Privacy Promise & Privacy Policy

GDPR green

Privacy Policy

Keeping your data safe and sound

St Luke’s is committed to protecting the privacy of our patients, supporters and those that we have contact with. We believe in being open and up front with how we use personal data that is entrusted to us and we are committed to making Privacy a Priority. If you would like to know more about he we process your personal data, please read our detailed Privacy Policy below.

St Luke’s makes privacy a priority:

We will collect, process, store and share your data safely and securely, by ensuring:

  • You’re always in control: Your privacy will be respected at all times and we will put you in control of your privacy with easy-to-use tools and clear choices.

     

  • We work transparently: We will be transparent about the data we collect and how we use that data so that you can make fully informed choices and decisions.    

  • We operate securely: We will protect the data that you entrust to us via appropriate security measures and controls. We’ll also ensure that other businesses we work with are just as careful with your data.

  • For your benefit: When we do process your data, we will use it to benefit you, to make your experience better and to improve our products and services.

  1. Who we are and how you can contact us

     “St Luke’s” (referred to in this policy as “we”, “us” or “our”) is a trading name of:

    St. Luke’s Hospice

    Little Common Lane,

    Sheffield

    S11 9NE

               

                                        Registered Company Number:                 00922448

                                        Charity Number:                                    254402

                                        ICO Registration Number:                       Z8034405

     

    We have a Data Protection Officer (DPO), who can be contacted in the following ways should you have any questions or feedback about the way your data is handled:

    Email:               dpo@hospicesheffield.co.uk

    Mail:                 Data Protection Officer

    St. Luke’s Hospice

    Little Common Lane, Sheffield S11 9NE

    We have a Caldicott Guardian, a senior member of staff responsible for protecting patient confidentiality and enabling appropriate sharing of that data.

  2. Where we collect your personal data:

    We collect personal data about you in the following ways:

    • When you request or use the services we provide;
    • When you talk to us on the phone or in any of our shops;
    • When a patient or family member provides us with your information;
    • When you use our website;
    • When you make a donation to us;
    • When you apply to work for us or volunteer for us;
    • When you send emails or letters to us;
    • When you contact us via social media;
    • When you take part in our competitions or promotions;
    • When you take part in our lottery;
    • When you sign up to our newsletters or marketing;
    • When you give us feedback;
    • From third parties or publically available sources (for example Companies House in relation to corporate supporters).

       

  3. Data we collect about you

    We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

    • Identity data – name, title, date of birth,

       

    • Contact data – location, full address, postcode, email address or telephone numbers.        

    •  

    • Transaction data – details of the donations you have made plus any products or services you have purchased from us, including date and time of booking or purchase and spend in relation to that transaction.

       

    • Technical data - internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our online channels/ platforms.

       

    • Profile data - purchases or orders made by you, your interests, preferences, feedback and survey responses, preferences about the use of products or services (including whether you are interested in certain events that we offer)

       

    • Usage data – information about how you use our website and services.

       

    • Marketing and communications data – your preferences in receiving marketing from us and your communication preferences.

       

    • CV Data – previous employment history, education, awards and references.

    • Clinical data – Clinical information as part of providing health or medical treatment.

      We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

  4. How we use your personal data

    We are only allowed to use personal data about you if we have a legal basis to do so, and we are required to tell you what that legal basis is.  We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the personal data. 

    In some circumstances we can use your personal data if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is.  A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable.  If we are relying on our legitimate interests, we have set that out in the table below.

    What we use your personal data for:

    What personal data we collect:

    Our legal grounds for processing:

    Our legitimate interests (if applicable)

    To register you as a new or prospective supporter.

    ·       Identity

    ·       Contact

     ·       Performance of a contract with you

    ·       Legitimate Interest

    To develop and grow our charity.

    To process and deliver our services to you.

    ·       Identity

    ·       Contact

    ·       Transaction

    ·       Performance of a contract with you

     To manage donations and other financial transactions with us. eg Gift Aid.

    ·       Identity

    ·       Contact

    ·       Transaction

    ·       Performance of a contract with you

    ·       Legal obligation

     To manage our relationship with you, including notifying you about changes to our terms or privacy notices

     ·       Identity

    ·       Contact

    ·       Transaction

     ·       Performance of a contract with you

    ·       Necessary to comply with a legal obligation

    ·       Legitimate interests

    To keep our records up to date

    To enable you to partake in a marketing, competitions or to complete a survey

    ·       Identity

    ·       Contact

    ·       Transaction

     ·       Performance of a contract with you

    ·       Legitimate interests

    ·       Consent

    To study how patients, clients, donors and supporters use our services to provide an effective charitable service and grow charitable income.

    To administer and protect our charity and our website

    ·       Transaction

    ·       Technical

    ·       Usage

    ·       Legitimate interests

    Running our charity, provision of administration and IT services, network security

    To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.

     ·       Identity

    ·       Contact

    ·       Marketing and communications

    ·       Usage

    ·       Profile

    ·       Legitimate interests

    To study how supporters and clients use our services, to develop them, to grow our charity and to inform our marketing strategy

    To use data analytics to improve our website, services, marketing, supporter and client relationships and experiences

    ·       Technical

    ·       Usage

    ·       Profile

     ·       Legitimate interests

    To define types of supporters, clients and contacts for our services, to keep our website updated and relevant, to develop our charity and to inform our marketing strategy

    5. Who we share your personal data with

     

  5. In order to provide you with our services and meet our legal obligations, we only share your data with third parties, in the following circumstances:

     

  6.  

    • To fulfil the services, we have been engaged to perform;
    • To verify your identity;
    • To authorise debit/credit card payments and any other transactions authorised by the supporter/donor;
    • To manage and maintain the accuracy of your records;
    • To handle complaints and improve customer service;
    • To administer support services on behalf of our patients and their families;
    • To administer marketing on behalf of St Luke’s;
    • To administer the lottery on behalf of St Luke’s; and
    • To meet legal obligations, for example, for the purposes of national security, taxation and criminal investigations.

       

      We’ll never make your personal data available to anyone outside St Luke’s for them to use for their own marketing purposes without your prior consent.

      In relation to Clinical Information we work very closely with NHS services in Sheffield. This allows us to share and receive information securely with your GP and other care professionals.

              7.

      Third party links

  7. Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.  We do not control these third-party websites and are not responsible for their privacy statements.  When you leave our website, we encourage you to read the privacy notice or policy of every website you visit.

  8. Transferring your personal data outside the EEA

    The EEA is the European Economic Area, which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA we have to tell you.

    Limited personal information that we collect from you may be transferred to and processed in a destination outside of the EEA. In these circumstances, your personal information will only be transferred on one of the following bases: 

    • The country that we send the data is approved by the European Commission as providing an adequate level of protection for personal information; or

       

    • The recipient has agreed with us standard contractual clauses (SCC’s) approved by the European Commission, obliging the recipient to safeguard the personal information; or

       

    • There exists another situation where the transfer is permitted under applicable data protection legislation (for example, where a third party recipient of personal data in the United States has registered for the EU-US Privacy Shield).

      Limited situations where your personal data may be transferred outside the EEA are as follows:

      Purpose of Processing

      Nature of the Data

      3rd Party

      Location

      Appropriate and Suitable Safeguard

      Fundraising CRM

      Supporter’s name, contact details and fundraising activity

      Blackbaud Inc t/a

      “The Raisors Edge”

      USA

      EU-US Privacy Shield

      Marketing Email Service Provider

      Supporter’s name and contact details

      The Rocket Science Group LLC t/a “MailChimp”

      USA

      EU-US Privacy Shield

      Survey Questionnaires

      Supporter’s name, contact details and any answers they have given in free text fields where they share personal data voluntarily.

      SurveyMonkey Inc. t/a “Survey Monkey”

      USA

      EU-US Privacy Shield

       

       

      To find out more about how your personal information is protected when it is transferred outside the EEA (and if you wish to obtain a copy of the appropriate and suitable safeguards), please contact our Data Protection Officer using the details above. Before sharing any information with a third party, we will ensure that there is a data sharing agreement in place requiring that the third party protects personal data according to GDPR.

  9. Data security

    We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

    We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the ICO) of a breach where we are legally required to do so.

  10. How long do we keep your personal data?

    We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:

    The requirements of our business and the services provided;

    • Any statutory or legal obligations;
    • The purposes for which we originally collected the personal data;
    • The lawful grounds on which we based our processing;
    • The types of personal data we have collected;
    • The amount and categories of your personal data; and
    • Whether the purpose of the processing could reasonably be fulfilled by other means.

      After such time, we will securely delete or destroy your personal data.

  11. Marketing

    We may use your personal data to tell you about relevant services and any upcoming events. 

    We can only use your personal data to send you marketing messages if we have either your consent or a legitimate interest to do so. 

    You can ask us to stop sending you marketing messages at any time – you just need to contact us via our details set out above in section 1, or use the opt-out links on any marketing message sent to you.

    Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of purchasing our services or any other transaction between you and us.

  12. Your rights

    You have certain rights which are set out in the law relating to your personal data.  The most important rights are set out below.

    Access to a copy of the information we hold about you

    You can ask us for a copy of the personal data which we hold about you, by writing to the Data Protection Officer (in Section 1). This is known as a data subject access request.

    You will not have to pay a fee to access your personal data, unless we believe that your request is clearly unfounded, repetitive or excessive.  In such circumstances we can charge a reasonable fee or refuse to comply with your request.

    We will try to respond to all legitimate requests within one month. 

    Telling us if information we hold is incorrect

    You have the right to question any information we hold about you that you think is wrong or incomplete.  Please contact the Data Protection Officer if you want to do this and we will take reasonable steps to check its accuracy and, if necessary, correct it.

    Telling us if you want us to stop using your personal data

    You have the right to:

    • Object to our use of your personal data (known as the right to object); or
    • Ask us to delete the personal data (known as the right to erasure); or
    • Request the restriction of processing.

      There may be legal reasons why we need to keep or use your data, which we will tell you if you exercise one of the above rights.

      Withdrawing consent

      You can withdraw your consent to us using your personal data at any time.  Please contact the Data Protection Officer if you want to withdraw your consent.  If you withdraw your consent, we may not be able to provide you with our services.

      Request a transfer of data

      You may ask us to transfer your personal data to a third party.  This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  13. Making a complaint

Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found in section 1).

You also have a right to complain to the Information Commissioner’s Office.  You can find their contact details at www.ico.org.uk.  We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact the Data Protection Officer in the first instance.