Skip to content


Data protection Policy

1.1  St Cuthbert’s Hospice needs to process personal identifiable information and in some cases personal sensitive information about patients, employees/volunteers (present, past and prospective), Board of Directors, clients, donors, suppliers and other business contacts to enable it to run efficiently and effectively for the benefit of those it serves.

1.2  During the course of duties with the Hospice, volunteers, staff, trustees and where permitted third parties, will be dealing with personal and/or sensitive information such as names/addresses/phone numbers of clients, volunteers and donors, and also certain details on the health of clients. Personal and/or Sensitive information may also be overheard while working at the Hospice.

1.3  Personal information includes name, address, email address, data of birth etc. The Hospice also processes personal information using a CCTV system to monitor and collect visual images for security and the prevention and detection of crime. No matter how it is collected, recorded and used (e.g. on a computer or on paper) this personal identifiable information must be dealt with properly to ensure compliance with the Data Protection Act 2018 and the General Data Protection Regulations (GDPR) – which regulates the “processing” of personal data.

1.4  The lawful and proper treatment of personal identifiable information by St Cuthbert’s Hospice is extremely important to its success and in order to maintain the confidence of our service users, employees, volunteers and all stakeholders. All staff and volunteers who process personal data in any form must ensure that they comply with the requirements of the Data Protection Act 2018 and the Data Protection Policy including any procedures and guidelines which may be issued. This policy aims to ensure the Hospice treats personal information lawfully and correctly.


2.1 The Hospice is committed to protecting the rights and freedoms of individuals in accordance with the provisions of the Data Protection Act 2018. To comply with the law, information must be collected and used fairly, stored safely and may only be disclosed with lawful authority. The Hospice supports and complies with the seven principles set out in the Data Protection Act 2018, which are summarised below:

2.1.1 Personal data must be obtained and processed fairly, lawfully and in a transparent manner in relation to individuals.

2.1.2  Data can only be collected and used for specified, explicit and legitimate purposes.

2.1.3  Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

2.1.4  Data must be accurate and up to date.

2.1.5  Data must not be held any longer than is necessary for its given purpose.

2.1.6  Data must be processed in a manner that ensures appropriate security ofthe personal data, including protection from unauthorised access,accidental loss or damage.

2.1.7  The Hospice shall be responsible for, and be able to demonstrate,compliance with the above principles.


3.1  This policy will ensure that personal identifiable and sensitive information is processed, handled, transferred, disclosed and disposed of lawfully. Personal identifiable information should be handled in the most secure manner by authorised staff only, on a need to know basis.

3.2  The Data Protection Act 2018 applies to all aspects of handling personal identifiable information by St. Cuthbert’s Hospice, whether clinical or non-clinical, including (but not limited to) structured record systems (paper and electronic) and the transmission of information (fax, email, post and telephone) that identifies or could identify an individual.

3.3  This policy applies to:

  • All information used by the Hospice,
  • All information systems managed by or for the Hospice
  • Any individual using information “owned” by the Hospice
  • Any individual requiring access to information “owned” by the Hospice
  • Any individual working on behalf of the Hospice, or anyone who accessesHospice premises and information which is owned or managed by the Hospice.

3.4 This policy covers all aspects of information within St Cuthbert’s Hospice includingbut not limited to (collectively known as clients):

    • Patients/guests/relatives/carers
    • Customers/suppliers/contractors
    • Human Resources – staff and volunteers
    • Finance and Service User information
    • Organisational administrative information
    • Complainants
    • Information provided from donors and supporters through the fundraising team.


4.1 Personal data means any information which helps the Hospice to identify living individuals, such as your name, address, telephone or email address. This data may also include financial details and optional information such as personal, family and lifestyle details. “Identify” means information that tells you something about that person at that time which could have an impact on them e.g. photograph

4.2  Sensitive personal dataMay consist of information that makes reference to particular matters of an identifiable person, e.g. their health, ethnicity, religion, criminal records, sexual life. The Hospice holds such data for instance for equal opportunities monitoring

4.3  “Processing” in relation to information or data is a wide ranging activity that includes obtaining, recording, holding or storing personal data and carrying out any operations on it such as adaptations, alterations, transfer, retrieval, disclosure and erasure or destruction.

4.4  Data controllerThe Hospice, as an organisation, is the Data Controller and determines the purposes for which and the manner in which any personal data are, or are to be, processed. Data controllers must ensure that any processing of personal data for which they are responsible complies with the Data Protection Act 2018. Failure to do so risks enforcement action, even prosecution, and compensation claims from individuals.

4.5  A Processor is responsible for processing personal data on behalf of a controller and is required to maintain records of personal data and processing activities.

4.6  Data subject means an individual who is the subject of personal data.

4.7  The Information Commissioners Office (ICO)The ICO Is the UK’s independent regulator set up to uphold the public’s information rights. The ICO investigates complaints made by the public and provides guidance for the public and organisations.

4.8  Privacy NoticeA Privacy notice is published on the Hospice’s website. This indicates what to expect when the Hospice collects personal information.


5.1 Board of Trustees/Chief Executive

The Board of Trustees is ultimately responsible for the policy’s implementation. Responsibility for information governance is delegated to the Chief Executive

5.2  Data Co-ordinatorThe Hospice has designated the Head of Human Resources as Data Co- ordinator to deal with any day-to-day matters arising from the implementation of the Data Protection Policy and any requests for information under the Data Protection Act 2018. The Data co-ordinator is also responsible for notifying to the Information Commissioner the purposes for which it processes personal data. Details of the Hospice’s Data Controller Notification can be obtained from the Information Commissioner’s website (Registered no: Z22126399).

5.3  Caldicott GuardianThe Clinical Services Manager acts as the Caldicott Guardian. The Caldicott Guardian is responsible for agreeing and reviewing protocols for governing the transfer and disclosure of patient-identifiable information across the Hospice, supporting agencies and external parties.

5.4  Central Support Services ManagerSupport the effective governance of St Cuthbert’s Hospice which drives performance improvement.

5.5  Information Asset Owners (IAO)It is the responsibility of the Hospice’s Information Asset Owners to ensure that all information assets are documented and kept appropriately secure, in line with the Data Protection Act 2018 and are not kept for longer than necessary. IAO will be supported by Asset Administrators, but the overall responsibility rests with the IAO. Details of owners and administrators identified in appendix 1.

5.6  All Staff and Volunteers

5.6.1 Hospice staff, Board of Directors, volunteers and any third parties, permitted to access, process or use any personal information in the course of their duties must ensure that the Data Protection Act 2018 principles are followed at all times. The Hospice will provide guidance and training to enable staff and volunteers to understand and carry out their responsibilities and monitor compliance with their obligations.

5.6.2 All staff and volunteers are responsible for ensuring they keep up to date with Hospice policies, procedures and guidance.

5.6.3 Staff and volunteers are also responsible for ensuring that the personal data the Hospice holds about them is accurate and up to date by informing the Human Resources Department of any changes or errors.


6.1 The Hospice obtains contact details (names, addresses, and phone numbers) and health details from clients. This data is obtained, stored and processed solely to assist staff and volunteers in the efficient running of the service requested by the client. Personal details supplied by clients are not used to send marketing material or Hospice newsletters, unless prior consent is obtained.


7.1 Where a contractor undertakes work on behalf of the Hospice which involves the processing of personal data, the Hospice remains the data controller of that data. It is the contractor’s responsibility to inform the Hospice of any change in the “processing of data” that is owned by the Hospice this includes any change in software or subcontracting.



9.1 Staff and volunteers must ensure that they employ safeguards for personal data proportionate to the risks presented in their processing activities. Personal data should not be taken off site unless absolutely necessary and with the permission of a member of the Senior Management Team.


10.1 Personal data must not be disclosed to any third party (including family members and the police) except in the following circumstances:

  • The data subject have given consent. This is unambiguously achieved
  • It is necessary to protect the vital interests of the data subject
  • It is necessary to prevent serious harm to a third party
  • It is required to safeguard national security
  • It is necessary for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of any tax or duty
  • It is necessary for the discharge of regulatory functions including securing the health, safety and welfare of persons at work
  • It is available to the public anyway by law
  • It is necessary to establish, exercise or defend legal rights
  • It has been published


11.1 Under the Data Protection Act 2018, all data subjects have the right to request access to his/her personal data held by the Hospice. Such a request is known as a “subject access request”.

8.1 The personal data that donors provide to us when making a donation, or taking part in a fundraising activity, is held on the Hospice’s fundraising database. Unless the donor instructs the Hospice otherwise, the information provided will be used to post information about St Cuthbert’s Hospice future news and events. Donors may request to “opt out” of receiving this information as indicated on the Hospice Privacy Notice, published on the website.

11.2 All applications must be directed through the Data Co-ordinator who should deal with the request on behalf of the Hospice in line with the Access to Records Procedure.


12.1 The Hospice recognises that under the Data Protection Act 2018 an individual can request that his/her personal data is not processed for one or more purposes by a data controller (The Hospice). However, in some cases, the Hospice may lawfully decline such a request.


13.1 Any breaches/losses of personal data must be reported to the line manager and the Data Co-ordinator. The incident reporting procedure will be followed.


14.1 The Hospice must only retain personal data for the length of time the information is required for the specific purpose they were collected.

14.2  Reference should be made to the Document Archiving, Retrieval and Destruction procedure together with the Hospice’s Document Retention Procedure which details the minimum periods of retention of records and the process for archiving and destruction of Information.

14.3  Staff and volunteers must ensure the destruction of personal data is carried out confidentially and completely. Where multiple copies of the data exist, all paper and electronic copies must be destroyed. Where personal data is recorded in paper form, the paper must be securely shredded.


15.1  This Policy will be reviewed by the Information Governance and Quality Working Group every three years or more frequently if appropriate to take into account changes to legislation that may occur, and/or guidance from the Information Commission.

15.2  Line Managers will be responsible for auditing and monitoring compliance with this policy at least once every two years.

15.3  The HR Sub Committee will be responsible for receiving and considering reports on any breaches of this policy.


  • Access to Records Procedure
  • Sharing Patients Information Policy • Information Governance Policy
  • Social Media Policy & Guide
  • Privacy Notice
  • Website Privacy Policy
  • Electronic Data Use, Storage and Archiving Policy
  • Document Archiving, Retrieval and Destruction Procedure
  • Document Retention Procedure
  • IT Security Procedure
  • Complaints Policy

POLICY NAME: Data Protection Policy July 2016




Register of System Owners and Administrators

ContractorData heldHospice leadAsset ownerAsset administrator
Ribchesters Chartered AccountantsPayrollFinance Manager
SDMSPersonnelHead of HRHead of HRHR Administrator
SageSupplierFinance ManagerFinance Administrator
DonorflexDonorDevelopment ManagerAssistant Donor Development Fundraiser
TPP HospicePatientClinical Services ManagerMedical Secretary
WaterstonsAll DataGovernance Manager
Cargo CreativeWebsite dataDevelopment Manager