Privacy policy
When you provide us with your personal or sensitive information it is important you understand how it will be used and looked after. The purpose of this Privacy Policy is to give you a clear explanation of what personal information we collect and how we collect, use, and protect it.
Where this document refers to ‘we’, ‘us’ or ‘EACH’, we mean East Anglia’s Children’s Hospices, and its trading subsidiaries East Anglia’s Children’s Hospices (Trading) Limited, Stable Trading and the Children’s Hospice for the Eastern Region.
EACH is registered with the Information Commissioner’s Office (ICO) in accordance with General Data Protection Regulations (GDPR).
- Registered Charity Number 1069284.
- Company number 03550187 (registered in England and Wales).
EACH has appointed a Data Protection Officer who ensures your information is always handled securely and in accordance with the law. You may contact the EACH Data Protection Officer at any time if you have any concerns or questions about how your data has been used:
By telephone: 01223 800 800
By email: [email protected]
By post: East Anglia’s Children’s Hospices, Church Lane, Milton, Cambridge. CB24 6AB.
Accessibility
If you wish to receive this Privacy Policy in a different format, such as large print, braille, audio recording, or translated into a different language, please contact us:
By telephone: 01223 800 800
By email: [email protected]
By post: East Anglia’s Children’s Hospices, Church Lane, Milton, Cambridge. CB24 6AB.
Your rights
Under data protection regulations, you have rights over how your personal information is used by others:
- The right to be informed about your personal information we store and/or process.
- The right of access to the information we hold about you and make a subject access request
- The rights of erasure or restricted processing.
- The right of portability – you may be able to ask us to give information we hold about you to another organisation.
- The right to object to the way in which we store or process your information.
- The right to object to any automated decision-making process that we may use.
If you would like to exercise any of these rights, please contact the Data Protection Officer at [email protected], or telephone 01223 800 800, or write to the Data Protection Officer, East Anglia’s Children’s Hospices, Church Lane, Milton, Cambridge, CB24 6AB.
If you no longer wish to receive emailed or web-based marketing information you can unsubscribe at www.each.org.uk/unsubscribe. For non-web-based marketing please contact [email protected].
Personal information
Personal information is any information about you from which you can be identified, such as your name, address, date of birth, debit/credit card details, IP address, photos or film, but it may also be anything that identifies you, for example, your NHS number or biometric data. Some personal information will be sensitive, for example, information regarding health and wellbeing, ethnicity and religious views.
EACH will only use your information in ways that you would reasonably expect having read this Privacy Policy. Your information will only be collected, stored or processed where specific purposes have been identified and highlighted in this policy or by direct communication with you.
The amount of information we collect and use about you will vary depending on your relationship with EACH. We always make sure there is a legal basis in data protection law when we collect and use your information. The legal bases we rely on are:
- Consent: Where you have given us clear and informed permission.
- Contractual: Where there is a contract between you and us.
- Legal obligation: Where a law says we must.
- Legitimate interest: Where it is necessary for our charitable aims and the benefits have been carefully balanced against respect for your privacy, your information rights, and your expectations.
- Vital Interest: Where providing data could protect life in a life-or-death situation.
- Public task: Where it is necessary for us to perform a task in the public interest.
All legal bases, including consent, are reviewed on an ongoing basis. Please let us know if you would like us to update our records.
How information is collected
Directly from you: This is information you give to us directly when, for example, you become a service user, register for a fundraising event, volunteer to support the charity, become an employee, or make a donation or otherwise interact with the charity and its subsidiaries. You may provide this on a paper or digital form, during a telephone or face-to-face conversation, or by other means.
If you are a member of staff or a volunteer specific information will be required. Depending on the work you do we may need to ask you for sufficient information to carry out some background checks and there are also key personal data details required. We may provide you with forms to complete or capture your details directly in our Applicant Tracking System or HR systems. Many of the EACH systems are integrated so if you provide information in one system it may also update another (e.g. HR to Payroll).
If you are a service user then your records will probably include sensitive personal data, including medical information. Much of this will be collected directly from you.
You may provide information to us directly through our website or other electronic medium. When you interact with an EACH website it is helpful to be able to identify you to improve your experience. Like most websites EACH uses ‘cookies’ to enable the website to recognise you when you return. A cookie is a small text file that transfers to your computer (or phone or tablet) and can help with things such as auto filling your name and address in text fields. By using an EACH website, you are confirming you agree to our privacy and cookies policies.
There is more information about how our cookies work here.
If you enter details onto one of our online forms and you don’t send or submit the form, we may contact you to see if we can help with any problem you may be experiencing with the form or with our website.
CCTV: Some of our premises are monitored by CCTV or door access systems. For the purposes of security, images and videos may be retained for a limited period of time.
Third Parties: Sometimes, information will be provided indirectly through a third party, for example: through a donation website (e.g. JustGiving), from an organisation where you have given permission to share your data. Service user information may have been shared with EACH through the NHS spine or by other agencies, health, and social care professionals.
Third parties must only supply EACH with your information if they have the correct lawful authority to do so. When you share your information with anyone, you should check their privacy policy so you understand how they will process and share your data. You should also regularly check your security settings for online services with whom you share your data.
Information collected from public sources: EACH may collect information from public sources such as Companies House, social media profiles, newspapers and other published material. EACH may also carry out research into population demographics, geographic data or other areas which may impact on our future service delivery or identify potential areas of focus to raise funds. Information from different sources may be combined for profiling or analysis purposes.
What kind of personal information we process
For care service users, we will record your contact details, demographics, and access to medical records which we can update.
We may also collect data about your family members and professionals who work with you.
If you receive community care, we will make sure we have the information we need to work in your home which may be everything from your Wi-Fi password to where you keep medications.
We will record data for ethnicity and diversity monitoring.
We will record your name, address, contact details, date of birth, gender, ethnicity and religious beliefs, next of kin, and information about your health and wellbeing.
For employees, we hold information related to your employment record, payroll, supervision and appraisal notes, disciplinary proceedings, occupational health records (obtained only with your consent), data for ethnicity and diversity monitoring.
For donors, it is helpful if we can collect more information than the minimum of contact details and gifts received:
- Charitable donations may be given anonymously, but we would prefer to have and hold your contact details so that we can confirm receipt and keep you informed; you will be able to choose whether you supply this information. Depending on your payment method we may be required to record some of your personal information in connection with payment details.
- As a donor, we will often ask you for more information than the bare minimum to process your donation; this may be so that we can identify you as an event entrant or it may be part of building a long-term relationship with you. Our fundraisers will be genuinely interested in how you have raised funds and why you have chosen to support EACH and may record this information so they have a record when they next contact you.
- Information required for us to process your fundraising requests, for example, using your preferred contact method to allow us to send you information relevant to an EACH event or to provide pertinent stewardship and support for your fundraising for EACH. If you ask us to support you with a fundraising activity, we will continue to do so unless you make a change to your request as we consider this to be good stewardship. We differentiate our communications between stewardship and marketing to ensure we can effectively comply with the Privacy and Electronic Communications Regulations (PECR) which require consent for electronic marketing. We will always ensure we have your consent for electronic marketing.
- Information required in the legitimate interest of the charity or its subsidiaries, for example, as a supporter of the charity, a balancing test may show that it is in the legitimate interest of both EACH and you as a supporter to keep you informed about our work.
- Personal information may also be held and processed under legitimate interest, consent, contract or legal obligation for the purposes of claiming Gift Aid, recording financial transactions, customer service support etc. Whenever legitimate interest is applied, EACH will carry out a balancing test to ensure fairness.
- Depending on your payment method we may record your payment details and pass them on to a third-party mercantile service to process the payment. We will ensure your payment details are handled securely.
- In some instances, acceptance of a gift may require more information to ensure we comply with Money Laundering Legislation, and we may not always be able to accept a gift anonymously.
For online browsers, in addition to your contact details we may collect and store your address, phone numbers, email addresses. On our website we process and store IP addresses and information about your browser type, version, times, operating system platform, Uniform Resource Locators (URLs or web addresses), clickstreams to, through and from our site and browsing activity on our site.
For our purchasing suppliers, many are organisations outside the scope of this policy, but there are a few individuals for whom we will keep the minimum data we need to comply with legislation, and this will include your contact details, details of purchases and amounts spent.
How information about you is used
Care services
If you use our care services, we will collect your personal data and sensitive or ‘special category’ information that relates to your physical and/or mental health and any other relevant information such as religious beliefs or sexual orientation. This data goes on to form your healthcare record, together with additional information such as the personal details of your family and/or carers, etc.
From time to time, care staff may be asked to take clinical photographs of you for medical or training purposes. Such photographs would form part of your medical record and would not be made publicly available without your explicit consent.
Information will be used to carry out care assessments, book appointments or visits, send you correspondence, complete surveys, record incidents and deliver care. We may receive commendations or complaints and concerns, and process the information contained therein to respond to you and develop our service.
To inform the development of care services for children, young people and families, we may use your data to identify patterns and trends. We will also use it for resource planning. We will keep records to:
- Enable home visits.
- To let you know about services and events.
- To monitor trends and progress in care.
- Undertake research, with your permission, to better understand people’s expectations about how their data will be used.
- To provide you with information, products or services you request.
So that we can provide high quality care and support we need specific data. This is collected from or shared with:
- You or your legal representative(s);
- Third parties. We may do this face to face, via phone, via email, via our website, via post, via application forms. Third parties are organisations with whom we have a legal reason to share your data. These may include:
- Other parts of the health and care system such as NHS Trusts, your GP, the pharmacy, social workers, and other health and care professionals.
- Local Authorities.
- The police or other law enforcement agencies or courts subject to law or court order.
We are also required by law to report certain information to appropriate third-party authorities. This is only provided after formal permission has been given by a qualified health professional or Caldicott Guardian. Occasions when we must pass on information include:
- Where we encounter infectious diseases which may endanger the safety of others, such as meningitis or measles.
- Where a formal court order has been issued.
Where information sharing is requested by third parties and no legal obligation to share exists, we will not disclose any health information without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk.
The Clinical Services Director, Care Service Leads, Data Protection Officer and Caldicott Guardian may look at your records to monitor and audit the quality of records and care, or if dealing with a complaint.
The Care Quality Commission, our regulatory body, may also look at records as part of their inspection process; they will ask your consent.
There is limited access to identified members of our administration team in support of care and patient and family related events.
For friends, relatives, appointed next of kin, we will record basic details and contact information e.g. name and address.
We require this data because we have a legitimate interest in holding next of kin details about the individuals who use our service and keeping emergency contact details for our staff.
Your Right to Withdraw Consent for us to Share Your Personal Information:
- At any time, you have the right to refuse/ withdraw consent to information sharing. The possible consequences will be fully explained to you and could include delays in receiving care.
How can you get access to your own health records?
- The Data Protection Act 2018 gives you the right to see or have a copy of your health records.
- If you want to access your health records you should make a written request (which can be by email) to our Data Protection Officer at [email protected]. You should also be aware that in certain circumstances your right to see some details in your health records may be limited in your own interest or for other reasons.
We do not share any patient personal information, or the information of those associated with our patients without their consent to our:
- Fundraising Team
- Marketing Team
- Retail Team
Families - More detailed information regarding how children and families’ information is managed can be found in the Family Information Leaflet ‘What happens to your information’. Please ask our staff for a copy.
National Data Opt-Out Programme - From the 25th May 2018, any person aged 13 years or over, with an NHS number, can opt-out of having their confidential identifiable patient information being used for reasons other than their individual care and treatment. A person with parental responsibility can opt out on behalf of a child under 13 years of age. If you wish to opt out or want to find out more information about this, please go to https://digital.nhs.uk/services/national-data-opt-out-programme or ask a member of your local hospice team for a leaflet.
EACH is part of the Shared Care Record for the East of England - Why shared care records matter: every health and social care organisation that you have contact with has their own set of records. To provide you with the best care it is important that authorised health and social care staff have the most up to date information available to them. Shared care records assist staff to make the best decisions by having a more joined-up picture of your information. This is important in providing safe, personalised, and connected care. Please see our privacy notice for the shared care record.
Income Generation
For the purpose of income generation, we may use your personal data to:
- Steward your fundraising, ensuring we are offering you the support you need during your activity or donation.
- Provide pertinent stewardship and support for your fundraising for EACH. If you ask us to support you with a fundraising activity, we will continue to do so unless you make a change to your request as we consider this to be good stewardship. We differentiate our communications between stewardship and marketing to ensure we can effectively comply with the Privacy and Electronic Communications Regulations (PECR) which require consent for electronic marketing. We will always ensure we have your consent for electronic marketing.
- Claim Gift Aid from HMRC and/or to register you for retail Gift Aid as a donor of second-hand goods.
- Report to fundraising bodies on anonymised statistics and activity.
- Provide you with information, products or services you request.
- Comply with Money Laundering Legislation and we may not always be able to accept a gift anonymously.
- Ensure we contact supporters with the most appropriate communication. To do this, we may profile your data by combining the information we hold with other sources of information or carry out other analysis techniques. This will enable EACH to contact you in the most relevant way and provide an improved experience. It will also enable EACH to have a greater insight and understanding of its supporters and use the information to develop the charity’s donor base. If you do not want your data to be used in this way then you can opt out at any time by emailing [email protected] or by telephoning 01223 800807.
- We send some data to specialist agencies for data cleaning which includes correcting and may include enhancing the data.
- Ask for your support to help EACH continue our work of caring for children, young people and families. This may be through volunteering, fundraising, becoming a Gift Aider or other means of providing support to the charity.
Marketing
We may use your personal information to:
If you have consented to our processing your personal data for marketing purposes, in accordance with this privacy policy, we may send you information (via email, post, phone or text) about our activities and services we consider of interest to you or those that you have requested.
To provide web services for the enrolment and processing of volunteers.
To interact with you on our website providing information, online shopping and forums.
We may take individual or group photos at events and your image may be used in promotional material if you attend our events or sites.
EACH does not sell personal details to third parties for the purposes of marketing.
Running our organisation
We may use your personal information to:
Ensure you receive excellent stewardship and are updated on our work and progress.
Ask for your support to help EACH continue our work caring for children, and families. This may be through volunteering or other means of providing support to the charity.
Record payment information. Depending on your payment method, we may need to record your payment details and pass them on to a third-party mercantile service to process the payment.
We may record telephone conversations for the purposes of staff training or other development.
If you are an employee or volunteer, we will use your personal information to:
- Process staff personal data for payroll and Human Resource Management purposes.
- Issue contracts of employment or volunteer service agreements. We will need your employment history and details about you for this which we will store securely.
- To carry out diligence checks, for example, checking driving licences to verify eligibility to drive, taking a copy of your passport to establish right to work and place of residence.
- To notify our insurers of employees’ age and any driving points you may have on your licence if you drive EACH vehicles.
- To administrate employee or corporate pension or insurance schemes. In this case, salary, medical and contact details may be shared with third party pension and insurance providers.
- If you are a member of staff or a volunteer, more information will be required. Depending on the work you do we may need to ask you for sufficient information to carry out some background checks. You will be asked to complete a personal details form when you join EACH and you should provide updates if that information changes. Records of your employment, appraisals, supervision, progression and HR processes are also kept on your personnel record but not kept longer than required.
- Information required for us to comply with legal obligations, for example, Disclosure and Barring Service applications, financial accounts or payroll records.
For administrative purposes, we may process and store your personal data to:
- Verify the identity of Trustees or senior managers, to ensure they qualify as ‘fit and proper persons’ and to provide identity verification to banks or financial institutions.
- To process personal information to support contractual arrangements.
- Process or store personal information to comply with legal obligations, for example, disclosure and barring service, VAT records and payroll records.
- Monitor and audit our services and ensure quality and accountability.
- To provide you with other services, for example, our library service.
- We may share your data with a third-party specialist, under a confidentiality agreement, in assisting with large volume Subject Access Request redaction.
- To maintain a relationship with you as a supplier of services.
- To provide you with IT systems, to set up your accounts and connect to your personal mobile devices.
- We may share your personal data with solicitors or other advisors if there is a legitimate, contractual or legal reason to do so.
- Provide Companies House and the Charity Commission with details of Trustees and Directors.
- Provide information to financial institutions for key staff or Trustees to verify identity for the purposes of authorising transactions.
- Storing information which you may have provided us with as a matter of your own vital interest, i.e. to maintain your own personal safety such as next of kin or information about your health.
Contacting you
Default: If you have told us how you prefer to be contacted then we will use your preferred method to contact you when appropriate. This may be by post, email, telephone, text or another method you have requested. Please let our staff know your preferences.
Marketing: If you have consented to our processing of your personal data for marketing purposes, in accordance with this privacy policy, we may send you information (via email, post, phone or text) about our activities and services we consider of interest to you. We will only send you marketing communications via electronic means if we have your consent to do so.
Sharing information
Information may be shared with other parties for a variety of reasons:
- For shared delivery of care (with other healthcare professionals).
- To raise awareness of the needs of families and EACH service users.
- To provide information to regulatory bodies or funders.
- To make sure we maintain our responsibilities for quality and accountability (audits and inspections).
- To inform the development of care services for children, young people, and families.
- For funding purposes including to provide evidence that contracted services have been delivered.
- To fulfil a legal duty.
- With our IT Managed Service Provider to support your work IT requirements.
- To set you up as a user on cloud systems.
- Due to contractual requirements.
- To carry out research.
- To work with EACH contracted third parties.
- To make payments on employees’ behalf into their group personal pension scheme, or other deduction from pay.
- EACH may engage third party medical or therapeutic professionals, or other contractors or agency staff to work on site providing or supporting EACH services. These third parties may be given access to personal information on the same basis as EACH staff and will be contractually bound to the same standards of data protection and confidentiality.
- EACH uses third-party organisations or contractors who act under our data governance rules to carry out tasks on behalf of the charity. This may include data cleaning, direct mail fulfilment services, database technical support from IT providers, data hosting, external secure archiving, and confidential record destruction. These providers have the same obligations as EACH under data protection legislation and we ensure these obligations are built into our contracts with them.
- Payroll data will be shared with our payroll processing bureau and with His Majesty’s Revenue and Customs.
- Employee data may be shared with third parties for the purpose of occupational health assessments (consent will always be obtained for this).
- EACH may be required by law to share data to comply with legislation, for example, to safeguard a child or adult at risk of harm, as a result of a court order, a request from the police who are investigating a crime or an investigation from other authorities, for example, a tax enquiry.
Where the legal basis for processing data is based on consent, we will always obtain this from you before sharing data.
Your rights
Your rights are important to us. We recognise that you have the following rights:
- The right to be informed about your personal information we store and/or process
- The right of access to the information we hold about you and make a subject access request
- The rights of erasure or restricted processing
- The right of portability – you may be able to ask us to give information we hold about you to another organisation
- The right to object to the way in which we store or process your information
- The right to object to any automated decision-making process that we may use
If you would like to exercise any of these rights, please contact the data protection officer at [email protected] or telephone 01223 800800. You can also write to the Data Protection Officer at Church Lane, Milton, Cambridge. CB24 6AB.
Safeguards to protect your privacy
EACH takes data protection and information governance very seriously.
All EACH staff receive formal information governance training annually and are supported with resources, materials and advice to ensure that the organisation complies with the requirements of the various data management and protection legislation and best practice guidance.
An Information Governance Management Group oversees the arrangements for ensuring compliance with required law and standards. Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used in accordance with this privacy policy, applicable data protection laws and other regulatory requirements.
All access to data is managed through role-based security to ensure access to systems and data is restricted only to those who have appropriate authority.
All EACH-owned mobile devices and servers are encrypted, and data is held in a secure data centre. On our website, if the web page starts with HTTPS or if you see a padlock symbol, your data is encrypted when it is sent from your computer to its destination. If you do not see this symbol then it is not encrypted, and you should not send confidential, financial or sensitive data.
Software versions are updated to ensure they are supported, and EACH deploys up-to-date virus protection systems and participates in the NHS CareCERT virus and malware advisory system.
All data processes and systems at EACH are risk assessed to ensure compliance with legal requirements and best practice. The process includes the identification of the legal basis by which all information is processed. Depending on what this is, further steps are carried out to protect your interests; this may mean contacting you to obtain your specific consent or carrying out a balancing test to ensure our treatment is fair.
EACH has a retention policy for all data stored or processed on EACH systems. The retention policy is decided and then reviewed as part of the annual data risk assessment process. Information is only kept as long as it is required, or as long as there is a legal requirement to keep it. Information no longer required is disposed of in a secure manner.
To maximise the security around processing of financial transactions, the EACH website uses industry recognised secure payment processing companies to process payments. This means that whilst on an EACH website you may be seamlessly passed over to a third-party payment portal to complete your transaction (e.g. PayPal or Committed Giving) – this may include the transfer of personal details you have already provided. We will always make it clear where this happens.
Where our website links you to sites hosted by other organisations, we will make this clear, so you know you are leaving the EACH website.
International data transfers
Most of EACH data is processed in the UK or the European Economic Area (EEA) on EACH systems. Occasionally, there may be a requirement to process non-care data outside of this zone. Where data is sent outside of the EEA, we will ensure appropriate controls are in place to give your data the same level of protection as it would have in the EEA. This may be through data sharing agreements, national agreements or confidentiality contracts. If you require further information, you can request it from our Data Protection Officer.
Debit and credit card information
If you use your credit or debit card to donate or pay for a transaction, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard. EACH does not keep your payment card details – all card details and validation codes are securely destroyed once the payment or donation has been processed.
Inappropriate website and social media content
If you post or send any content we believe to be inappropriate, offensive or in breach of any laws, such as defamatory content, we may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies.
Changes to the Privacy Policy
We may need to change this notice in response to different ways of working, or new regulations. The version number and revision date are included in this notice. As a matter of course, we will review the notice every three years or sooner if changes are required. Please ensure you check our website for updates.