St John’s Hospice is committed to protecting your personal data and to ensuring that your privacy rights are respected. This statement sets out why and how we collect your information, how your information is used as well as the circumstances where information might be shared with others.
We comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. This statement sets out the information we are required to provide to you and explains your rights under this legislation.
Why we collect information about you and how it is used
Service Users & Patients
We keep records about your health and any treatment. These records help to ensure that you receive the best possible care. They may be written down in paper records or held on computer. The health data that we collect about patients is regarded as “special category” data as it is more sensitive than other types of information.
Your records are used to direct, manage and deliver the care you receive. This ensures that our clinicians have accurate and up-to-date information to assess your health and decide on the best care for you, and it ensures that appropriate information is available if you need to see another professional.
Personal data may also be used for the following reasons:
• To review the care we provide to ensure it is of the highest standard and quality
• To ensure our services can meet patient needs in the future
• To investigate patient queries, complaints and legal claims
• To ensure that we receive payment for the care you receive
• To prepare statistics on our performance
• To help to train and educate healthcare professionals
Everyone working within the Hospice has a legal duty to keep information about you confidential.
Similarly, anyone who receives information from us has a legal duty to keep it confidential.
We will not disclose your information to any other third parties except, where there is a legitimate interest, we may share information with:
• Medical Professionals engaged by us to carry out services to you
• Your GP or medical practitioner
• The Department of Health or any other statutory body to whom we are required to submit data
• Authorised organisations to convert your data into an anonymised statistical form
• We may be required to disclose information to the Police, any regulatory or Government departments or a court of law.
We will inform you as soon as reasonably practical after we receive the request, unless we are prohibited by law from doing so or it is not practicable to do so.
Families and Next of Kin
• We collect information about family members, as part of our provision of care to patients and in order to provide assistance and support following bereavement. We collect information such as the names, addresses and phone numbers of family members, and make records of our involvement with family members.
• We may also use this information to contact family members to allow them to participate in surveys that we carry out to assess how family members rate the quality of care that is provided to their relative.
• The legal justification that we use to carry out this activity is (Article 6) that it is in the “public interest” or is in line with our “official functions” and (Article 9) it is necessary for “medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems”.
• You have the right to object to us using your information in this way; if you or a family member would like to opt out of such surveys, please inform a member of staff and we shall not include you.
Donors and Beneficiaries
We hold the personal data of our donors and supporters, whether those are individuals or organisations. We also hold personal data on our beneficiaries to whom we deliver various services. The exact data held will depend on the services provided.
Where we engage with individuals, we may collect and process personal data in order to deliver our services, to process a donation, or to fulfil any other fundraising and/or charitable activity. We request that individuals only provide the personal data that is required for us to fulfil our business operations.
What data is processed?
The data that is processed is dependent on the service that is being provided and on the recipient of this service.
• Services to beneficiaries. Personal data may include contact details, photographs, videos and any other specifically relevant data.
• Services to donors. Personal data may include contact details, history of giving, financial information, banking information, interests, relationships, addresses, and other personal data that is relevant to our fundraising and general marketing purposes.
The legal basis for use of your personal data
We use your personal data in line with the following legal justifications or “grounds”:
• You have requested us to take steps in order for you to enter into a contract with the Hospice so that we may provide you with healthcare services
• You have given consent to the processing of your personal data for one or more specific purposes
• The use of your personal data is necessary for the provision of healthcare services provided to you as part of the contract between you and the Hospice
• We have a legitimate interest in using your personal data which does not override your privacy rights (our legitimate interests include quality assurance, improving our services, monitoring outcomes and maintaining business records)
• Processing of your personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
• We have a legal or regulatory obligation to use your personal data.
The information that we process as part of providing your service includes “special category” information. This special category information is data related to race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. The legal basis that we use to process this special category information is:
• The use of the information is necessary for medical diagnosis or the provision of healthcare services
How long is your personal information kept for?
Your personal information is kept in line with the recommended legal and professional best practice retention standards set out in the NHS Records Management Code of Practice for Health and Social Care 2016.
You have rights under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. These rights include:
Disclosure of information
You have the right to restrict how and with whom we share the personal information in your records that identifies you. You can also change your mind at any time about a disclosure decision.
Right of access to your health records
The EU General Data Protection Regulation (GDPR) and the Data Protection Act (DPA) 2018 give you a right to access the information we hold about you on our records. The Access to Health Records Act (AHRA) 1990 provides certain individuals with a right of access to the health records of a deceased individual. Requests can be made in writing to the Hospice at the following address:
St John & St Elizabeth Hospital
60 Grove End Road,
St John’s Wood,
The Hospice will provide information to you within one month of receipt of:
A completed application form containing adequate supporting information (such as your full name, address, date of birth, NHS number, proof of identification etc.)
The Hospice must be able to verify your identity using “reasonable means”. Please send all requests to the above address along with an indication of what information you are requesting to enable us to locate it in an efficient manner.
This can be extended by a further two months where the request is complex or where there are numerous requests. If this is the case, we will contact you within one month of the receipt of the request and explain why the extension is necessary.
Other rights in relation to your personal data
In addition to the right to access your health records (which is referred to as a Subject Access Request), you have other rights in relation to your personal data:
Right to restriction of processing: there are some circumstances where you may wish us to stop using your personal data for a period of time. We are not obliged to comply with all requests and we will consider other factors such as whether we need to continue to process your information in order to perform tasks which are in the public interest, including public health, or for the purposes of establishing, exercising or defending legal claims.
Right to rectification: we are careful to ensure the accuracy of your information but you may ask us to amend or update your data if you feel that this is necessary.
Right to data portability: we must transfer the information that you have provided to us to you (or another individual or organisation) at your request if it is technically feasible for us to do so.
Right to object: your rights include the right to object to particular uses of your information (such as your information being shared with third parties). In general, this right is available to you where we process your data in relation to our legitimate interests. You have the right to withdraw consent to your contact details being used for Marketing or Fundraising purposes.
Right to erasure (right to be forgotten): in certain circumstances you have the right to request we delete the personal information we hold about you. We do not have to comply with any such request where the personal data is directly related to the provision of healthcare services, if it is necessary to comply with a legal obligation or if it is for the establishment, exercise or defence of legal claims.
If you are not happy with the way in which we have dealt with a request from you in relation to any of your rights or have any concerns in relation to the lawful processing of your personal data then you may make a complaint to the Information Commissioner’s Office at the following address:
Information Commissioner’s Office
Telephone: 0303 123 1113
Further information can be found on the ICO website: www.ico.org.uk
St John’s Hospice is part of the St John & St Elizabeth Hospital. The Hospital is the Data Controller and is registered with the Information Commissioner’s Office (registration number Z8761565). The Data Controller can be contacted at the following address:
St John & St Elizabeth Hospital
60 Grove End Road,
St John’s Wood,
Telephone: 020 7806 4000
A Data Protection Officer (DPO) has been appointed whose role is to monitor compliance with the GDPR & the DPA, train staff and conduct internal audits and to be the first point of contact for supervisory authorities and for individuals whose data is processed. Should you wish to contact the DPO please email firstname.lastname@example.org or call 020 7806 4000 (x3365).