Privacy Policy

ST ANN’S AND PERSONAL INFORMATION

St Ann’s is the largest charity funded hospice based in the North West of England and provides Palliative Care services for patients across Greater Manchester, including inpatient, outpatient and community services. In order for us to provide our services, it is necessary for us to process both personal and confidential information about you. Processing can mean any of the following:

  • Collecting
  • Accessing
  • Recording
  • Holding
  • Viewing
  • Analysing
  • Storing
  • Adapting
  • Altering
  • Deleting
  • Disclosing

St Ann’s Hospice uses both paper and electronic systems to process the information of our patients, staff, volunteers, donors, supporters and visitors. As an organisation, we comply with the Data Protection Act 2018 and UK General Data Protection Regulation to ensure that your information is secure, that its integrity is maintained and that it is available when we/you need it. In line with the legislation, it is St Ann’s policy to:

  • Process your personal information fairly and in accordance with applicable laws;
  • Tell you about how we will use your personal information;
  • Only collect personal information from you when we need it for legitimate purposes, or legal reasons;
  • Ensure that your personal information is adequate, relevant and not excessive for the purpose for which we collect it;
  • Not keep your personal information for longer than we need to;
  • Keep your personal information secure, and limit the people who can access it;
  • Ensure that you know how to access your personal information and exercise your rights in relation to it, including being able to keep it accurate and up-to-date; and
  • Ensure that any third parties we share your personal information with take appropriate steps to protect it.

In order to protect the information that we collect, we have developed an Information Governance Management Framework around the 10 National Data Guardian standards. We perform an annual assessment to ensure that our systems meet the same high standard as the NHS (through the Data Security Protection Toolkit). This means that we have:

  • Policies and procedures for processing personal and confidential information
  • Specified staff responsibilities relating to data security and protection. Data protection and confidentiality clauses are also included in staff, volunteer and third party contracts
  • Annual training for all staff relating to data security and protection
  • Restricted access to physical and electronic sources of personal information
  • Regular audits against our policies and procedures to ensure compliance
  • Internal reporting systems to record and react to incidents. Serious incident will be reported to the Information Commissioner’s Office
  • Continuity planning to ensure that we can retrieve/maintain service levels in the case of an incident or event
  • An understanding of and limitation on the number of unsupported systems that we use
  • Robust IT protection systems to identify and respond to cyber threats
  • Standard contracts to ensure that our suppliers are able to offer the same level of data security and protection as we do

This is our Privacy Notice, which informs you how and why we process your personal information. We will also provide examples of the information, uses and organisations who we work with but please note: the lists are not exhaustive so may change from time to time. Click the relevant links below to find out more, alternatively, you can contact our Data Protection Officer using the following e-mail address: dataprotectionofficer@sah.org.uk

ST ANN’S RESPONSE TO THE COVID-19 PANDEMIC

What information do we collect?

As part of our response to the COVID-19 pandemic, we have started to collect your personal data through visitor screening questionnaires, staff and volunteer risk assessments, patient, client, staff and volunteer testing programs and the vaccination program. Details of the information we process include, but are not limited to:

  • Your name and contact details e.g. address, phone number and e-mail address
  • Your date of birth and ethnicity
  • Details of your health status, risk factors and COVID-19 test results/vaccination status

Why do we process your information?

Your information is used to:

  • To assess risk to you and others relating to COVID-19
  • To support you in the workplace (if you are a member of staff or volunteer)
  • To protect our staff and patients (if you visit one of our hospice sites)
  • To help support infection prevention and control
  • To support the national effort to manage the COVID-19 pandemic

We may also use your information for other purposes:

  • To manage and audit our services
  • To provide important statistical information to commissioners and partners.
  • For research and planning purposes – to support the wider NHS in managing the pandemic.

Please note: St Ann’s will not use your sensitive/personal identifiable information unless it is absolutely essential. This means that when we are processing your information for non-direct care purposes, we will endeavour to either anonymise it which means that all personal identifiable information is removed with no possibility of tracing the information back to you in the future; or pseudonomise it which means that all personal identifiable data is replaced, and highly restricted access is applied to the pseudonimisation code.

We may share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If we receive a formal order from a court acting in their judiciary capacity
  • If there is a public health need such as preventing the spread of infectious diseases
  • If there is a safeguarding need (vulnerable adults or children)

How do we process your information lawfully?

In the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon for the delivery of direct care:

  • Public Interest – to process and share personal information in response to the pandemic. This is underpinned by the Health Service (Control of Patient Information) Regulations 2002, which allows patient information to be shared in the event of a pandemic.
  • To process data in the field of Public Health/Occupational Health – to process your sensitive personal information (e.g. medical information, race, religion) in response to pandemic
  • Legal Obligation – to manage our records in line with data protection legislation and NHS Records Management for Health and Social Care 2016.

Which other organisations do we work with?

In order for St Ann’s to operate, we need to engage with other organisations for the provision of some services. All third party contracts are assessed to ensure compliance with the UK General Data Protection Regulation.  Examples of contracted services includes:

  • Occupational Health service – we will share staff and volunteer risk assessments, test results and vaccine details with Stepping Hill Occupational Health service to ensure our staff and volunteers are supported appropriately.
  • Track and Trace – we will share data with the local government for Track and Trace purposes.
  • Continuous Improvement – we work with other healthcare providers e.g. the NHS to help with identifying areas for improvement and future investment.

PATIENTS AND CLIENTS

What information do we collect?

We collect your information from you and other health and social care providers who may be caring for you, for example your GP or district nurse. We keep records about your treatment and care both on paper and electronically. Details of the information we process include, but are not limited to:

  • Your name and contact details e.g. address, phone number and e-mail address
  • Your date of birth and ethnicity
  • Your medical records including assessments, diagnosis, treatment, services attended, status and care planning
  • Your holistic care including spiritual, social and psychological needs, assessments and services attended.
  • Information about your next of kin, close family, friends and carers

Why do we process your information?

Your information is used for direct care purposes:

  • To invite you to and to assess suitability of our services for you and your support network
  • To provide you and the people that care for you with our care and support services
  • To ensure we have records of the care provided to you; this helps your direct care team stay up to date with the care that has been provided to you

We may also use your information for purposes that are not related to your direct care:

  • To investigate queries, complaints or legal claims
  • To manage and audit our services, including when the purpose of the audit is for quality improvement
  • To provide important statistical information to commissioners and partners for funding and management purposes
  • For research and planning purposes. Your personal information will not be used for this purpose if you have signed up to the National Data Opt Out. For more information, relating to the National Data Opt Out, click the following link:

https://digital.nhs.uk/services/national-data-opt-out

Please note: St Ann’s will not use your sensitive/personal identifiable information unless it is absolutely essential. This means that when we are processing your information for non-direct care purposes, we will endeavour to either anonymise it which means that all personal identifiable information is removed with no possibility of tracing the information back to you in the future; or pseudonomise it which means that all personal identifiable data is replaced, and highly restricted access is applied to the pseudonimisation code.

We may also share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If we receive a formal order from a court acting in their judiciary capacity
  • If there is a public health need such as preventing the spread of infectious diseases
  • If there is a safeguarding need (vulnerable adults or children)

How do we process your information lawfully?

In the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon for the delivery of direct care:

  • Public Interest – to process personal information to deliver our care and support services. This is underpinned by the Health and Social Care Act 2012.
  • Provision of Health and Social Care Services – to process your sensitive personal information (e.g. medical information, race, religion) to deliver our care services. This performed under our contracts with NHS Clinical Commissioning Groups.
  • Legal Obligation – to manage your personal records in line with data protection legislation and NHS Records Management for Health and Social Care 2016.
  • Consent – when you join one to one or group video consultation sessions.

You can withdraw consent at any time by leaving the video consultation.

Which other organisations do we work with?

In order for St Ann’s to operate, we need to engage with other organisations for the provision of some services. All third party contracts are assessed to ensure compliance with the UK General Data Protection Regulation.  Examples of contracted services includes:

  • Data Management – all patient health and social care records and related reporting/correspondence are managed through an electronic database called EMIS Web, which is used widely across the healthcare sector. This is the same system used by most GP practices in Greater Manchester.
  • Record Retention – Paper copies of medical records are archived securely both at the Hospice and off site. The off-site storage is managed by Restore.
  • Incident Reporting – all incidents are recorded in an electronic database called Sentinel, which is hosted by Vantage.
  • Video Consultations – we use software provided by AccuRX to hold one to one video consultations with our patients.
  • Group Video Classes – we use web-based applications to provide group video conferencing for example, FaceTime and Microsoft Teams. The third party organisations will process your personal information to provide the video conferencing services, and may collect your information for their own legitimate interests. More detail can be found in the service provider’s Privacy Notices.
  • Online Forms – we use Microsoft 365 Services to be able to provide you with electronic versions of our patient and client surveys.
  • Insurance Claims – we work with a company called DE Ford to manage insurance claims.
  • Audits – we work with other organisations who help us audit our systems to ensure that we are complying with our legal, regulatory and internal requirements. For example, the Care Quality Commission and Beevers & Struthers.
  • Continuous Improvement – we work with other healthcare providers e.g. the NHS to help with identifying areas for improvement and future investment.
  • Audio Recordings – we work with Reliance High-tech Ltd who provide our staff with a lone worker device for the health and safety of our staff.

HEALTH AND SOCIAL CARE DATA SHARING

St Ann’s Hospice shares personal information with other NHS organisations, non-NHS organisations and Local Authorities who are involved in providing health and social care to you. By sharing information in this way, we are able to work as multi-disciplinary teams to ensure that your health and social care needs are being met.

When we plan to share large amounts of sensitive personal information with other organisations, we complete a thorough Data Protection Impact Assessment. St Ann’s will only commence sharing your information once a data sharing agreement is in place and we have assurance that the other organisation is able to offer the same high level of protection for your information as we do. If during the impact assessment process, we are unable to mitigate against a high risk to the security of your information, we will submit the assessment to the Information Commissioner’s Office for assessment and will not progress until our planned activities have been approved.

An example of how data is shared between health and social care networks is through the Greater Manchester Care Record. More information about the Greater Manchester Care Record can be found here: https://healthinnovationmanchester.com/thegmcarerecord/

A copy of the Greater Manchester Care Record Privacy Notice can be found here: https://healthinnovationmanchester.com/the-gm-care-record-privacy-notice/

STAFF, VOLUNTEERS, TRUSTEES AND CONTRACTORS

What information do we collect about you?

When you apply for a role (staff, volunteer, trustee, bank or contract) at St Ann’s, we can collect your information from a number of sources. This will depend on how you have submitted your interest in working with us.  The source of your information can be you, an online job website that you have signed up to, your recruitment consultant or referees that you have supplied for your application. We will keep records of your application and personal information in paper and electronic forms. Details of the information we process include, but are not limited to:

  • Name and contact details e.g. address, telephone number and e-mail
  • Education and employment history
  • References and their contact details

If your application is successful, a copy of your application, supporting information and interview notes will be included in your HR file. At the time of job offer, we will also collect further information from you and hold it on your HR file, for example:

  • Forms of Identification
  • Proof of eligibility to work in the UK
  • Disclosure and Barring Service Checks
  • Credit and Fraud Checks
  • Occupational Health Assessments
  • Driving licence, vehicle registration and insurance documents
  • Equal Opportunities information
  • Emergency contacts
  • Bank details
  • National Insurance / Social Security Numbers
  • Pension details

At the start of your employment/service, you may be assigned user accounts that are required for your role; logs of your account details and some activities within systems will be held by St Ann’s relating to your:

  • E-mail accounts
  • Telephone numbers
  • Application software accounts
  • Hardware assigned

During the term of your employment/service, information will be added to your HR records relating to your attendance, occupational health, professional development, performance management and conduct (including findings from investigation/grievance/disciplinary events should they occur).

Why do we process your information?

Your information is used for administration, management and organisational purposes, for example:

  • To keep a record of your application process, including screening and interviews to assess your suitability for the role and right to work in the UK
  • To be able to contact you throughout your application and term of employment/service
  • To send your contract and other necessary correspondence
  • To provide you with access to systems that are needed for your role
  • To be able to contact someone in the case of an emergency
  • To arrange workplace rotas
  • To pay you and provide you with benefits (if applicable)
  • To record your development, training, qualifications and professional registrations
  • To review your performance against organisational objectives
  • To provide any necessary support that you may need in order to perform your role
  • To perform budgeting and other general workforce management activities

We also need to process your information to ensure that we are complying with the law, for example:

  • For proof of eligibility to work in the UK
  • To ensure the safety and security of our patients, staff/volunteers and the organisation, as we are working with vulnerable individuals
  • For financial audit purposes in line with the Companies Act 2006
  • For taxation purposes
  • For insurance purposes
  • For compliance with the Equality Act 2010

We may also share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If there is a need to protect and safeguard vulnerable children and adults
  • If there is a public health need such as preventing the spread of infectious diseases
  • If we receive a formal order from a court acting in their judiciary capacity

How do we process your information lawfully?

In the Data Protection Act 2018 and the General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:

  • Contract – to provide you with an employment contract.
  • For the assessment of your working capacity and occupational health.
  • Consent – to process your personal information when you apply to/and volunteer for St Ann’s Hospice or when you complete our equal opportunities forms to help us monitor compliance with the Equality Act 2010.

You have the right to withdraw consent at any time and we will stop processing your data in an identifiable format.

  • Legal Obligation –
    • To ensure all staff are eligible to work in the UK in line with the Home Office Code of Practice on Preventing Illegal Working 2019
    • To ensure compliance with the Safeguarding Vulnerable Groups Act 2006
    • To ensure compliance with the Income Tax Act 2007
    • To ensure compliance with the Companies Act 2006
    • To ensure compliance with the Equality Act 2010
    • To manage your personal records in line with the Records Management for Health and Social Care 2016 and the Data Protection Act 2018 and UK General Data Protection Regulation.

Which other organisations do we work with?

In order for St Ann’s to operate, we need to engage with other organisations for the provision of some services. All third party contracts are assessed to ensure compliance with the UK General Data Protection Regulation. Examples of contracted services includes:

  • HR Services – the cloud-based Access Select HR database is used to store personal information, manage annual leave and attendance.
  • Occupational Health Services – we work with Stepping Hill Hospital for Occupational Health services to ensure that our staff are happy, healthy and supported in the work place.
  • Interpreter services – we will work with independent interpreter services when required.
  • Payroll and other payments – Beever and Struthers and Sage Payroll is used to process your monthly payments.
  • Life Insurance – Broadstone and Champain help us to find the best Life Insurance products on the market for our staff. They will also share your data with the insurance providers.
  • Pensions – we work with other organisations to enrol you in pension schemes for example, Scottish Widows, NHS pension and Broadstone.
  • Training – we work with a learning provider for mandatory training called Nimble. Staff also access NHS mandatory training through an online database called Moodle.
  • Staff Conduct Checks – we work with the Disclosure and Barring Service during the recruitment process for the assessment of applicants. The hospice renews the checks every 3 years for staff and volunteers.
  • Insurance Claims – we work with a company called DE Ford to manage insurance claims.
  • Audits – we work with other organisations who help us audit our systems to ensure that we are complying with our legal, regulatory and internal requirements. For example, Beevers & Struthers.
  • Financial Auditing – Deloitte perform annual financial audits, which include auditing Payroll accounts.
  • Employment Services – we sometimes work with ACAS to resolve disciplinary, grievance or other employment related disputes.
  • Incident Reporting – all incidents are recorded in an electronic database called Sentinel, which is hosted by Vantage.
  • Remote Working – we work with other organisations to provide you with the ability to work remotely, for example, Microsoft Office 365 (Outlook, SharePoint, OneDrive and Teams) and M247 (our internet provider who enables remote access via software called FortiClient).  When you work remotely from home, the third party organisations will process personal information to provide the services, and may collect your information for their own legitimate interests (for example, your IP address). More detail can be found in the service provider’s Privacy Notices.
  • Health and Safety – we work with Reliance High-tech Ltd to provide relevant staff members with a lone worker device.

STUDENTS, PLACEMENTS AND COURSE ATTENDEES

What information do we collect about you?

When you apply to attend a course or placement at St Ann’s, we can collect your information from a number of sources. This will depend on how you have submitted your interest in the courses or placements that we offer. The source of your information can be you, your organisation, school or referees that you have supplied for your application. We may also collect your information from external sources on a direct marketing business to business basis for education and training purposes to promote our workshops. We will keep records of your application and personal information in either paper or electronic forms. Details of the information we process include, but are not limited to:

  • Name and contact details e.g. address, telephone number and e-mail
  • Contact details for people within your education services or employment
  • Employment and Education information
  • References and their contact details
  • Disclosure and Barring Service Checks
  • Medical questionnaire
  • Emergency contacts

Why do we process your information?

Your information is used for administration, management and organisational purposes, for example:

  • To keep a record of your attendance and provide you with certificates and course evaluation material
  • To be able to contact you throughout the course or placement
  • To be able to contact someone in the case of an emergency
  • To record your development, training, qualifications and professional registrations
  • To provide any necessary support that you may need in order to access and complete the course or placement

We also need to process your information to ensure that we are complying with our legal obligations as an organisation, for example:

  • To ensure the safety and security of our patients, staff/volunteers and the organisation, as we are working with vulnerable individuals

We may also share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If there is a need to protect and safeguard vulnerable children and adults
  • If there is a public health need such as preventing the spread of infectious diseases
  • If we receive a formal order from a court acting in their judiciary capacity

How do we process your information lawfully?

In the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:

  • Contract – to provide you with a placement or course.
  • For the assessment of your working capacity and occupational health. 
  • Legal Obligation – to ensure compliance with the Safeguarding Vulnerable Groups Act 2006

Which other organisations do we work with?

In order for St Ann’s to operate, we need to engage with other organisations for the provision of some of our training and development services. All third party contracts are assessed to ensure compliance with the General Data Protection Regulations. Examples of contracted services includes:

  • Online training modules – we work with a learning provider for training called Nimble. Staff also access NHS mandatory training through an online database called Moodle.
  • Online interactive training courses – we work with Zoom to provide you with some training courses remotely.
  • External training – we work with other organisations who provide training in areas that we are unable to deliver in house.
  • Incident Reporting – all incidents are recorded in an electronic database called Sentinel, which is hosted by Vantage.

ENQUIRERS, DONORS AND SUPPORTERS

What information do we collect about you?

We collect your personal information when you ask about our activities, take part in our events, make donations and sign up to our newsletters and updates. We also use third party organisations to collect information about prospective and existing supporters from publicly available sources of information (for example, the internet, Companies House and rich lists), which we then add to our records. We keep records of your personal information in paper and electronic forms. Details of the information we process include, but are not limited to:

  • Name, address, telephone number, email address, age and gender
  • Dietary Requirements (if applicable)
  • Payment information and donation history
  • Records of consent and correspondence between you and St Ann’s
  • Records of activities attended, fundraising behaviours and wealth identifiers
  • Photographs, quotes, or video footage when you have taken part in our events
  • Whether you are a patient of St Ann’s if you to choose to share this when making a donation, and if you have any links to other supporters.

Please note: St Ann’s will collect children’s data with the consent of a parent or guardian and will only correspond with the parent or guardian. The information of children will not be shared and we do not correspond with children under the age of 18.

Why do we process your information?

The information that you provide is used to our fundraising activities:

  • To manage the fundraising event or campaign
  • To keep a record of who has signed up to our events
  • To provide relevant information and resources to participants
  • To provide a safe environment for our events to take place
  • To process income from the events

We may also process your information for purposes that are not linked to specific fundraising activities:

  • To track your activities to build a profile of interests and fundraising behaviours – this helps us to send specific updates and asks to you
  • To research our supporters to identify those who may be able to give or influence transformational gifts for the hospice.

*More Info: St Ann’s Hospice relies almost entirely on donations from the general public, and we strive to fundraise in the most efficient way we can. To aid this, we will occasionally use third party organisations to carry out research on a specially selected group of supporters who may be able to make or influence a large donation to the hospice. This is a process widely known as wealth screening. Information will be gathered from publicly available sources, like Companies House and published rich lists, about employment, past philanthropic giving and visible assets, and added to the data we already hold. We only use reputable organisations to undertake this research who have demonstrated compliance with data protection law and are registered with the ICO. We will not use information we believe has not been lawfully, fairly or ethically obtained, and we do not use information sources which have not been made public. This information will then be used to make a personal and considered approach to certain individuals related to their interests, their past support of the hospice and their inferred ability and willingness to make or influence a transformational gift to the hospice. This is undertaken under St Ann’s Hospice’s legitimate interest, and supporters can opt out of this processing by contacting supporter@sah.org.uk or calling 0161 498 3631.

  • To keep current and potential supporters informed about our fundraising activities by sending direct marketing
  • Where you have provided consent, we may use photographs, videos and quotes of/from you to publicise the Hospice and our activities
  • To claim gift aid on donations from the HMRC with your consent
  • To provide a transparent audit trail for income received in line with the Fundraising Regulations for the receipt of income
  • To keep supporter information relating to gift aid for audit purposes with your consent

  • To keep donation information to benchmark our performance against other charities.

We may also share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If there is a need to protect and safeguard vulnerable children and adults
  • If we receive a formal order from a court acting in their judiciary capacity

How do we process your information lawfully?

In the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:

  • Contract – to process your information in order to perform our contract with you, for example when you sign up to our fundraising events or make a donation.
  • Legitimate interest – to process your data to support the fundraising activities of the organisation, for example:
    • When we perform research using publicly available sources of information and record the results on our database
    • When we generate profiles to help us target specific groups of supporters
    • When we send direct marketing via post or telephone.

You have the right to object to this type of processing and we will stop immediately.

  • Consent – to send you direct marketing via electronic means in line with Privacy and Electronic Communications Regulation.

You have the right to withdraw consent from this type of processing at and we will stop immediately.

  • Legal obligation – to comply with the law, for example when we keep a record of donations and Gift Aid for the purpose of financial audit in line with The Companies Act 2006 and HMRC requirements.

Which other organisations do we work with?

In order for St Ann’s to operate, we need to engage with other organisations for the provision of some services. All third party contracts are assessed to ensure compliance with the UK General Data Protection Regulation. Examples of contracted services includes:

  • Event Sign-up – we work with organisations to advertise/market our fundraising activities and provide registration facilities, for example Eventbrite.
  • Event Management – we work with organisations who help us to put on a variety of fundraising events; examples include Great Adventure Challenges, Great Run Company and Manchester Half Marathon.
  • Virtual Events – we work with organisations who help us provide online fundraising events like quizzes, for example Zoom and Funraisin’.
  • Fundraising Data and Relationship Management – all donor/supporter data is hosted by Blackbaud who provide us with our database, online forms and some payment services.
  • Mailing and Marketing – we use mailing houses to distribute our event registration packs, Friends Newsletter and other communications, for example Wodehouse and 121 Direct Mail. We also use e-mail marketing systems for example, Blackbaud, Online Express and Mailchimp, and printing companies who make materials for promotional and other purposes, for example Prontaprint, Minuteman, and PrintOn.
  • Running Appeals – we work with organisations who provide us with resources for collection tins and online dedications/donations, for example Facebook Donate, Thyngs, Minted Box, Just Giving and Everyday Hero.
  • Payment Processing – we work with organisations to process payments for donations for example, PayPal, Stripe, Liberty Pay, AIB Merchant Services, Sage Pay, Corvid Paygate and Secure Collections
  • Research – we work with organisations to analyse and enhance the personal information of our supporters using publicly available sources of information for example, Impact Fundraising and Factary. In some cases, the information may be entered into specialist software systems that will perform statistical analysis to help us:
    • Identify our most popular events
    • Understand our revenue generation streams
    • Forecast for future campaigns
    • Identify and build profiles on supporters who may be able to make or support a transformational donation to the hospice. The research allows us to make a personal and relevant approach to selected supporters, saving the charity time and money and reducing the risk of intrusive or irrelevant communications.

Please note: Some of the organisations that we work with will process your data outside of the UK. More information can be found in the ‘TRANSFERING YOUR INFORMATION OUTSIDE OF THE UK’ section of this privacy notice.

LOTTERY MEMBERS AND TRADING COMPANY CUSTOMERS

What information do we collect about you?

We collect your personal information when join our lottery and buy items from our shops or online platforms. We will keep records of your personal information in paper and electronic forms. Details of the information we process include, but are not limited to:

  • Name, address, telephone number, email address, date of birth
  • Payment information
  • Records of consent and correspondence between you and St Ann’s

Why do we process your information?

The information that you provide is used to provide you with goods and services:

  • To enter you into our Lottery draw
  • To sell and deliver items from our online sales and charity shops
  • To collect items that you have kindly donated
  • To process income from your lottery membership and purchases

We may also process your information for purposes that are not linked to good and services:

  • To provide a transparent audit trail for income received
  • To claim gift aid on income received from the HMRC with your consent
  • To ensure compliance with the Gambling Commission
  • To keep a log of customer preferences to help us understand specific interests and trends in monies raised
  • To keep current and potential supporters informed about new goods and services by direct marketing

We may also share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If there is a need to protect and safeguard vulnerable children and adults
  • If we receive a formal order from a court acting in their judiciary capacity

How do we process your information lawfully?

In the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:

  • Contract – to process your information in order to perform our contract with you, for example when you sign up to our lottery or buy goods/services from us.
  • Legal obligation – to comply with the law, for example when we keep a record of donations and Gift Aid for the purpose of financial audit in line with The Companies Act 2006.
  • Consent – to apply for Gift Aid against your donations or send you electronic direct marketing. You are able to withdraw consent at any time and we will stop immediately.
  • Legitimate interest – to send you direct marketing by post of telephone. You are able to object to this at any time and we will stop immediately.

Which other organisations do we work with?

In order for St Ann’s to operate, we need to engage with other organisations for the provision of some services. All third party contracts are assessed to ensure compliance with the UK General Data Protection Regulation. Examples of contracted services includes:

  • Lottery Sign-up – we work with organisations to advertise/market our goods and services, and provide registration facilities, for example LPS, SEC and Integrated Promotions.
  • Data Management – Lottery memberships and the draw are managed through an electronic database called Combase, which used by a number of charitable organisations.
  • Online Trading – we work with eBay, Amazon, Shopify, Facebook Shop and Instagram Shopping to sell goods for income generation.
  • Delivery of goods – we work with Hermes to deliver goods to you.
  • Trading in our shops – we use a till system called Chariot to process and record sales.
  • Payment Processing – we work with organisations to process payments for example, PayPal, Stripe, Liberty Pay, AIB Merchant Services, Sage Pay, Corvid Paygate and Secure Collections and World Pay (Worldpay-Privacy-Notice-English.pdf (fisglobal.com)).

WHEN YOU COME TO ST ANN’S PREMISES

What information do we collect about you?

When you come to any of the St Ann’s sites as a member of staff, volunteer, trustee, contractor, client, student/trainee or guest/visitor you will be required to complete a signing in book to register your attendance. Personal information that we will collect will include:

  • Name
  • Car registration
  • CCTV video recordings*

*We operate CCTV systems in areas that are used by staff (for example in our pharmacy areas) and areas that are used by members of the public, there are notices displayed to inform the subjects of the recording.

Why do we process your information?

The information that you provide is used for ensuring the safety and security of our patients, staff, volunteers, visitors and property, and to facilitate the detection and prevention of crime.

How do we process your information lawfully?

In the Data Protection Act 2018 and the UK General Data Protection Regulation, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:

  • Legitimate interest –
    • To help us ensure the safety of our patients, staff, volunteers, visitors and property, and to facilitate the detection and prevention of crime.

Which other organisations do we work with?

We may share your information with other organisations when we are required to do so by law, for example:

  • If we are sent a request from the Police under the Crime and Disorder Act 1998
  • If we receive a formal order from a court acting in their judiciary capacity
  • If there is a need to protect and safeguard vulnerable children and adults

You have the right to see CCTV images of yourself and be provided with a copy subject to certain criteria. We will not release images of other people to you. If you are involved in an incident whilst on our premises, we will record details of the incident in an electronic database called Sentinel, which is hosted by Vantage.

VISITORS TO OUR WEBSITE OR SOCIAL MEDIA SITES

What information do we collect about you?

In order for us to provide a high quality website and social media service, St Ann’s needs to collect and process personal information about you, for example:

  • Cookies – the name of the domain from which you access the Internet, the date and time you access our site, and the Internet address of the website from which you linked to our site
  • Your name and contact details, and other persons involved in queries/correspondence that you raise with us
  • Your name and contact details, and other persons involved in complaints that you raise with us

Why do we process your information?

We will use your information to provide a relevant and efficient web and social media service:

  • Cookies measure the number of visits to the different sections of our site, and to help us make our site more useful to visitors. Guidance for managing cookies through your browser can be found at the following website: https://www.aboutcookies.org/
  • To correspond with you relating to your query or complaint

How do we process your information lawfully?

In the Data Protection Act 2018 and the General Data Protection Regulations, processing of your personal information must be done fairly, lawfully and transparently. St Ann’s will only process information relating to you as long as there is a lawful basis in line with the legislation and it is necessary for us to do so. The following legal bases are commonly relied upon:

  • Legitimate interest –
    • To process your data to ensure our website functions properly and to help us improve our website and social media sites
    • To respond to your queries or complaints

Which other organisations do we work with?

In order for St Ann’s to operate our website, we need to engage with other organisations for the provision of:

  • Website Publishing – we use an organisation called WordPress to publish the content of our website.
  • Website and Social Media Monitoring – we work with Google Analytics, Twitter and Facebook Analytics, and Buffer to collect standard user and internet log information and details of visitor behaviour patterns. You cannot be identified from this information.
  • Website Maintenance – we work with Reason Digital to maintain the website; this includes:
    • Daily back-ups of the site
    • Ever-cache technology: proprietary caching technology for massive scalability and speed
    • Firewall protection: multiple powerful firewalls between our data and threats

Please note: From time to time our website may also include links to other websites. These links are provided for your convenience to provide further information. They do not signify that we endorse the website(s). We have no responsibility for the content of the linked website(s). We encourage you to read the privacy statements on the other website(s) you visit.

TRANSFERING YOUR INFORMATION OUTSIDE OF THE UK

St Ann’s Hospice stores some personal data on the Microsoft Office 365 platform, which is hosted in the European Economic Area. St Ann’s Hospice also uses other third party organisations to help with some of our fundraising and marketing services. Some of the providers will transfer your personal data to countries outside of the UK, mainly to the EU or USA. Examples of this include:

  • When you sign up to an event through Eventbrite or Online Express
  • When you pay St Ann’s Hospice through the online Stripe or Merchant Service platforms
  • When you attend a Zoom video conference call
  • When we send direct marketing via email through Mail Chimp or Blackbaud Services

If your information is to be processed outside of the UK, it will only be processed once we have confirmation that the recipient is subject to equivalent data protection legislation, and that your information will remain secure.  Additionally, there will always be a Data Processing Contract (including Standard Contract Clauses for restricted transfers) in place, which will specify what the data is to be used for. If you would like to see evidence of the agreements, please forward an email to dataprotectionofficer@sah.org.uk.

HOW LONG WILL ST ANN’S RETAIN YOUR INFORMATION?

At St Ann’s we will only retain your information for as long as we need it. We have three records management policies in place that are read alongside each other:

  • Records Management Policy based on the NHS – Records Management for Health and Social Care 2016 guidelines – for detail of the healthcare retention schedules that we follow, please click the below link:

https://digital.nhs.uk/binaries/content/assets/legacy/excel/o/o/rmcop-retention-schedules.xls

  • Fundraising Data Policy (standard retention period is 10 years from the last point of contact)
  • Policy for the Management of Employee Records (standard retention period is 6 years from the end of your employment contract)

YOUR RIGHTS

Under the Data Protection Act 2018 and the UK GDPR, you have the following rights relating to your personal information:

  • Right to Access (Subject Access Request / Access to Health Records)
  • Right to Rectification
  • Right to Erasure (Right to be forgotten)
  • Right to Object
  • Right to Restrict Processing
  • Right to Data Portability
  • Right not to be subject to automated decision making including profiling

* Please note: not all rights apply to the personal data that we process about you. An example of this could be when you would like to have your records erased, but they have been collected in order to meet a legal obligation, or if you request access to records that would cause serious physical or mental harm to you or others.

CONTACTING ST ANN’S TO EXERCISE YOUR RIGHTS, OR FOR FURTHER INFORMATION

If you would like to exercise any of your rights or you would like further information relating to data protection, please contact:

Data Protection Officer

St Ann’s Hospice

St Ann’s Road North

Heald Green

Stockport
SK8 3SZ

Telephone: 0161 702 5414

Email: dataprotectionofficer@sah.org.uk

Website: https://www.sah.org.uk

COMPLAINTS

If you have contacted St Ann’s with concerns but are not happy with the response, you are able to lodge a complaint by calling or writing to the Chief Executive. The Chief Executive will then deal with your concerns as a formal complaint.

 

Chief Executive

St Ann’s Hospice

St Ann’s Road North

Heald Green

Cheadle

SK8 3SZ

Telephone: 0161 498 3634 or 0161 498 3635

Website: https://www.sah.org.uk/about-us/complaints-procedure/

THE INFORMATION COMMISSIONER’S OFFICE

The supervisory authority for data protection in the United Kingdom is the Information Commissioner’s Office (ICO). If you would like to see our registration with the ICO, enter the following registration codes into the website:

  • Z5762319 for our Hospice processing activities
  • ZA100746 for our Trading Company processing activities

If you would like further information relating to data protection or would like to lodge a complaint, you have the right to contact the ICO at the following address:

The Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113

Email: casework@ico.org.uk

Website: www.ico.org.uk