Keeping your data safe and sound
St Luke’s makes privacy a priority:
We will collect, process, store and share your data safely and securely, by ensuring:
- You’re always in control: Your privacy will be respected at all times and we will put you in control of your privacy with easy-to-use tools and clear choices.
- We work transparently: We will be transparent about the data we collect and how we use that data so that you can make fully informed choices and decisions.
- We operate securely: We will protect the data that you entrust to us via appropriate security measures and controls. We’ll also ensure that other businesses we work with are just as careful with your data.
- For your benefit: When we do process your data, we will use it to benefit you, to make your experience better and to improve our products and services.
Who we are and how you can contact us
“St Luke’s” (referred to in this policy as “we”, “us” or “our”) is a trading name of:
Little Common Lane,
Registered Company Number: 00922448
Charity Number: 254402
ICO Registration Number: Z8034405
Data Protection Officer
We have a Data Protection Officer (DPO), who can be contacted in the following ways should you have any questions or feedback about the way your data is handled:
Email: [email protected]
Mail: Data Protection Officer, St. Luke’s Hospice, Little Common Lane, Sheffield, S11 9NE
We have a Caldicott Guardian, a senior member of staff responsible for protecting patient confidentiality and enabling appropriate sharing of that data.
Data we collect about you
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity data – name, title, date of birth.
- Contact data – location, full address, postcode, email address or telephone numbers.
- Transaction data – details of the donations you have made plus any products or services you have purchased from us, including date and time of booking or purchase and spend in relation to that transaction.
- Technical data - internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our online channels/ platforms.
- Profile data - purchases or orders made by you, your interests, preferences, feedback and survey responses, preferences about the use of products or services (including whether you are interested in certain events that we offer)
- Usage data – information about how you use our website and services.
- Marketing and communications data – your preferences in receiving marketing from us and your communication preferences.
- CV Data – previous employment history, education, awards and references.
- Clinical data – Clinical information as part of providing health or medical treatment.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
How we use your personal data
We are only allowed to use personal data about you if we have a legal basis to do so, and we are required to tell you what that legal basis is. We have set out in the table below: the personal data which we collect from you, how we use it, and the legal ground on which we rely when we use the personal data.
In some circumstances we can use your personal data if it is in our legitimate interest to do so, provided that we have told you what that legitimate interest is. A legitimate interest is when we have a business or commercial reason to use your information which, when balanced against your rights, is justifiable. If we are relying on our legitimate interests, we have set that out in the table below.
Who we share your personal data with
In order to provide you with our services and meet our legal obligations, we only share your data with third parties, in the following circumstances.
- To fulfil the services, we have been engaged to perform;
- To verify your identity;
- To authorise debit/credit card payments and any other transactions authorised by the supporter/donor;
- To manage and maintain the accuracy of your records;
- To handle complaints and improve customer service;
- To administer support services on behalf of our patients and their families;
- To administer marketing on behalf of St Luke’s;
- To administer the lottery on behalf of St Luke’s; and
- To meet legal obligations, for example, for the purposes of national security, taxation and criminal investigations.
We’ll never make your personal data available to anyone outside St Luke’s for them to use for their own marketing purposes without your prior consent.
In relation to Clinical Information we work very closely with NHS services in Sheffield. This allows us to share and receive information securely with your GP and other care professionals.
Third party links
Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice or policy of every website you visit.
Transferring your personal data outside the EEA
The EEA is the European Economic Area, which consists of the EU Members States, Iceland, Liechtenstein and Norway. If we transfer your personal data outside the EEA we have to tell you.
Limited personal information that we collect from you may be transferred to and processed in a destination outside of the EEA. In these circumstances, your personal information will only be transferred on one of the following bases:
- The country that we send the data is approved by the European Commission as providing an adequate level of protection for personal information; or
- The recipient has agreed with us standard contractual clauses (SCC’s) approved by the European Commission, obliging the recipient to safeguard the personal information; or
- There exists another situation where the transfer is permitted under applicable data protection legislation (for example, where a third party recipient of personal data in the United States has registered for the EU-US Privacy Shield).
Limited situations where your personal data may be transferred outside the EEA are as follows:
Purpose of Processing
Nature of the Data
Appropriate and Suitable Safeguard
Supporter’s name, contact details and fundraising activity
Blackbaud Inc t/a
“The Raisors Edge”
EU-US Privacy Shield
Marketing Email Service Provider
Supporter’s name and contact details
The Rocket Science Group LLC t/a “MailChimp”
EU-US Privacy Shield
Supporter’s name, contact details and any answers they have given in free text fields where they share personal data voluntarily.
SurveyMonkey Inc. t/a “Survey Monkey”
EU-US Privacy Shield
To find out more about how your personal information is protected when it is transferred outside the EEA (and if you wish to obtain a copy of the appropriate and suitable safeguards), please contact our Data Protection Officer using the details above.
Before sharing any information with a third party, we will ensure that there is a data sharing agreement in place requiring that the third party protects personal data according to GDPR.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator (including the ICO) of a breach where we are legally required to do so.
How long do we keep your personal data?
We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:
The requirements of our business and the services provided;
- Any statutory or legal obligations;
- The purposes for which we originally collected the personal data;
- The lawful grounds on which we based our processing;
- The types of personal data we have collected;
- The amount and categories of your personal data; and
- Whether the purpose of the processing could reasonably be fulfilled by other means.
After such time, we will securely delete or destroy your personal data.
We may use your personal data to tell you about relevant services and any upcoming events.
We can only use your personal data to send you marketing messages if we have either your consent or a legitimate interest to do so.
You can ask us to stop sending you marketing messages at any time – you just need to contact us via our details set out above in section 1, or use the opt-out links on any marketing message sent to you.
Where you opt out of receiving marketing messages, this will not apply to personal data provided to us as a result of purchasing our services or any other transaction between you and us.
You have certain rights which are set out in the law relating to your personal data. The most important rights are set out below.
Access to a copy of the information we hold about you
You can ask us for a copy of the personal data which we hold about you, by writing to the Data Protection Officer (in Section 1). This is known as a data subject access request.
You will not have to pay a fee to access your personal data, unless we believe that your request is clearly unfounded, repetitive or excessive. In such circumstances we can charge a reasonable fee or refuse to comply with your request.
We will try to respond to all legitimate requests within one month.
Telling us if information we hold is incorrect
You have the right to question any information we hold about you that you think is wrong or incomplete. Please contact the Data Protection Officer if you want to do this and we will take reasonable steps to check its accuracy and, if necessary, correct it.
Telling us if you want us to stop using your personal data
You have the right to:
- Object to our use of your personal data (known as the right to object); or
- Ask us to delete the personal data (known as the right to erasure); or
- Request the restriction of processing.
There may be legal reasons why we need to keep or use your data, which we will tell you if you exercise one of the above rights.
You can withdraw your consent to us using your personal data at any time. Please contact the Data Protection Officer if you want to withdraw your consent. If you withdraw your consent, we may not be able to provide you with our services.
Request a transfer of data
You may ask us to transfer your personal data to a third party. This right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Making a complaint
Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found in section 1).
You also have a right to complain to the Information Commissioner’s Office. You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact the Data Protection Officer in the first instance.