Privacy

We are committed to protecting all personal information and being transparent about what we do with it.  We use your personal information in accordance with all applicable laws concerning the protection of personal data and we will not do anything with your information you wouldn’t reasonably expect.

Listed in this section is a set of privacy statements which provide more detail as to how we process your personal data, depending on your relationship with us.

Each privacy statement outlines why, how, what, where and for how long Dorothy House processes (collects and uses) your personal data, including details of any sharing of data with third parties.

General Data Protection Regulation (GDPR), introduced in May 2018, provides six lawful bases under which personal information can be processed and we have highlighted in each privacy statement which lawful bases apply.  In particular, we have highlighted where data is collected and used on the basis of “legitimate interest”. This means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis.

Dorothy House is registered as a Data Controller with the Information Commissioner’s Office (ICO) and our ICO registration number is Z7289749. Our Data Protection Lead is Tony De Jaeger, who is our Deputy Chief Executive and Finance Director. Our Caldicott Guardian is Rebecca Bhatia, Medical Consultant.

If you have a general query about data protection or would like to make a Subject Access Request as outlined in the ‘Your Rights’ section, please contact info.governance@dorothyhouse-hospice.org.uk
or call 01225 722 988.

If you are not happy with the way we have handled your data, and are unable to resolve the issue with us personally, you can complain to the ICO: https://ico.org.uk/make-a-complaint/

The privacy statements may be updated from time to time and we will alert you to any significant changes on the pages of this website.

The latest version will always be available here. (Updated November 2021)

Patients, families and carers

Why do we collect personal information about patients, families and carers and how do we use it?

Personal information about patients, including information about other health and social care professionals and family and friends involved in providing support and care, is essential in enabling us to provide the care required and to ensure that the needs of patients and their family members and carers (ie close friends) are at the centre of all the care we provide. The lawful basis for collecting and using information to provide care to our patients, families and carers is “public task” ie the information is fundamentally necessary for us to provide our care. The fact that we are providing health and social care permits us to handle sensitive personal data. This lawful basis permits us to:

  • Co-ordinate the care that we offer – both within our Dorothy House team and externally
  • Offer wider Dorothy House support to a patient’s family members, including in bereavement
  • Provide information to the NHS and other commissioners with whom we hold service contracts
  • Audit, evaluate and develop our services.

Different levels of information are held depending on the extent of Dorothy House input.

 

What personal information do we collect about our patients, families and carers?

Based on the data processing reasons outlined above, we may collect all or some of the types of information below to help us provide the best care possible:

Basic details including name, postal/email address, telephone number, date of birth/death.

Demographic, equality and diversity data

Medical information including NHS number, detailed medical records, prescribed medications; investigation results and information from other professionals involved in care, patient/client service activity.

Other information includes personal and social history and documentation of consultations. Interactions with family members/carers are usually recorded within the patient’s record, but if a family member or carer is receiving more involved support from Dorothy House then a record will be created in their own right as a ‘client’ record – we will ensure that they are aware of this.

Some people will only attend group sessions, using our ‘Open Access’, but we are still providing a health and social care service.  We therefore create a record for each person who attends one of our groups and we will update this with attendances and any relevant clinical notes.

 

Where do we store patient, family and carer’s information and for how long?

Patient and ‘client’ data is stored on our electronic patient record system called SystmOne. This is a secure clinical database used by many other health and social care providers including GPs in our area. SystmOne data is hosted off-site within the European Economic Area (EEA) which gives a high level of security as all data processed within the EEA is covered by the General Data Protection Regulations.

Under current data protection legislation, all organisations involved in a patient’s care have a duty to ensure that information held about them is accurate, up to date and kept secure at all times. Access to records can be audited and can always be traced back because users log in using unique identifiers and secure access methods.

Currently, SystmOne is not able either to archive or delete patient records as it is a system shared across many health and social care organisations. However, when a record of a patient who has died or has been discharged is accessed after 52 weeks from date of death or discharge, a reason must be provided and the system tracks access to these records.

Access within the Dorothy House team is on a need-to-know basis. Where volunteers are providing care and support they are regarded as part of the Dorothy House team. All staff and volunteers with access to confidential personal information receive information governance training.

 

Using cameras or other recording equipment during treatment and care

At Dorothy House Hospice Care (Dorothy House) we promote the open and honest recording of consultations or conversations with healthcare professionals.

Where this is done with everybody’s agreement, we believe this benefits the patient and the healthcare professional by:

  • enabling patients to remember important advice, particularly where there are language barriers
  • providing a copy of the consultations when patients may have been distressed
  • giving patients more time to process information
  • helping patients and their family members where patients may be experiencing memory loss or have some cognitive impairment
  • including patients’ family members in their care and decision making
  • helping patients to remember if the information is particularly complex.
  • helping to set family member’s mind at ease about the care received or even help identify poor care or abuse.

To achieve this, we will work with you to ensure that:

  • any recording is done openly and honestly with the express permission of the patient
  • the recording process itself does not interfere with the consultation process or the treatment or care being administered
  • the patient understands that a note will be made in their health record stating that they have recorded the consultation or care being provided
  • the patient is reminded of the private and confidential nature of the recording and that it is their responsibility to keep it safe and secure
  • any recording is only made for personal use
  • you are aware that the misuse of a recording may result in criminal or civil proceedings
  • you understand that the patient is entitled to see their notes
  • we can consider providing the patient with a written record summary, and or a verbatim record (if practical) of their consultation for their own personal use if this is helpful.

We are aware that patients and families may be considering covertly recording a consultation. Using a hidden camera or other recording equipment is a big decision. It can affect people’s privacy and dignity. And it can have legal consequences as well. It may also be interpreted as a sign that trust is lacking or that the patient may be considering a complaint or legal action.

 

Both legally, and as a matter of courtesy, you should seek the health professionals’ agreement before recording a consultation/treatment. We strongly discourage covert recording.

 

If you are worried about yours or somebody’s treatment and/or care, you should first raise these concerns with us. We take proactive steps to investigate and address any issues regarding your treatment and care. You can do this by using our complaints procedure.

You can also raise concerns with the Care Quality Commission (CQC). They have very helpful guidance on this subject. Using cameras or other recording equipment to check somebody’s care.  

It is important to note that the CQC state that an organisation should not ever refuse to treat someone or care for them properly because recording equipment or similar technology is being used.

 

Sharing personal information about patients and clients with third parties

Dorothy House works as part of a health and social care system in our community.  To provide the safest, highest quality, most integrated patient and client care we can, sharing of health and social care information is encouraged, whilst confidentiality is prioritised. We believe that you would expect us to share relevant health and social care information with other services/organisations involved in your care, or those who you have agreed should become involved and you will inform us if you do not wish for this to happen. We do not generally share information about clients, or those who only attend our ‘Open Access’ groups, but for patients, we would anticipate sharing information with; as part of your care are

  • Community care professionals eg GPs, District Nurses, multi-disciplinary teams, Specialist Nurses, Community Matrons
  • Hospitals
  • Public/private health and social care providers.

Although we would always aim to share only the minimum information required, when sharing is via SystmOne, this is not always technically possible. However, we can ensure that individual elements of information are not shared, so please tell us if there are particular areas that you wish to remain confidential. Patients do have the right to totally opt out of Dorothy House sharing their electronic patient record with other health and social care providers.

Very rarely we may be required to share confidential personal information without consent if we are required to do so by statutory law, such as with safeguarding concerns.

We are required to share information for commissioning, service planning and regulatory purposes with

  • Clinical commissioners of local services
  • Care Quality Commission and other regulatory bodies.

We will ask, specifically, for your consent (lawful basis) if personal data is to be used if:

  • Referring our patients/clients on to other service providers (non-health/social care)
  • Requested by solicitors or insurance companies.

In order for us to raise awareness of our work it is extremely useful to be able to use stories and photographs/video of our patients and their families.  We will only ever do this with your specific consent (lawful basis).

[Updated December 2021]

Links & Downloads

Employees

Why do we collect personal information about staff and how do we use it?

As an employer there are lawful bases for the personal information that we collect about our staff, agency staff, our contracted consultants and those with an honorary contract such as those with medical placements. We have used the collective term “staff” for the purpose of this privacy statement.

Using personal information helps us provide the best support to our workforce, to ensure their health and safety and to make for a better employee experience.

The main lawful basis (legal reason) for collecting and using this personal information is because we hold a contract with that individual.  Processing information under this legal basis enables us to:

  • Recruit the right staff to Dorothy House
  • Pay staff
  • Develop and train staff
  • Administer pensions
  • Ensure health and safety of staff
  • Manage the organisation (for example staff rotas and availability, maintenance requests, IT helpdesk requests, use of intranet/Dot2Dot and library)
  • Analyse Dot2Dot use through OAK reporting (Intranet provider) facility
  • Use photographs for security purposes.

 

We also process the personal data of staff to meet our legal obligations as an employer, including to:

  • Meet immigration law obligations
  • Meet medical registration obligations
  • Keep staff safe using, for example, risk assessments or health and safety reports
  • Where appropriate, processing DBS checks to keep safe everyone who comes into contact with Dorothy House
  • Modify working conditions according to staff health conditions
  • Paying tax and National Insurance contributions to HMRC.

 

We also collect and use some personal information regarding staff on the lawful basis of “legitimate interest” so that we can:

  • Alert nominated emergency contacts for staff members if there are concerns for the health and safety of that staff member
  • Monitor demographic, equality and diversity data to evidence fair recruitment and staffing
  • Use staff photographs on Outlook and internal software for the purpose of staff identification and for presentations and publicity.
  • Use CCTV cameras in the controlled drug room on the Inpatient Unit for safety and security purposes, as detailed in the CCTV privacy notice.

Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. (See Your Rights section below)

 

What personal information do we collect about our staff?

Based on the data processing reasons outlined above, we may collect some or all of the following information (this list is not exhaustive):

Basic details including name, postal/email address, telephone number, date of birth and emergency contact details

Demographic, equality and diversity data

Terms of employment information including letters of offer, employment contract, place of work, references, ID information

Skills and experience information including CVs, records of qualifications, training and professional membership/registration.

Financial information so that we can pay you including bank details, National Insurance documentation and social security numbers, where applicable

Identification information including photos, car driver information, copies of birth certificate/driving licence, CCTV footage where an employee has restricted access to the controlled drugs room on Inpatient Unit

Employment process information including absence from work and any disciplinary issues

Performance records such as appraisals and one-to-one’s

Personal health information such as occupational health advice or health and safety reports

Information on use of DH electronic devices including Dorothy House intranet, email data and back-up from Dorothy House servers, building access, printing history.

 

Where do we store personal staff information and for how long?

Staff information as outlined above is primarily stored on a secure Human Resources database managed by Dorothy House. For some functions it may be necessary to hold basic contact details on other internally-managed databases whereby the data can be stored off-site with the relevant software provider, for example training records, maintenance requests, printing history, library use, IT helpdesk.

All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to maintain confidentiality.

Some working documentation, such as personal development reviews, performance monitoring and one-to-one’s will be kept securely within the Dorothy House network.  Currently the HR department also securely holds hard copy files within the department.

Staff record retention policy is for seven years after employment ceases unless exceptional circumstances apply.

 

Sharing personal information about staff

Dorothy House may need to share some of the information we hold on staff with:

  • Statutory organisations such as HMRC, Child Support Agency, local authorities (for attachment of earnings), student loans
  • Third-party communications services such as mailing houses, email marketers, survey providers, event booking systems
  • External education system providers (eg Moodle, Training Tracker)
  • Other external organisations such as credit card companies, pension companies (including NHS Pensions)

(UPDATED NOVEMBER 2021)

Links & Downloads

Trustees and Volunteers Privacy Statement 

Why do we collect personal information about volunteers? 

We collect and process personal data about our volunteers in order to facilitate their volunteer role and for volunteer-related purposes (e.g. volunteer welfare, equal opportunities monitoring, administrative purposes, financial, regulatory, business development and for information strategy). Being a trustee is a distinct type of volunteering, and has additional data protection implications. 

All volunteers should be familiar with this statement, which should be read in conjunction with the information governance handbook and information security policy. 

What personal information do we collect about volunteers? 

  • Contact details such as: name, title, addresses, telephone numbers, mobile phone numbers and personal email addresses; 
  • Date of Birth; 
  • Gender; 
  • Next of kin and emergency contact information; 
  • Bank account details (when necessary) for example, to reimburse expenses; 
  • Copy of driving licence, passports and visas (when necessary); 
  • Recruitment information (including references and any other information enclosed in a CV or disclosed in the application process); 
  • Recording information to support volunteering 
  • Case studies, biographies, testimonies, quotes or opinions about volunteering; 
  • Information about your use of our information and communication systems; 
  • Photographs, video and audio footage; 
  • Information gathered from social media sources in the public domain eg Facebook. 
  • Volunteer satisfaction information. 
  • CCTV footage (if volunteer role determines) 

We may collect, store and use the following sensitive information or “special categories” of personal data about you: 

  • Information about your ethnicity, disability, sexual orientation, gender reassignment, and religious beliefs 
  • Information about your health including any dietary requirements; 
  • Information about criminal convictions and offences (unspent if non-patient facing) 
  • Information required and related to ID/Disclosure and Barring Service (DBS) checks or any other background checks associated with vulnerable individuals if role appropriate. 

How do we collect your information? 

We collect personal data about volunteers through the volunteer/trustee management and recruitment process. We may sometimes collect additional information from third parties including former or current employers (e.g. referees or occupational health providers or background check agencies for example DBS) 

On what basis do we collect store and use (process) your information? 

We will only process personal data about our volunteers for the relevant purposes (when the law permits us to): 

  • if the processing is necessary for: 

Updated June 2022 

  • the performance of the Volunteer Promise agreement we have entered with you (this does not amount to a contract of employment); or your trustee appointment 
  • our (or a third party’s) legitimate interests in particular:
    – to administer our relationship with you;
    – to build a picture of your skills, experience and interests in order to assess your suitability for volunteering projects; 
  • the protection of your vital interests (e.g. in a ‘life or death’ scenario); 
  • compliance with a legal obligation, or 
  • with your consent.

Where we process your personal data for our legitimate interests, we will make sure that we consider and balance any potential impact on you (both positive and negative), and your rights under data protection laws. You have the right to object to this processing, and if you wish to do so, then please contact us at info.governance@dorothyhouse-hospice.org.uk 

We will only process special categories of personal data with your explicit consent, or if there are other grounds for doing so, including (but not limited to) the processing being: 

  • necessary to carry out obligations or exercise rights regarding volunteering (for example, processing medical or health information to assess your suitability for volunteering with us and for being involved on specific projects and in order to accommodate you in a voluntary role); 
  • necessary to protect your vital interests (or someone else’s interests); 
  • necessary to comply with a legal obligation (for example, to protect vulnerable individuals or for insurance purposes); 
  • in relation to personal data which you have made public; or 
  • necessary for bringing, defending or conducting a legal claim. 

We will take even greater care of this type of data as collecting and using it could create significant risks to the individual’s fundamental rights and freedoms or open someone up to discrimination. 

Information about Criminal Convictions 

This will usually be where such processing is necessary to carry out our obligations. 

Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims; where it is necessary to protect your interests (or someone else’s interests) and you are not capable of giving your consent; or where you have already made the information public. 

Where appropriate we will collect this information as part of the recruitment process or we may be notified of such information directly by you in the course of your voluntary work. 

Volunteer Communications 

There is certain information which DH is required to send volunteers to support and facilitate their voluntary role and any related activities. Volunteers can expect to receive this communication via the Assemble message centre or News Hub, by email, or post. 

If you are a volunteer and a supporter of Dorothy House, this does not affect your data protection rights as a supporter or the marketing preferences that you provided. If you have chosen not to receive marketing communications as a supporter, Dorothy House will continue to respect your preferences. Updated June 2022 

Who has access to volunteer data? 

Certain personal data about our volunteers will be made available to other DH employees, and volunteers which is limited to those who have access to volunteer information. We may publish limited personal data for example, case studies/testimonies/quotes and photographs which may be featured on our internal or external publications, e.g. our volunteer brochure. 

Some content, including personal data, may also be held on other systems. Where appropriate, access to sensitive information is restricted only to those who have a legitimate business reason to see it. 

On occasion we may be required to share your personal data with third parties, please see below. 

Who do we share your data with? 

Dorothy House may be required to share personal data (including, special categories of personal data) with third parties. For example, we may share information with: 

  • occupational health providers for undertaking necessary health checks; 
  • third party service providers (for example, those who carry out background checks for safeguarding purposes or driving licence checks); 
  • Governmental and regulatory bodies (including the police, DBS, Care Quality Commission, and in the case of trustees, the Charity Commission, Companies House, HMRC) 
  • Professional advisers (such as lawyers, accountants, auditors, health advisors and insurance brokers); 
  • Trusted suppliers and service providers who will process information on our behalf for administrative purposes; 
  • Trusted partners or organisations when necessary, for example if you are volunteering for a joint project with another organisation, we may need to share your personal data with it. 

We will only share personal data with third parties if adequate security measures are taken and your rights are respected. We will never sell your personal data to anyone. 

How do we store your data and for how long? 

We only store information within the European Economic Area (EEA). If our trusted service providers (e.g. software providers like Microsoft) transfer any data outside of the EEA we will take steps to make sure adequate levels of privacy protection, in line with the General Data Protection Regulation and associated legislation, are in place. 

We will only retain your personal data for as long as necessary to fulfil the purpose we collected it for, including the purposes of satisfying any legal, accounting or reporting requirements. We will process personal data on volunteers for the duration of their voluntary work with DH. When a volunteer leaves DH, we will continue to retain data for as long as is necessary, seven years, routinely. 

We continually review what information we hold and delete what we no longer required. Certain special categories of personal data on volunteers will be retained, and in some cases this personal data may be kept for very long periods of time. For example, we may retain information relating to health (e.g. if you have an accident whilst volunteering, in case of a future insurance claim). Updated June 2022 

If you are suspected or convicted of a criminal offence, we may retain information from our own records, and also other publicly available sources. We do this because it is necessary to do so: 

  •  in case it is required to bring, defend or conduct a legal claim; 
  •  to assist in the detection or prevention of crime; and 
  •  to protect the interests of the general public. 

If you have any questions about this privacy statement please contact: Juliette Morgan, Head of Governance at info.governance@dorothyhouse-hospice.org.uk or Volunteer Services. 

Links & Downloads

Job Applicants and Referees

Why do we collect personal information about job applicants and referees and how do we use it?

As an employer, there are lawful bases for the personal information that we collect on our job applicants and referees.

Job applicants’ and referees’ data can also help us to support our workforce better and make for a better recruitment experience.  A significant lawful basis (legal reason) for collecting and using certain personal information about job applicants is that of “legal obligation”.  In other words, we have to collect this information to comply with the law. Processing information under this lawful basis enables us to:

  • Meet immigration law obligations
  • Verify the job applicant’s right to work

We also collect and use information about job applicants under the lawful basis of “contract” with a view to entering a contract with that individual as an employee. Processing information under this legal basis enables us to:

  • Recruit the right staff to Dorothy House, understanding, for example, their skills, job history and background

We process some personal information on job applicants on the lawful basis of “legitimate interest” so that we can:

  • Monitor demographic, equality and diversity data to evidence fair recruitment

Processing information on the basis of “legitimate interest” means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis (see Your Rights section below).

 

What personal information do we collect about job applicants and referees?

Based on the data processing reasons outlined above, we may collect all or some of the information below to help us ensure the best recruitment process (this list is not exhaustive):

Basic details: Name, postal/email address, telephone number, date of birth.

Demographic, equality and diversity data (this information is collected anonymously and separately from a job application form)

Job application information including references and contact details of referees.
NB: DBS checks take place once applications have been successful

Skills and experience information including CVs, records of qualifications, education, training and professional membership/registration

Identification information including photos, car driver information, copies of birth certificate/driving licence.

 

Where do we store personal job applicants and referees information and for how long?

Job applicant’s and referee’s personal information is stored on a secure database managed by Dorothy House. All databases are username and password protected and staff receive training so that they are aware of their professional responsibility to maintain confidentiality.

If job applicants are unsuccessful in their application, their application details are kept on file by Dorothy House for six months and then deleted unless prior agreement has been obtained. Copies of official documentation are shredded immediately after an unsuccessful interview.

Successful job applicants’ personal information is retained – please see Employee Privacy Statement.

 

Sharing personal information about job applicants

Information on job applicants and referees will be shared internally with Dorothy House teams and line managers in order to make the best recruitment decisions.

Links & Downloads

Fundraising donors

Why do we collect personal information about fundraising donors and how do we use it?

As a charity, there are lawful bases for the personal information that we collect on our fundraising donors.

Developing good relationships with donors is essential to successful and rewarding fundraising.  By creating and maintaining up-to-date profiles of donors we can build and maintain those good relationships and contact you in the most appropriate way, promoting fundraising and event opportunities of interest.

Unless there is a clear and valid reason for doing so, we do not collect sensitive personal information about our donors.

A significant lawful basis (legal reason) for collecting and using certain personal information about fundraising donors is that of “legal obligation”.  In other words, we have to collect this information to comply with the law.  Processing information under this lawful basis enables us to:

  • Record and monitor income both for internal audit and HMRC
  • Administer probate process and audit trail for legacies
  • Set up standing orders
  • Record Gift Aid status
  • Process legacies.

We also collect some of the personal data on the lawful basis of “legitimate interest” so that we can:

  • Generate publicity such as sharing group photos/videos from events
  • Conduct appropriate postal marketing to all fundraising channels (trusts, individuals, corporates)
  • Make appropriate trust applications for grants
  • Seek support by approaching potential corporate supporters.

Processing information on the basis of “legitimate interest” means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis. See Your Rights section.

We will keep in touch with you by post to tell you about other ways you can fundraise or support us.  We do this on the basis of “legitimate interest”.  If you don’t want to hear from us in this way, then please let us know by visiting our webpage https://www.dorothyhouse.org.uk/staying-in-touch-with-you/, by phoning 01225 721480 or by emailing preferences@dorothyhouse-hospice.org.uk

If you sign up to receive our on-line newsletter, or to keep in touch with how to support us by email, we do this on the basis of “consent”.  You can withdraw your consent any time by visiting our webpage Click here to share your preferences, by phoning 01225 721 480 or by emailing: preferences@dorothyhouse-hospice.org.uk

 

What personal information do we collect about our fundraising donors?

Based on the data processing reasons outlined above, we may collect all or some of the information for individuals and organisations (this list is not exhaustive):

Basic details including names, addresses and other contact details for individuals, legators, executors, Trusts and corporates

Donation information: Donation amounts and dates linked to donors, for all donations, including bank account details, if appropriate, Gift Aid declarations

Other: Donor relationship records, event participation registration and information supplied, photographs and video of event participants.

 

Where do we store personal fundraising donor information and for how long?

All fundraising donors’ personal information as outlined above is stored on a secure database, which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to maintain confidentiality.

Your data is held on a database hosted at Dorothy House. It is used alongside a fundraising and email marketing toolset, which stores and captures online events registration and donations for us. We also use two event booking platforms, currently Eventbrite and Enthuse, to handle event registration information and ticket purchases on our behalf. Payments made through either of these systems are processed via the US and this is covered by the EU-US Privacy Shield Framework.

We retain all donation records for a minimum of seven years to comply with HMRC and audit requirements.  There are important organisational reasons for retaining fundraising donors’ information longer than this, for example legacy records and statistical monitoring.  If you do not wish us to keep your information longer than seven years, please contact us.

 

Sharing personal information about fundraising donors with third parties

The Fundraising department is responsible for storing fundraising donors’ information and will need to share some of this information with third parties as follows:

HMRC for Gift Aid purposes

Dorothy House’s bank for standing orders

Third-party communications services such as mailing houses, bulk email service providers, survey providers and event booking systems

Email marketing provider: We currently use Mailchimp to manage some of our email marketing. Mailchimp stores its data in the US, although it complies with the EU-US Privacy Shield Framework and the Swiss – US Privacy Shield Framework.  Mailchimp uses personal data for its own purposes.  You can read Mailchimp’s privacy information by clicking here.  We are currently in the process of moving to a UK/EU hosted email marketing provider.

From time to time we may use trusted third parties to assist in ensuring our donors receive the most appropriate communications from us.  When we use a third party in this way we require their assurance that data is handled in line with our policies.

We don’t use any external provider to undertake any wealth screening and we will not use any external provider for telephone marketing.

In turn, Partner organisations share data with us, for example:

  • Event organisers eg Marathon companies, Challenge companies
  • Event booking platforms eg Eventbrite
  • Online giving organisations eg JustGiving, Virgin Giving, Facebook Donate, LocalGiving, or when you donate using QR codes
  • Local Hospice Lottery
  • Funeral directors.

Links & Downloads

Retail Donors and Shoppers

Why do we collect personal retail donor and shopper information and how do we use it?

As a charity, there are various lawful bases for the personal information that we process on our retail donors and shoppers.

A lawful basis (legal reason) for collecting and using certain personal information about retail donors and shoppers is that of “legal obligation”.  In other words, we have to collect and use this information to comply with the law.

Processing information under this basis enables us to submit Gift Aid claims to HMRC to write to donors regarding donation amounts for their HMRC compliance. We are also legally obliged to collect contact information so that we can provide refunds.

Dorothy House also collects contact information on retail donors for the purpose of appropriate postal marketing.  We process this personal data on the lawful basis of “legitimate interest”.

Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis (see Your Rights section below).

 

What personal information do we collect about our retail donors?

Based on the data processing reasons outlined above, Dorothy House collects all or some of the following information, primarily for those who have signed up to Gift Aid:

Basic details: Name, postal/email address, telephone number

Retail information: Gift Aid declaration, retail sales data

 

Where do we store personal retail donor information and for how long?

Retail donors’ personal information as outlined above is stored on a secure database hosted at Dorothy House and which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to uphold confidentiality.

We retain all donation records for a minimum of seven years to comply with HMRC and audit requirements.  There are important organisational reasons for retaining retail donors’ information longer than this, for example legacy records and statistical monitoring.  If you do not wish us to keep your information longer than seven years, please contact us.

 

Sharing personal information about retail donors with third parties

Dorothy House is responsible for storing retail donors’ information and will need to share some of this information with third parties as follows:

  • HMRC for Gift Aid purposes
  • Third-party communications services such as mailing houses, bulk email service providers.

Links & Downloads

Customers

Why do we collect service user’s (non-patient/client) information and how do we use it?

At Dorothy House, there are lawful bases for the information that we process on those who hire or use our non-patient/client services. This includes, but is not limited to, those who attend our training courses, hire our facilities, hire us for DBS checking, use our library or hire us for another non-clinical service.

As an education and service provider, the main lawful basis (legal reason) for collecting and using personal information on training course attendees is because we hold a contract with these individuals. Processing information on this basis enables us to:

  • Deliver, administer and invoice for our courses
  • Video and record our courses to play back to attendees, which is an integral part of delivering some of our courses.

Our library users and those hiring our facilities also enter into a “contract” with Dorothy House, giving us the lawful basis to process personal information, such as contact details, so that we can administer these services.

Dorothy House will ask, specifically, for “consent” if personal data for our service users (non-patient/client) is to be used for:

  • Email marketing, for example of new training courses
  • Ensuring adequate facilities to accommodate any special needs
  • Marketing and publicity of future courses through the use of photos, videos and quotes.

 

What personal information do we collect about our service users (non-patient/client)?

Based on the data processing reasons outlined above, Dorothy House collects some of the following information:

Basic details: Name, postal/email address, telephone number

Organisation details: Job title, organisation/employer

Training:  Course feedback comments, video footage, photos, any special needs data for course participants.

 

Where do we store service users (non-patient/client) information and for how long?

Service user’s (non-patient/client) information as outlined above is stored on secure databases, hosted at Dorothy House, which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to uphold confidentiality.  This information could be kept up to seven years for HMRC purposes.

 

Sharing personal information about service users (non-patient/client) with third parties

The Education, HR and Estates Teams at Dorothy House are responsible for storing service users (non-patient/client) information and will need to share some of this information with third parties as follows:

  • External training facilitators
  • External education system providers eg Moodle
  • Third-party communications services such as email marketing, survey providers
  • Email marketing provider: We currently use Mailchimp to manage some of our email marketing.  Mailchimp stores its data in the US, although it complies with the EU-US Privacy Shield Framework and the Swiss – US Privacy Shield Framework.  Mailchimp uses personal data for its own purposes.  You can read Mailchimp’s privacy information by clicking here.  We are currently in the process of moving to a UK/EU hosted email marketing provider.

Links & Downloads

Suppliers

Why do we collect service providers’ information and how do we use it?

At Dorothy House, the lawful basis for the information that we process on our service providers — contractors and suppliers — is contractual.  Processing information under this lawful basis enables us to:

  • Process and pay invoices
  • Contact emergency support providers in times of emergency.

 

What personal information do we collect about our service providers, for example contractors/suppliers?

Based on the data processing reasons outlined above, we may collect all or some of the information below to help us ensure the best relationship with our service providers:

Basic details: Name, postal/email address, telephone number

Organisation details: Job title(s), organisation/employer, bank account details, completed new supplier form.

 

Where do we store service providers’ information and for how long?

Service providers’ information as outlined above is stored on secure databases, hosted at Dorothy House, which only Dorothy House employees and volunteers with a username and password can access.  Staff receive training so that they are aware of their professional responsibility to uphold confidentiality.  This information could be kept up to seven years for HMRC purposes.

 

Sharing personal information about service providers (contractors/suppliers) with third parties

As valued service providers to Dorothy House we would look to share your details and include you in our communications as we feel there is legitimate interest, unless you request otherwise.

Links & Downloads

Website Users

Why do we collect website users’ information and how do we use it?

At Dorothy House there are lawful bases for the information that we process on those who use our website.  This includes, but is not limited to, those who access information, update their contact preferences, book places on our events, make donations and shop for our goods.

One lawful basis for the collection of personal information from website use is that of “contract” so that we can:

  • Send engagement packs to those who register for events and activities via the website
  • Deliver goods ordered through the Dorothy House website, administered by Shopify.

Specifically, we ask for your “consent” before we process personal information to help us:

  • Send digital newsletters to those who have requested a digital format via the website.

We do process some personal data with regards to our website on the lawful basis of “legitimate interest” so that we can:

  • Analyse website traffic via Google.

Processing information on the basis of legitimate interest means that Dorothy House deems it necessary and appropriate to collect this information for reasons that do not require your consent. However, you can object to data processing on this basis (see Your Rights section below).

 

What personal information do we collect about our website users?

Based on the data processing reasons outlined above, the information below may be collected depending on a user’s reasons for accessing the website:

Basic details (eg for event registration, buying good, engagement packs and responding to information requests): Name, postal/email address, telephone number

Other: Details of purchases through Shopify, payment details, IP addresses and cookies.

 

Where do we store website users’ information and for how long?

If you are buying goods, information collected from your use of our website may be collected and stored by Shopify. Payments are processed via Dublin and this is covered by the EU-US Privacy Shield Framework.  This organisation shares with us the data collected on our behalf, so that we can run our retail services.

Shopify retains all data records for the whole of Dorothy House’s contractual relationship with Shopify. If you do not wish Shopify tokeep your information, please visit: https://www.shopify.com/legal/privacy and specifically point 14 V Control over and access to your personal information.

If you are registering for an event or making an online donation, your data is held on a database hosted at Dorothy House. It is used alongside a fundraising and email marketing toolset, which stores and captures on-line events registration and donations for us. Payments are processed via the US and this is covered by the EU-US Privacy Shield Framework.

We retain all donation records for a minimum of seven years to comply with HMRC and audit requirements.  There are important organisational reasons for retaining fundraising donors’ information longer than this, for example legacy records and statistical monitoring.  If you do not wish us to keep your information longer than seven years, please contact us.

We retain all Google Analytics website data for 50 months. If you do not wish us to keep your information for this length of time, please see the section on how to prevent being tracked by Google Analytics.

 

We use cookies to help us serve you the right information

A small computer file known as a “cookie” is placed on your computer when you use the Dorothy House website. It means that our system can learn from the content you view what content may be useful to you.

How we use cookies

Dorothy House may use cookies to:

  • Store your preference information – the website can then curate more relevant information specifically for you
  • Analyse the website traffic using Google Analytics – this cumulative data ensures our goal of constant development to improve the overall user experience of the website
  • Recognise returning traffic to our website – we may therefore, display relevant content specifically, to you or present previously used functionality
  • Identify if you are signed in to the website.

However, please be assured that cookies do not allow us to access your computer or present any information about you, other than what you choose to share via your search engine browser preferences.

Site cookies

This site uses Google Analytics and so the following cookies are in use:

Cookie Name: _ga Use: This cookie is used by Google Analytics, a third-party application (provided by Google) that we use to understand how visitors use our site. You can learn more about this cookie and what Google has to say about it, and others, by logging on to:

https://developers.google.com/analytics/devguides/collection/gajs/cookie-usage

Cookie Name: notice Use: This cookie is used to remember whether or not you have closed the notice which appears at the top of your browser to inform you of the use of cookies on this site. Once set, it is saved on your computer for 45 days or until you delete your cookies.

Cookie Name: PHPSESSID Use: This cookie is used to distinguish you from other users of the site. It is deleted as soon as you leave our website. We also use social media platforms such as Facebook and Twitter. Companies like these use cookies within their systems which may, depending on your privacy settings, allow us to access some information from your accounts.

You have the right to object to this tracking and to stop it happening.

 

How do I prevent being tracked by Google Analytics?

If you are uncomfortable with this tracking, you can take the following actions:

 

Your rights re Google Analytics

If you already have Google Analytics  cookies, they will be updated with the latest information about your visit to the site. As we cannot access any personal data about you ourselves, we are not the Data Controller for your Google Analytics. You would need to contact Google directly for this information.

 

Controlling cookies

All web browsers have cookie settings. This will determine how our website uses these cookies. If you choose not to allow our website to store cookies on your device or computer you will need to amend your web browser settings to refuse cookies. Please be aware that making these changes could affect the functionality of our website for you. For example, certain pages and services may appear unavailable to you. Our website issues cookies when you visit unless you carry out the web browser settings changes to refuse cookies.

 

Sharing personal information about service providers and website users with third parties

Dorothy House will never sell personal data to any third party.

We do share your data with organisations that work on our behalf or supply us with services that require your data in order to deliver these services. Companies that we work with include:

E-Commerce organisations eg Shopify

Email marketing service We currently use Mailchimp to manage some of our requested email marketing and crucial information dissemination. Mailchimp stores its data in the US, although it complies with the EU-US Privacy Shield Framework and the Swiss – US Privacy Shield Framework.  Mailchimp uses personal data for its own purposes.  You can read Mailchimp’s privacy information here: https://mailchimp.com/legal/privacy/ . We are currently in the process of moving to a UK/EU hosted email marketing provider.

Links & Downloads

Your Rights
Sharing personal information

We will never sell personal data. We use databases internally whereby the data is stored off-site with the relevant software provider. In some cases we also share information with third parties such as mailing houses who process information on our behalf including managing events and marketing by  post and email. When we use a third party in this way we require their assurance that data is handled in line with our policies.

The Communications Team at Dorothy House will ask for consent to use photos, videos  or quotes from individuals, for the sole purpose of promoting our services and raising awareness of our work. Publicity channels we use include our website, social media, local/national media, leaflets, exhibition displays and organisational publications.

If you attend one of our events, we might use photographs and video from the events in publicity, via the channels above. If you are not happy about this we will do our best to remove you from photographs/video if you make us aware of your objection before attending.

Sharing Records

Like a lot of the NHS, we use an electronic patient record system called SystmOne. If you decide to take up any offer of our support, for administrative and professional practice purposes we will need to record and store a certain amount of personal information about you on this database. This will include your name, address, date of birth, details of consultations with your GP and other healthcare professionals. We’re a multi-disciplinary team so all staff involved in your care need to have access to your records in order to provide co-ordinated and appropriate care and support.

If you are receiving support from us and if any of your healthcare professionals ie district nurses, GP practice and other health and social care staff — also use SystmOne as their clinical database system, we encourage full sharing of clinical information.

Any personal identifiable information Dorothy House records about you will be shared only with your permission. It will be shared only with relevant hospital teams or other health and social care staff involved in your care. We will always try to talk to you first if we need to share sensitive information.

If you would prefer us never to share any information with other health and social care professionals, please let us know and we will record and abide by this wish. It is only in exceptional circumstances that we are required by the law to share your information, without your permission, for instance, if there is a need to protect an individual from serious harm, or a crime has been committed.

The Data Protection Act (1998) gives you the right to see your records. For more information see the Information Commissioner’s Office website

 

Monitoring our standard of care

The Care Quality Commission, which has a legal duty to monitor the standard of the care we provide, asks that we give them the contact details of patients and their carer/close family member referred to us so that they are able before or following an inspection visit, to contact you to discuss the care a patient or relative has received. If you do not wish us to provide them with this information, please inform us by calling our Clinical Coordination Centre on 0345 0130 555 (Monday-Friday, 8-6pm; Saturday-Sunday 9am-5pm) or dhhc.dorothyhouse-referrals@nhs.net

 

NHS Data Management

In order to receive our proportion of NHS funding we are required to provide a limited amount of personal data to the Clinical Commissioning Groups (CCG) with whom we have a contract via the Commissioning Support Unit. Anonymised data is also used for audit and service improvement projects as we continually strive to improve and develop our services. If you have any questions relating to this please do contact us for more information – clinical.informatics@dorothyhouse-hospice.org.uk or call: 01225 722 988

Using cameras or other recording equipment during treatment

Using cameras or other recording equipment during treatment and care – Information for Patients and Families – November 2021

At Dorothy House Hospice Care (Dorothy House) we promote the open and honest recording of consultations or conversations with healthcare professionals.

Where this is done with everybody’s agreement, we believe this benefits the patient and the healthcare professional by:

  • enabling patients to remember important advice, particularly where there are language barriers
  • providing a copy of the consultations when patients may have been distressed
  • giving patients more time to process information
  • helping patients and their family members where patients may be experiencing memory loss or have some cognitive impairment
  • including patients’ family members in their care and decision making
  • helping patients to remember if the information is particularly complex.
  • helping to set family member’s mind at ease about the care received or even help identify poor care or abuse.

To achieve this, we will work with you to ensure that:

  • any recording is done openly and honestly with the express permission of the patient
  • the recording process itself does not interfere with the consultation process or the treatment or care being administered
  • the patient understands that a note will be made in their health record stating that they have recorded the consultation or care being provided
  • the patient is reminded of the private and confidential nature of the recording and that it is their responsibility to keep it safe and secure
  • any recording is only made for personal use
  • you are aware that the misuse of a recording may result in criminal or civil proceedings
  • you understand that the patient is entitled to see their notes
  • we can consider providing the patient with a written record summary, and or a verbatim record (if practical) of their consultation for their own personal use if this is helpful.

We are aware that patients and families may be considering covertly recording a consultation. Using a hidden camera or other recording equipment is a big decision. It can affect people’s privacy and dignity. And it can have legal consequences as well. It may also be interpreted as a sign that trust is lacking or that the patient may be considering a complaint or legal action.

Both legally, and as a matter of courtesy, you should seek the health professionals’ agreement before recording a consultation/treatment. We strongly discourage covert recording.

If you are worried about yours or somebody’s treatment and/or care, you should first raise these concerns with us. We take proactive steps to investigate and address any issues regarding your treatment and care. You can do this by using our complaints procedure.

You can also raise concerns with the Care Quality Commission (CQC). They have very helpful guidance on this subject. Using cameras or other recording equipment to check somebody’s care.  

It is important to note that the CQC state that an organisation should not ever refuse to treat someone or care for them properly because recording equipment or similar technology is being used.

 

 

Privacy Notice: Use of webcam to view Fireflies

Dorothy House operates a webcam which streams live images from a designated area of the Firefly Woods as part of its aim to allow supporters to experience the Fireflies remotely.

We have undertaken a Data Privacy Impact Assessment in order to fully comply with our obligations under data protection law when using the webcam.

There is no intention to capture personal images through the webcam and we have the following in place to ensure data subjects avoid having their image/personal data captured:

  • The camera is positioned in such a way as to avoid capturing any image other than that of the designated firefly area.
  • Clear signage is provided at the webcam site advising that live-streaming is in action.
  • There is a notice on the appeal webpage and privacy section of the website indicating the use of webcams.
  • No data is stored, live images are streamed only.
  • No audio is captured.
  • Parents/guardians are responsible for the safety of their children when viewing the fireflies and should be mindful at all times of the webcam operation.
  • We will continue to monitor and review the output from the camera to ensure that we continue to avoid processing images and therefore personal data.

 

June 2023