Privacy policy

East Anglia’s Children’s Hospices (EACH) is committed to protecting any personal information that you share with us or information that is provided to us by other organisations.

The purpose of this policy is to give you a clear explanation of what personal information we collect and how we collect, use and protect your personal information.

What is personal information?

Personal information is any information about you from which you can be identified, such as your name, address, date of birth, credit card details, IP address, photo or video image, but it may also be anything that identifies you, for example your NHS number or biometric data. For service users, some of this data will be sensitive and relate to their health and wellbeing, ethnicity and religious views.

By providing us with personal sensitive data you give us your explicit consent to process this sensitive personal data for the purposes set out in this Privacy Policy.

EACH will only use your information in ways that you would reasonably expect.  Sometimes we may undertake research, with your permission, to better understand people’s expectations about how their data will be used.

EACH will always consider the impact of processing your data before any action is taken to ensure that it has no unjustified adverse effects.

Information we may hold about you

Your information will only be collected, stored or processed where a specific purpose has been identified.

This will fall into the following categories:

Information required to provide you with EACH services. Service User Information and data held may include personal information such as name, address, contact details, date of birth, gender, ethnicity and religious beliefs, next of kin, information about your health and wellbeing collected by EACH and information received by us from other agencies and health and social care professionals involved in your care, emails, images, audio and video recordings, correspondence, care assessments, plans and records of care and services received, appointments, bookings, incidents, surveys, commendations, complaints and concerns.

Personal Information to support a contractual arrangement – for example, contracts of employment or other formal agreement.

Information required to comply with legal obligations – for example, Disclosure and Barring Service, VAT records, payroll records.

Information required in the legitimate interest of the charity or its subsidiaries – for example, as a supporter of the charity it will be in the legitimate interest of both EACH and you as a supporter to keep you informed about the work of EACH.

Information which you have provided us with your consent to process – for example, you may have given us your consent to send you marketing information.

Information which you may have provided us with as a matter of your own vital interest, i.e. to maintain your own personal safety, such as next of kin or information about your health. If you have provided us with details of relatives or next of kin, it is your responsibility to ensure that you have made them aware of this and that they accept the terms of this privacy policy.

Information collected by our website – including the internet protocol (IP) address used to connect your computer and other information about your browser type, version, times, operating system and platform and Uniform Resource Locators (URLs or web addresses) clickstream to, through and from our site and browsing activity on our site.

How information is collected

Information you provide directly to us
Information is given to us directly when, for example, you become a service user, register for a fundraising event, volunteer to support the charity, become an employee, or make a donation.

We will ask you to provide personal information. You may provide this on a form, during a discussion, over a web form or by other means.

The details we ask you for will be directly related to the purpose for which they are required, for example:

  • A charitable donation may be given anonymously, but we would prefer to have your contact details so that we can confirm receipt and keep you informed; you will be able to choose whether or not you supply this information. Depending on your payment method we may need to record your payment details.
  • As a donor, we will often ask you for more information than the bare minimum to process your donation; this may be so that we can identify you as an event entrant or it may be part of building a long-term relationship with you. Our fundraisers will be genuinely interested in how you have raised funds and why you have chosen to support EACH and may record this information so they have a record when they next contact you.
  • If you are a member of staff or a volunteer, more information will be required. Depending on the work you do, we may need to ask you for sufficient information to carry out some background checks, and there is certain information that we are required to have on record.
  • If you are a service user then your records may include sensitive personal data, including medical information.

Information collected electronically
You may provide information to us directly through our website.  When you interact with an EACH website it is helpful to be able to identify you to improve your experience.  Like most websites EACH uses ‘cookies’ to enable the website to recognise you when you return.  A cookie is a small text file that transfers to your computer (or phone or tablet) and can help with things such as auto-filling your name and address in text fields.

By using an EACH website you are confirming you agree to our privacy and cookies policies.

There is more information about how cookies work as an appendix to this document.

If you enter details onto one of our online forms and you don’t send or submit the form, we may contact you to see if we can help with any problems you may be experiencing with the form or with our website.

CCTV
Some of our premises are monitored by CCTV or door access systems. For the purposes of security, images and videos may be retained for a limited period of time.

Information provided by third parties
Sometimes information will be provided indirectly through a third party, for example: through a donation website (e.g. Just Giving), from an organisation where you have given permission to share your data, or service user information may have been shared with EACH through the NHS spine or by other agencies, health and social care professionals.

Third parties must only supply EACH with your information if they have the correct lawful authority to do so.  When you share your information with anyone you should check their privacy policy so you understand how they will process and share your data. You should also regularly check your security settings for online services with whom you share your data.

Information collected from public sources
EACH may collect information from public sources such as Companies House, social media profiles, newspapers and other published material. EACH may also carry out research into population demographics, geographic data or other areas which may impact on our future service delivery or identify potential areas of focus to raise funds.

How we use your data

The following gives examples of how data is used:

  • For the purpose of treatment and care
  • To make sure we maintain our responsibilities for quality and accountability
  • To inform the development of care services for children, young people and families
  • To raise awareness of needs of families & EACH services
  • For funding purposes
  • To provide you with information, products or services that you request
  • To keep you informed about the work of the charity
  • To ask for your support to help EACH continue our work of caring for life-threatened children, young people and their families. This may be through volunteering, fundraising, becoming a gift-aider or other means of providing support to the charity
  • To provide you with other services, for example, our library service
  • To maintain a relationship with you as a supplier of services
  • To ensure we contact supporters with the most appropriate communication, we may profile your data by combining the information we hold with other sources of information or carry out other analysis techniques. This will enable EACH to contact you in the most relevant way and provide an improved experience. It will also enable EACH to have a greater insight and understanding of its supporters and use the information to develop the charity’s donor base. If you do not want your data to be used in this way then you can opt out at any time by emailing supportercare@each.org.uk or by telephoning 01223 800800.

We may record telephone conversations for the purposes of staff training or other development.

Marketing
If you have consented to our processing your personal data for marketing purposes, in accordance with this Privacy Policy, we may send you information (via email, post, phone or text) about our activities and services we consider of interest to you.

You have the right to ask us not to process your information in this way at any time.  If you no longer wish to receive emailed or web based marketing information you can unsubscribe at www.each.org.uk/unsubscribe. For non-web based marketing please contact supportercare@each.org.uk.

How we will contact you

If you have told us how you prefer to be contacted then we will use your preferred method to contact you.  This may be by post, email, telephone, text or another method you have requested.

We will comply with the requirements of the data protection laws and the Fundraising Regulator guidance to ensure we do not contact you without your consent for the purposes of marketing calls by telephone, email or text message.

We understand people may give us their contact details for a variety of purposes, but will only use them for marketing purposes if this was made clear at the time they were given and we received your consent.

Sharing information

Service user information may be shared with other parties for the following reasons:

  • For the purpose of treatment and care
  • To make sure we maintain our responsibilities for quality and accountability
  • To inform the development of care services for children, young people and families
  • To raise awareness of needs of families & EACH services.
  • For funding purposes including to provide evidence that contracted services have been delivered.
  • To fulfil a legal duty
  • To provide information to regulatory bodies.
  • To carry out research

We will always seek consent before identifiable service user information is shared for the purposes listed above.

National Data Opt-Out Programme
From May 25th 2018, any person aged 13 years or over, with an NHS number, can opt out of having their confidential identifiable patient information used for reasons other than their individual care and treatment. A person with parental responsibility can opt out on behalf of a child under 13 years of age. If you wish to opt out or wish to find out more information about this, please visit the national data opt out programme or ask a member of your local hospice team for a leaflet.

Third party agencies
EACH does not sell personal details to third parties for the purposes of marketing.

EACH uses third party agencies who act under contract to carry out tasks on behalf of the charity.  This may include data cleaning, direct mail fulfilment services, database technical support from IT providers, data hosting, external secure archiving, and confidential record destruction.  These providers, in addition to contractual commitments to EACH, have the same obligations as EACH under data protection legislation.

EACH may also engage third party medical or therapeutic professionals or other contractors or agency staff to work on site providing or supporting EACH services.  These third parties may be given access to personal information on the same basis as EACH staff and will be contractually bound to the same standards of data protection and confidentiality.

Employee data may be shared with third parties for the purpose of occupational health assessments; consent will always be obtained for this.  Payroll data will be shared with our payroll processing bureau and with Her Majesty’s Revenue and Customs.

Where possible, EACH will always choose to anonymise data before sharing with third parties.

EACH may be required by law to share data to comply with legislation, for example, to safeguard a child or adult at risk of harm, as a result of a court order, a request from the police who are investigating a crime or an investigation from other authorities, for example, a tax enquiry.

Safeguards to protect your privacy
EACH takes data protection and information governance very seriously.

All EACH staff receive formal training annually and are supported with resources, materials and advice to ensure that the organisation complies with the requirements of the various data management and protection legislation and best practice guidance. This includes the General Data Protection Regulations (EU) 2016, the NHS Digital Data Protection & Security toolkit and National Data Guardian’s 10 Data Security Standards 2017.

An information governance management group oversees the arrangements for ensuring compliance with required law and standards. Your personal data will be kept confidential and secure and will, unless you agree otherwise, only be used for the purpose(s) for which it was collected and in accordance with this Privacy Policy, applicable Data Protection Laws and other regulatory requirements (e.g. The Fundraising Regulator).

All access to data is managed through role-based security to ensure access to systems and data is restricted only to those who have appropriate authority.

All EACH mobile devices and servers are encrypted and data is held in a secure data centre. On our website, if the web page starts with HTTPS or if you see a padlock symbol, your data should be encrypted when it is sent from your computer to its destination. If you do not see this symbol then it is not encrypted and you should not send confidential, financial or sensitive data.

Software versions are updated to ensure they are supported and EACH deploys up-to-date virus protection systems and participates in the NHS CareCERT virus and malware advisory system.

All data processes and systems at EACH are risk assessed to ensure compliance with legal requirements and best practice.  The process includes the identification of the legal basis by which information is processed.  Depending on what this is, further steps are carried out to protect your interests; this may mean contacting you to obtain your specific consent or carrying out a balancing test to ensure our treatment is fair.

EACH has a retention policy for all data stored or processed on EACH systems.  The retention policy is decided and then reviewed as part of the annual data risk assessment process.  Information is only kept as long as it is required, or as long as there is a legal requirement to keep it.  Information no longer required is disposed of in a secure manner.

In order to maximise the security around processing of financial transactions the EACH website uses industry recognised secure payment processing companies to process payments.  This means that whilst on an EACH website you may be seamlessly passed over to a third-party payment portal to complete your transaction (e.g. PayPal or SagePay) – this may include the transfer of personal details you have already provided.  We will always make it clear where this happens.

Where our website links you to sites hosted by other organisations, we will make this clear so you know you are leaving the EACH website. No personal data will be transferred over these links.

The majority of EACH data is processed in the UK or the European Economic Area (EEA) on EACH systems.  Occasionally there may be a requirement to process non-care data outside of this zone. Where data is sent outside of the EEA we will ensure appropriate obligations are in place to give your data the same level of protection as it would have in the EEA.  This may be through data sharing agreements, national agreements or confidentiality contracts.  By providing your personal data to EACH you agree to this transfer, storage and processing.

Debit and Credit Card Information
If you use your credit or debit card to donate or pay for a transaction we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standard.  EACH does not keep your payment details – all card details and validation codes are securely destroyed once the payment or donation has been processed.

Young Persons
EACH is committed to protecting the privacy of the young people who engage with us through receiving care, volunteering or fundraising.

Sometimes we may ask for your age so that we can identify whether you are a young person.  For example, if you are under 16 we will want to ensure we have your parents’ consent before you give us your personal information.  When we collect information about a child or a young person we will make it clear as to the reasons for collecting this information and how it will be used.

Service Users Privacy Statement
More detailed information regarding how service user information is managed can be found in the Family Information Leaflet 10 What happens to your information

Vulnerable Supporters Policy
EACH is committed to protecting vulnerable supporters. Please refer to our Vulnerable Supporters Policy (pdf) on our website for more information.

Inappropriate Website Content
If you post or send any content that we believe to be inappropriate, offensive or in breach of any laws, such as defamatory content, we may use your personal information to inform relevant third parties such as your internet provider or law enforcement agencies.

Your rights

Your rights are important to us. We recognise that you have the following rights:

  • The right to be informed about your personal information we store and/or process
  • The right of access to the information we hold about you and to make a subject access request
  • The rights of erasure or restricted processing
  • The right of portability – you may be able to ask us to give information we hold about you to another organisation
  • The right to object to the way in which we store or process your information
  • The right to object to any automated decision-making process that we may use

If you would like to exercise any of these rights, please contact the data protection officer at DataProtection@each.org.uk or telephone 01223 800800. You can also write to the Data Protection Officer at Church Lane, Milton, Cambridge, CB24 6AB.

Other information

For the purposes of Data Protection Laws, the Data Controller is:

East Anglia’s Children’s Hospices with the registered address of Church Lane, Milton, Cambridge, CB24 6AB

Registered Charity Number 1069284

Company number 03550187 (registered in England and Wales)

Where this document refers to “we”, “us” or “EACH” we mean East Anglia’s Children’s Hospices and its trading subsidiaries East Anglia’s Children’s Hospices (Trading) Limited, Stable Trading and the Children’s Hospice for the Eastern Region.

You may contact the EACH data protection officer at any time if you have any concerns or questions about how your data has been used. Contact can be made by emailing DataProtection@each.org.uk, or in writing to Data Protection Officer, East Anglia’s Children’s Hospices, Church Lane, Milton, Cambridge, CB24 6AB.

If you are not satisfied with the way EACH handles your request you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website at http://www.ico.org.uk
