Data Protection Policy

1. INTRODUCTION

In line with our mission, vision and values we see all individuals as unique and deserving of respect, dignity and choice. We take our duty of care seriously and take all possible steps to ensure our staff behave with compassion, integrity and professionalism and uphold our reputation as an outstanding Hospice.

This policy provides a framework for all staff and volunteers that identifies and promotes best practice, minimises uncertainty for staff and volunteers, and ensures they are able to deliver services that are caring, safe, effective, responsive and well lead.
Our Mission: To make every day count for those affected by life-limiting illnesses.
Our vision: To be a centre of excellence within our community and to provide all-embracing, compassionate and individualised care to all those affected by life-limiting illnesses, at a time and a place that is right for them.

Our values:
Respect
Professionalism
Choice
Compassion
Reputation
Integrity

1.1 St Cuthbert’s Hospice needs to process personal identifiable information and in some cases personal sensitive information about patients, employees/volunteers (present, past and prospective), Board of Directors, clients, donors, suppliers and other business contacts to enable it to run efficiently and effectively for the benefit of those it serves.
1.2 During the course of duties with the Hospice, volunteers, staff, trustees and where permitted third parties, will be dealing with personal and/or sensitive information such as names/addresses/phone numbers of clients, volunteers and donors, and also certain details on the health of clients. Personal and/or Sensitive information may also be overheard while working at the Hospice.

1.3 Personal information includes name, address, email address, data of birth etc. The Hospice also processes personal information using a CCTV system to monitor and collect visual images for security and the prevention and detection of crime. No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal identifiable information must be dealt with properly to ensure compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) – which regulates the “processing” of personal data.

1.4 The lawful and proper treatment of personal identifiable information by St Cuthbert’s Hospice is extremely important to its success and in order to maintain the confidence of our service users, employees, volunteers and all stakeholders. All staff and volunteers who process personal data in any form must ensure that they comply with the requirements of the Data Protection Act 2018 and this Data Protection Policy including any procedures and guidelines which may be issued. This policy aims to ensure the Hospice treats personal information lawfully and correctly.

2. POLICY STATEMENT

2.1 The Hospice is committed to protecting the rights and freedoms of individuals in accordance with the provisions of the Data Protection Act 2018. To comply with the law, information must be collected and used fairly, stored safely and may only be disclosed with lawful authority. The Hospice supports and complies with the seven principles set out in the Data Protection Act 2018, which are summarised below:

2.1.1 Personal data must be obtained and processed fairly, lawfully and in a transparent manner in relation to individuals.

2.1.2 Data can only be collected and used for specified, explicit and legitimate purposes.

2.1.3 Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

2.1.4 Data must be accurate and up to date.

2.1.5 Data must not be held any longer than is necessary for its given purpose.

2.1.6 Data must be processed in a manner that ensures appropriate security of the personal data, including protection from unauthorised access, accidental loss or damage.

2.1.7 The Hospice shall be responsible for, and be able to demonstrate, compliance with the above principles.

3. SCOPE

3.1 This policy will ensure that personal identifiable and sensitive information is processed, stored, handled, transferred, disclosed and disposed of lawfully. Personal identifiable information should be handled in the most secure manner by authorised staff only, on a need to know basis.

3.2 The Data Protection Act 2018 applies to all aspects of handling personal identifiable information by St. Cuthbert’s Hospice, whether clinical or non-clinical, in either paper or electronic format.

3.3 This policy applies to:
• All information used by the Hospice
• All information systems managed by or for the Hospice
• Any individual using information “owned” by the Hospice
• Any individual requiring access to information “owned” by the Hospice
• Any individual working on behalf of the Hospice, or anyone who accesses Hospice premises and information which is owned or managed by the Hospice

3.4 This policy covers all aspects of information used by St Cuthbert’s Hospice including but not limited to (collectively known as clients):
• Patients/guests/relatives/carers
• Customers/suppliers/contractors
• Staff and volunteers
• Finance and Service User information
• Organisational administrative information
• Complainants
• Information provided from donors and supporters through the development team.

4. DEFINITIONS

4.1 Personal data means any information which helps the Hospice to identify living individuals, such as name, address, telephone or email address. This data may also include financial details and optional information such as personal, family and lifestyle details. “Identify” means information that tells you something about that person at that time which could have an impact on them e.g. a photograph

4.2 Sensitive personal data may consist of information that makes reference to particular matters of an identifiable person, e.g. their health, ethnicity, religion, criminal records, sexual life. The Hospice holds such data for instance for equal opportunities monitoring.

4.3 “Processing” in relation to information or data is a wide ranging activity that includes obtaining, recording, holding or storing personal data and carrying out any operations on it such as adaptations, alterations, transfer, retrieval, disclosure and erasure or destruction.

4.4 Data controller
The Hospice, as an organisation, is the Data Controller and determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data controllers must ensure that any processing of personal data for which they are responsible complies with the Data Protection Act 2018. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.

4.5 A Processor is responsible for processing personal data on behalf of a controller and is required to maintain records of personal data and processing activities.

4.6 Data subject means a living individual who is the subject of the personal data.

4.7 The Information Commissioners Office (ICO)

The ICO Is the UK’s independent regulator set up to uphold the public’s information rights. The ICO investigates complaints made by the public and provides guidance for the public and organisations.

4.8 Privacy Notice
A Privacy notice is published on the Hospice’s website. This indicates what to expect when the Hospice collects personal information.

5. ROLES AND RESPONSIBILITIES

5.1 The Senior Information Risk Owner (SIRO)
The Chief Executive is the designated SIRO and has overall accountability and responsibility for ensuring information is shared safely, securely and lawfully.

5.2 Data Protection Officer (DPO)
The Data Protection Officer is responsible for overseeing the systems and procedures that support the implementation of this policy, as well as supporting and advising staff.

5.3 Caldicott Guardian
The Medical Director is the designated Caldicott Guardian and has overall responsibility for the safety of patient and service user confidentiality and information sharing issues, and is the officer responsible for overseeing all aspects of confidentiality and security in relation to the appropriate use, access to and transfer of patient identifiable information.

5.5 Information Asset Owners (IAO)
It is the responsibility of the Hospice’s Information Asset Owners to ensure that all information assets are documented and kept appropriately secure, in line with the Data Protection Act 2018 and are not kept for longer than necessary. IAO will be supported by Asset Administrators, but the overall responsibility rests with the IAO. Details of owners and administrators are identified in appendix 1.
IAO’s are responsible for the completion of a Data Protection Impact Assessment (DPIA) where appropriate. This is a process which helps assess privacy risks to individuals in the collection, use and disclosure of information. DPIAs help identify privacy risks, foresee problems and bring forward solutions. The DPIA Procedure should be consulted in determining whether a DPIA is required.

5.6 All Staff and Volunteers

5.6.1 Hospice staff, Board of Directors, volunteers and any third parties, permitted to access, process, or use any personal information in the course of their duties must ensure that the Data Protection Act 2018 principles are followed at all times. The Hospice will provide guidance and training to enable staff and volunteers to understand and carry out their responsibilities and monitor compliance with their obligations.

5.6.2 All staff and volunteers are responsible for ensuring they keep up to date with Hospice policies, procedures and guidance.

5.6.3 Staff and volunteers are also responsible for ensuring that the personal data the Hospice holds about them is accurate and up to date by informing the Human Resources Department of any changes or errors.

6. PERSONAL DATA RELATING TO CLIENTS

6.1 The Hospice obtains contact details (names, addresses, and phone numbers) and health details from clients. This data is obtained, stored and processed solely to assist staff and volunteers in the efficient running of the service requested by the client. Personal details supplied by clients are not used to send marketing material or Hospice newsletters, unless prior consent is obtained.

7. PERSONAL DATA RELATING TO CONTRACTORS/SUPPLIERS

7.1 Where a contractor undertakes work on behalf of the Hospice which involves the processing of personal data, the Hospice remains the data controller of that data. It is the contractor’s responsibility to inform the Hospice of any change in the “processing of data” that is owned by the Hospice this includes any change in software or subcontracting.

8. PERSONAL DATA RELATING TO DONORS

8.1 The personal data that donors provide to us when making a donation, or taking part in a fundraising activity, is held on the Hospice’s fundraising database. Unless the donor instructs the Hospice otherwise, the information provided will be used to post information about St Cuthbert’s Hospice future news and events. Donors may request to “opt out” of receiving this information as indicated on the Hospice Privacy Notice, published on the website.

9. SECURITY OF PERSONAL DATA

9.1 Staff and volunteers must ensure that they employ safeguards for personal data proportionate to the risks presented in their processing activities. Personal data should not be taken off site unless absolutely necessary and with the permission of a member of the Senior Management Team.

10. TRANSFER OF DATA TO THIRD PARTIES

10.1 Personal data must not be disclosed to any third party (including family members and the police) except in the following circumstances:
• The data subject has given consent. This is unambiguously achieved
• It is necessary to protect the vital interests of the data subject
• It is necessary to prevent serious harm to a third party
• It is required to safeguard national security
• It is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty
• It is necessary for the discharge of regulatory functions including securing the health, safety and welfare of persons at work
• It is available to the public anyway by law
• It is necessary to establish, exercise or defend legal rights
• It has been published

11. RIGHT TO ACCESS PERSONAL INFORMATION

11.1 Under the Data Protection Act 2018, all data subjects have the right to request access to his/her personal data held by the Hospice. Such a request is known as a “subject access request”.

11.2 All applications must be directed through either the Chief Executive, Caldicott Guardian or Data Protection Officer who will coordinate the request on behalf of the Hospice in line with the Access to Records Procedure.

12. RIGHT TO REQUEST THAT PERSONAL DATA IS NOT PROCESSED

12.1 The Hospice recognises that under the Data Protection Act 2018 an individual can request that his/her personal data is not processed for one or more purposes by a data controller (The Hospice). However, in some cases, the Hospice may lawfully decline such a request.

13. REPORTING BREACH OR LOSS OF PERSONAL DATA

13.1 Reporting of risks and incidents is important to ensure that appropriate action is taken so that risks/incidents do not reoccur and to learn from them.
13.2 Any breaches/losses of personal data must be reported to the line manager and the Data Protection Officer. The incident reporting procedure will be followed.
13.3 Serious data breaches must be reported to the ICO under the Data Protection Act 2018 within 72 hours of becoming aware of the breach.

14. RETENTION/DISPOSAL OF RECORDS CONTAINING PERSONAL DATA

14.1 The Hospice must only retain personal data for the length of time the information is required for the specific purpose they were collected.

14.2 Reference should be made to the Document Archiving, Retrieval and Destruction procedure together with the Hospice’s Document Retention Procedure which details the minimum periods of retention of records and the process for archiving and destruction of Information.

14.3 Staff and volunteers must ensure the destruction of personal data is carried out confidentially and completely. Where multiple copies of the data exist, all paper and electronic copies must be destroyed. Where personal data is recorded in paper form, the paper must be securely shredded.

15. REVIEW AND AUDIT

15.1 This Policy will be reviewed by the Governance Review Committee every three years or more frequently if appropriate to take into account changes to legislation that may occur, and/or guidance from the Information Commissioner.

15.2 Line Managers will be responsible for auditing and monitoring compliance with this policy at least once every two years.

15.3 The Governance Review Committee will be responsible for receiving and considering reports on any breaches of this policy.

ASSOCIATED DOCUMENTS AND PROCEDURES

• Access to Records Procedure
• Access to Records Policy
• Sharing Patients Information Policy
• Information Governance Policy
• Social Media Policy & Guide
• Privacy Notice
• Electronic Data Use, Storage and Archiving Policy
• Document Archiving, Retrieval and Destruction Procedure
• Document Retention Procedure
• IT Security Procedure
• Complaints Policy
• Data Protection Impact Assessment

REFERENCES AND GUIDELINES

Information Commissioner:
ico.org.uk

Government legislation:
www.legislation.gov.uk/ukpga/2018/12/contents/enacted

POLICY NAME: Data Protection Policy
DATE OF FIRST APPROVAL: July 2016
DATE OF LAST REVIEW: November 2021
DATE OF NEXT REVIEW: November 2024