Dorothy House collects all or some of the following information, primarily for those who have signed up to Gift Aid:

Basic details: Name, postal/email address, telephone number.

Retail information: Gift Aid declaration, retail sales data

 

Where do we store personal retail donor information and for how long?

Retail donors’ personal information as outlined above is stored on a secure database hosted at Dorothy House and which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to respect confidentiality.

We retain all donation records for a minimum of 7 years to comply with HMRC and audit requirements.  There are important organisational reasons for retaining retail donors’ information longer than this, for example legacy records and statistical monitoring.  If you do not wish us to keep your information longer than 7 years, please contact us.

 

Sharing personal information about retail donors with third parties

Dorothy House is responsible for storing retail donors’ information and will need to share some of this information with third parties as follows:

  • HMRC for gift aid purposes
  • Third party communications services: mailing houses, bulk email service providers


Customers

Why do we collect service users (non-patient/client) information and how do we use it?

At Dorothy House, there are lawful bases for the information that we process on those who hire / use our non-patient / client services. This includes, but is not limited to, those who attend our training courses, hire our facilities, hire us for DBS checking, use our library or hire us for another non-clinical service.

As an education and service provider, the main lawful basis (legal reason) for collecting and using personal information on training course attendees is because we hold a contract with these individuals. Processing information under this basis enables us to:

  • Deliver, administer and invoice for our courses
  • Make visual and audio recordings of our courses to play back to attendees within the course, which is an integral part of delivering some of our courses

Our library users and those hiring our facilities also enter into a “contract” with Dorothy House, giving us the lawful basis to process personal information, such as contact details, so that we can administer these services.

Dorothy House will ask, specifically, for “consent” if personal data for our service users (non-patient/client) is to be used for the following:

  • Email marketing, for example of new training courses
  • Ensuring adequate facilities to accommodate any special needs
  • Marketing and publicity of future courses through the use of photos, videos and quotes.

 

What personal information do we collect about our service users (non-patient/client)?

Based on the data processing reasons outlined above, Dorothy House collects some of the following information:

Basic details: Name, postal / email address, telephone number.

Organisation details: Job title, organisation/employer

Training:  Course feedback comments, video footage, photos, any special needs data for course participants

 

Where do we store service users (non-patient/client) information and for how long?

Service users’ (non-patient/client) information as outlined above is stored on secure databases, hosted at Dorothy House, which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to respect confidentiality.  This information could be kept up to 7 years for HMRC purposes.

 

Sharing personal information about service users (non-patient/client) with third parties

The Education, HR and Estates teams at Dorothy House are responsible for storing service users (non-patient/client) information and will need to share some of this information with third parties as follows:

  • External training facilitators
  • External education system providers (e.g. Moodle)
  • Third party communications services: email marketing, survey providers
  • Email marketing provider: We currently use Mailchimp to manage some of our email marketing. Mailchimp stores its data in the US, although it complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Mailchimp uses personal data for its own purposes. You can read Mailchimp’s privacy information here: https://mailchimp.com/legal/privacy/. We are currently in the process of moving to a UK/EU hosted email marketing provider.


Suppliers

Why do we collect service providers’ information and how do we use it?

At Dorothy House, the lawful basis for the information that we process on our service providers, i.e. contractors and suppliers, is contractual. Processing information under this lawful basis enables us to:

  • Process and pay invoices
  • Contact emergency support providers in times of emergency

 

What personal information do we collect about our service providers, for example contractors/suppliers?

Based on the data processing reasons outlined above, we may collect all or some of the information below to help us ensure the best relationship with our service providers:

Basic details: Name, postal / email address, telephone number.

Organisation details: Job title(s), organisation/employer, bank account details, completed new supplier form.

 

Where do we store service providers’ information and for how long?

Service providers’ information as outlined above is stored on secure databases, hosted at Dorothy House, which only Dorothy House employees and volunteers with a username and password can access. Staff receive training so that they are aware of their professional responsibility to respect confidentiality. This information could be kept for up to 7 years for HMRC purposes.

 

Sharing personal information about service providers (contractors/suppliers) with third parties

As you are a valued service provider to DH, we would look to share your details and include you in our communications, as we feel there is a legitimate interest, unless you request otherwise.


Website Users

Why do we collect website users’ information and how do we use it?

At Dorothy House there are lawful bases for the information that we process on those who use our website.  This includes, but is not limited to, those who access information, update their contact preferences, book places on our events, make donations and shop for our goods.

One lawful basis for the collection of personal information from website use is that of “contract”, so that we can do the following:

  • Send engagement packs to those who register for events and activities via the website
  • Deliver goods ordered through the Dorothy House website, administered by Shopify

Specifically, we ask for your “consent” before we process personal information to help us do the following:

  • Send digital newsletters to those who have requested a digital format via the website

We do process some personal data with regards to our website on the lawful basis of “legitimate interest” so that we can do the following:

  • Analyse website traffic via Google

Processing information on the basis of legitimate interest means that DH deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)

 

What personal information do we collect about our website users?

Based on the data processing reasons outlined above, the information below may be collected depending on a user’s reasons for accessing the website:

Basic details (e.g. for event registration / buying goods / engagement packs / responding to information requests): Name, postal / email address, telephone number.

Other: Details of purchases through Shopify, payment details, IP addresses and cookies.

 

Where do we store website users’ information and for how long?

If you are buying goods, information collected from your use of our website may be collected and stored by Shopify. Payments are processed via Dublin and this is covered by the EU-US Privacy Shield Framework.  This organisation in turn shares back with us the data collected on our behalf, so that we can run our retail services.

Shopify retains all data records for the entirety of Dorothy House’s contractual relationship with Shopify. If you do not wish Shopify to keep your information, please visit https://www.shopify.com/legal/privacy and see specifically point 14, “Control over and access to your personal information”.

If you are registering for an event or making an online donation, your data is held on a database hosted at Dorothy House. It is used alongside a fundraising and email marketing toolset, which captures and stores online events registrations and donations for us. Payments are processed via the US and this is covered by the EU-US Privacy Shield Framework.

We retain all donation records for a minimum of 7 years to comply with HMRC and audit requirements.  There are important organisational reasons for retaining fundraising donors’ information longer than this, for example legacy records and statistical monitoring.  If you do not wish us to keep your information longer than 7 years, please contact us.

We retain all Google Analytics website data for 50 months. If you do not wish us to keep your information for this length of time, please see the section on ‘How do I prevent being tracked by Google Analytics?’

 

We use cookies to help us serve you the right information

A small computer file known as a ‘cookie’ is placed on your computer when you use the Dorothy House website. It means that our system can learn from the content you view what content may be useful to you.

How we use cookies

Dorothy House may use cookies to:

  • Store your preference information – the website can then curate more relevant information specifically for you.
  • Analyse the website traffic using Google Analytics – this cumulative data supports our goal of constant development to improve the overall user experience of the website.
  • Recognise returning traffic to our website – we may, therefore, display relevant content specifically to you or present previously used functionality.
  • Identify if you are signed in to the website.

However, please be assured that cookies do not allow us to access your computer or present any information about you, other than that which you choose to share via your search engine browser preferences.

Site cookies

This site uses Google Analytics and so the following cookies are in use:

Cookie Name: _ga Use: This cookie is used by Google Analytics, a third party application (provided by Google) that we use to understand how visitors use our site. You can learn more about this cookie and what Google has to say about it, and others, by logging on to:

https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage

Cookie Name: notice Use: This cookie is used to remember whether or not you have closed the notice which appears at the top of your browser to inform you of the use of cookies on this site. Once set, it is saved on your computer for 45 days or until you delete your cookies.

Cookie Name: PHPSESSID Use: This cookie is used to distinguish you from other users of the site. It is deleted as soon as you leave our website.

We also use social media platforms such as Facebook and Twitter. Companies like these use cookies within their systems which may, depending on your privacy settings, allow us to access some information from your accounts.

You have the right to object to this tracking and to stop it happening.

 

How do I prevent being tracked by Google Analytics?

If you are uncomfortable with this tracking, you can take the following actions:

Use a tracking-blocker, such as Privacy Badger

 

Your rights re: Google Analytics

If you already have GA cookies, they will be updated with the latest information about your visit to the site. As we cannot access any personal data about you ourselves, we are not the Data Controller for your Google Analytics. You would need to contact Google directly for this information.

 

Controlling cookies

All web browsers have cookie settings. These will determine how our website uses these cookies. If you choose not to allow our website to store cookies on your device or computer, you will need to amend your web browser settings to refuse cookies. Please be aware that making these changes could affect the functionality of our website for you. For example, certain pages and services may appear unavailable to you. Our website issues cookies when you visit unless you change your web browser settings to refuse cookies.

 

Sharing personal information about website users with third parties

Dorothy House will never sell personal data to any third party.

We do share your data with organisations that work on our behalf or supply us with services that require your data in order to deliver these services. Companies that we work with include:

  • E-commerce organisations (e.g. Shopify)
  • Email marketing service: We currently use Mailchimp to manage some of our requested email marketing and crucial information dissemination. Mailchimp stores its data in the US, although it complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework. Mailchimp uses personal data for its own purposes. You can read Mailchimp’s privacy information here: https://mailchimp.com/legal/privacy/. We are currently in the process of moving to a UK/EU hosted email marketing provider.


Your Rights
Sharing Records

Like a lot of the NHS, we use an electronic patient record system called SystmOne. If you decide to take up any offer of our support, for administrative and professional practice purposes we will need to record and store a certain amount of personal information about you on this database. This will include your name, address, date of birth, GP and consultations with professionals. We’re a multi-disciplinary team so all staff involved in your care need to have access to your records in order to provide co-ordinated and appropriate care and support.

If you are receiving support from us and any of your healthcare professionals, i.e. district nurses, GP practice and other health and social care staff, also use SystmOne as their clinical database system, we encourage full sharing of clinical information.

Any personally identifiable information Dorothy House records about you will only be shared with your permission. It will only be shared with relevant hospital teams or other health and social care staff involved in your care. We will always try to talk to you first if we need to share sensitive information.

If you would prefer us never to share any information with other health and social care professionals, please let us know and we will record and abide by this wish. It is only in exceptional circumstances that we are required by law to share your information without your permission, but this is a rare scenario, e.g. if there is a need to protect an individual from serious harm, or a crime has been committed.

The Data Protection Act (1998) gives you the right to see your records. For more information, see the Information Commissioner’s Office website.

 

Monitoring our standard of care

The Care Quality Commission, which has a legal duty to monitor the standard of the care we provide, asks that we give them the contact details of patients referred to us and of their carer/close family member, so that they are able, prior to or following an inspection visit, to contact you to discuss the care you or your relative have received. If you do not wish us to provide them with this, please inform us by calling our Clinical Coordination Centre on 0345 0130 555 (Monday-Friday, 8-6pm; Saturday-Sunday 9am-5pm) or by emailing dhhc.dorothyhouse-referrals@nhs.net

 

NHS Data Management

In order to receive our proportion of NHS funding we are required to provide a limited amount of personal data to the Clinical Commissioning Groups (CCG) with whom we have a contract via the Commissioning Support Unit. Anonymised data is also used for audit and service improvement projects as we continually strive to improve and develop our services. If you have any questions relating to this please do contact us for more information – clinical.informatics@dorothyhouse-hospice.org.uk or call: 01225 722 988