Martin House needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its work. Personal information must be collected and dealt with appropriately – whether on paper, in a computer, or recorded on other material - and there are safeguards to ensure this under the Data Protection Act 2018 and GDPR.
Data Controller - The organisation that determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. Martin House Hospice Care for Children and Young People (hereafter 'Martin House') is the Data Controller under the Data Protection Act 2018 and GDPR and determines the purposes for which the personal information it holds will be used. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold, and of the general purposes for which that data will be used (i.e. completing an ICO registration).
Data Protection Act 2018 (DPA) - The current UK legislation that provides a framework for responsible behaviour by those using personal information; it should be read in conjunction with the GDPR.
Data Protection Officer (DPO) - The DPO is the Director of Finance & Corporate Governance.
Data Subject - The individual who is the subject of personal data.
Consent and explicit consent - Consent is a freely given, specific, unambiguous, and informed indication by a Data Subject that they agree to the processing of personal information about them. Explicit consent is needed for processing special category data; under GDPR the practical difference is that explicit consent must be expressly confirmed in words (for example a written or recorded verbal statement) rather than inferred from an action.
Information Commissioner - The UK Information Commissioner is responsible for implementing and overseeing the Data Protection Act 2018 and GDPR as the UK ‘Supervisory Authority’.
Processing - Any operation performed on information, including collecting, amending, using, handling, storing, viewing, or disclosing it.
Personal Data/Information - Any information, held in any format, relating to a living individual who can be identified either from the data itself or from the data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller. This includes employment details, patient and client information, donor and supporter information, customer information, and information captured on CCTV. Note that under GDPR items such as IP addresses, email addresses, and other identifiers that are, or can be, unique to an individual may also be personal data.
Non-personal data - Any data that does not relate to an identifiable individual, i.e. data that is not personal data as defined above.
Sensitive ‘special category’ data - Data about:
- Racial or ethnic origin
- Political opinions
- Religious or similar beliefs
- Trade union membership
- Physical or mental health
- Sex life or sexual orientation
- Genetic or biometric data used to identify an individual
- Criminal record
- Criminal proceedings relating to a data subject’s offences
Informed consent - Consent given after the Data Subject clearly understands why their information is needed, who it will be shared with, and the possible consequences of agreeing to or refusing the proposed use of the data.
Associated policies and procedures
This policy should be read in conjunction with the following hospice policies, procedures, and guidance:
- Contract of employment & Employee handbook
- Disciplinary Policy
- Equality, Diversity & Inclusion policies and procedures
- Privacy Notices
- Data Subject Access & Erasure Request Policy
- IT Policies
Aims and objectives of the policy
To ensure that Information Governance and Data Protection are maintained, this policy will ensure that:
- The confidentiality and integrity of personal and sensitive information are maintained.
- Information is available to authorised users only.
- Information is not disclosed to unauthorised individuals.
- Information is protected from unauthorised destruction.
- Staff are advised of their obligations to maintain information confidentiality, integrity, and availability.
Scope of the policy
This policy must be followed by all staff and volunteers.
General
Failure to comply adequately with the content and principles of this policy may lead to staff/volunteer disciplinary action and/or monetary penalties imposed by the ICO on the individual or the Charity.
Accountabilities and responsibilities
The Chief Executive (who is also the SIRO) is responsible for ensuring that adequate resources are in place for the implementation of this policy and delegates day-to-day responsibility for this to the Data Protection Officer, the Caldicott Guardian, and the Information Governance Support Manager.
Data Protection Officer (DPO) is responsible for:
- Informing and advising the Charity and its employees about their obligations to comply with the DPA/GDPR and other data protection laws.
- Monitoring compliance with the DPA/GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- Being the first point of contact for supervisory authorities (ICO) and for individuals whose data is processed. The Director of Finance & Corporate Governance is the DPO.
Caldicott Guardian is responsible for:
- providing advice and guidance in the use and sharing of patient (service user) information i.e. the application of the Caldicott Guardian Principles.
- approving, monitoring and reviewing protocols governing access to service-user-identifiable information by staff within the Hospice and by other relevant agencies
- overseeing the control of access to and disclosure of care records. The Deputy Director of Clinical Services is the Caldicott Guardian.
Senior Information Risk Owner (SIRO) is responsible for ensuring the organisation's information risks are identified and managed, and that appropriate assurance mechanisms exist. The CEO is the SIRO.
Information Governance Support Manager (IGSM) is responsible for:
- implementing the Information Governance work programme across the Charity;
- monitoring actual or potential reported information security incidents within the organisation;
- ensuring the effectiveness of the Information Governance (IG) incident reporting system and procedures. The Head of IT is the IGSM.
Information Asset Owners (IAOs) are responsible for managing and maintaining the security and integrity of the information assets assigned to them. The IAOs are typically members of the Martin House Operational Leadership Team.
Managers are responsible for:
- ensuring that the policy and its supporting procedures and standards are built into local processes and that there is ongoing compliance
- ensuring that all staff job descriptions contain relevant responsibility for personal information security, confidentiality, and records management
- ensuring their staff undertake information governance training
- the security of the physical environment where their team operates and where information is processed and stored.
- ensuring that all parties sending person-identifiable information into the Charity, or receiving it from the Charity, are advised of the requirements of this policy.
- reporting and investigating any breaches of this policy.
The Head of IT is responsible for ensuring all computer hardware and software is safeguarded in line with the DPA/GDPR and provides relevant reports to the appropriate persons (SIRO, DPO, Information Governance Steering Group) to assist with monitoring compliance or incident investigations.
All staff and volunteers are responsible for:
- complying with this policy and its supporting procedures, including maintenance of data confidentiality and data integrity
- maintaining the operational security of the information systems they use
- ensuring they complete any training as required
- reporting any breaches of this policy through the information incident reporting process
- checking that personal data held on themselves is accurate and up to date and updating the People Team accordingly of any changes (e.g. change of address).
Martin House may share data with other agencies such as the NHS, local authorities, funding bodies, the Department for Work and Pensions, and other Government and voluntary agencies. GDPR also permits the sharing of patient information between clinicians for the purpose of the direct care of that patient. This means, for example, that a clinician may share information about a child with that child’s GP.
The Data Subject will, in most circumstances, be made aware of how and with whom their information will be shared and, in line with their rights as data subjects, their wishes regarding the sharing and use of their data will be implemented where possible. Where third parties are used in the processing or storage of data, the Data Protection requirements of the GDPR are included within contracts, data sharing agreements or individual Non-Disclosure Agreements (NDAs). There are circumstances where the law allows Martin House to disclose data (including sensitive data) without the data subject’s consent. These are:
- Carrying out a legal duty or as authorised by the Secretary of State
- Protecting vital interests of a Data Subject or other person or where there is a safeguarding concern
- The Data Subject has already made the information public
- Conducting any legal proceedings, obtaining legal advice, or defending any legal rights
- Monitoring for equal opportunities purposes – i.e. race, disability, or religion
- Providing a confidential service where the Data Subject’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Data Subjects to provide consent signatures.
Martin House regards the lawful and correct treatment of personal information as essential to successful working, and to maintaining the confidence of those with whom we deal.
Principles of data protection
Martin House will adhere to the following data protection principles:
Personal and sensitive data shall be:
- processed lawfully, fairly and transparently and, in particular, shall not be processed unless one of the lawful bases (and, for special category data, one of the additional conditions) set out in the DPA/GDPR is met,
- obtained only for one or more specified, explicit and legitimate purposes, and shall not be processed in any manner incompatible with that purpose or those purposes,
- adequate, relevant, and limited to what is necessary in relation to those purposes,
- accurate and, where necessary, kept up to date,
- processed in accordance with the rights of data subjects under the DPA/GDPR,
- kept secure: the Data Controller will take appropriate technical and organisational measures to prevent unauthorised or unlawful processing and accidental loss or destruction of, or damage to, personal and sensitive data,
- not transferred to a country or territory outside the UK unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects (e.g. is covered by UK adequacy regulations) or appropriate safeguards, such as the ICO’s International Data Transfer Agreement, are in place (the EU-US Privacy Shield was invalidated in 2020 and is no longer a valid basis for transfers), and
- not kept for longer than is necessary.
Martin House will, through appropriate management and the strict application of criteria and controls:
- Observe fully the conditions regarding the fair collection and use of information,
- Meet its legal obligations to specify the purposes for which information is used,
- Collect and process appropriate information, and only to the extent that it is needed to fulfil its operational needs or to comply with any legal requirements,
- Ensure the quality of information used,
- Ensure that the rights of people about whom information is held can be fully exercised under the DPA and GDPR. These include:
  - The right to withdraw or change their consent to the processing of their personal data
  - The right to be informed that processing is being undertaken
  - The right of access to their personal information
  - The right to object to, or restrict, processing in certain circumstances
  - The right to have inaccurate information rectified, and the right to erasure (the right to be ‘forgotten’)
- Take appropriate technical and organisational security measures to safeguard personal information,
- Ensure that personal information is not transferred abroad without suitable safeguards,
- Treat people justly and fairly whatever their age, religion, disability, gender, sexual orientation, or ethnicity when dealing with requests for information,
- Set out clear procedures for responding to requests for information.
Specific information regarding this can be found in the relevant privacy notices published on the Martin House website.
Data access (subject access requests)
All Data Subjects have the right to access the information Martin House holds about them (i.e. to make a subject access request (SAR)) and Martin House will follow the ICO “Subject access code of practice” (now superseded by the ICO’s right of access guidance) in dealing with these requests. GDPR requires a response within one month of receipt (extendable by up to two further months where requests are complex or numerous, in which case the Data Subject must be told within the first month), and in most cases no fee may be charged.
Information provided in response to a SAR must have the Data Subject as its focus, not merely mention them in passing. Records may be redacted to remove details of third parties (but not those of relevant health professionals). A member of staff, volunteer, or other Data Subject may make a written request to access the information held about them by application to the Data Protection Officer, the CEO, a clinician, a manager, or the People Team. Staff information held for the purposes of management planning or forecasting is exempt from the SAR provisions above. A SAR received in any part of Martin House should be passed to the DPO for registering and processing.
Further details outlining all rights in relation to personal data are available in our “Data Subject Access Request and Erasure Policy” which is available on our website.
Appendix 3 ‘Your Information - Privacy Matters at Martin House’ gives an overview of the legal basis and reasons for data collection by the Charity.
In areas where ‘Consent’ is the legal basis for data processing Martin House will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.
When collecting data with consent, Martin House will ensure that the Data Subject:
- Clearly understands why the information is needed
- Understands what it will be used for and what the consequences are should the Data Subject decide not to give consent to processing
- As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
- Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
- Has received unambiguous and sufficient information on why their data is needed and how it will be used
Managing Data Subjects’ Contact Preferences
Data subjects have the right to change their minds regarding consent to collect or share personal or sensitive information at any time. When using consent as the legal basis for collecting or sharing information, Martin House will keep records of whether consent has been given or refused and will amend these records at the request of verified data subjects. In addition, irrespective of the legal basis for collecting or using information, Martin House will, where practicable, cease contacting data subjects upon their request, e.g. stop sending marketing material. The Charity will at all times comply with Mail and Telephone Preference Service registrations and will not market by direct mail or telephone to those who have requested no such contact.
Data Storage
Personal and/or sensitive information and records relating to data subjects will be stored securely and will only be accessible to authorised staff and volunteers.
Information will be stored for only as long as it is needed for the purpose that it was collected or required by statute and will be disposed of appropriately i.e. paper records will be disposed of using the Martin House process for disposing of confidential waste. Records will be maintained in line with statutory and regulatory retention requirements.
It is Martin House's responsibility to ensure that all personal and company data is rendered non-recoverable from any computer system previously used within the organisation before that system is passed on or sold to a third party.
Martin House will also take steps to ensure that this information is kept up to date e.g. by routinely or periodically asking data subjects whether there have been any changes to their data. In addition, Martin House will ensure that:
- It has a Data Protection Officer with specific responsibility for ensuring compliance with Data Protection
- Everyone processing personal information understands that they are responsible for following good data protection practice
- Everyone processing personal information is appropriately trained to do so
- Everyone processing personal information is appropriately supervised
- Anybody wanting to make enquiries about handling personal information knows what to do i.e. discuss with line management who will be supported by the DPO
- It deals promptly and courteously with any enquiries about handling personal information
- It describes clearly how it handles personal information – through Privacy Notices
- It will regularly review and audit the ways it holds, manages, and uses personal information. It regularly assesses and evaluates its methods and performance in relation to handling personal information
- All staff and volunteers are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.
Information incident reporting
In the event of a suspected information security or confidentiality breach occurring the following process should be followed:
- All incidents, suspected incidents, and near misses should be reported internally as soon as practically possible (normally within 24 hours). GDPR requires a personal data breach that is likely to result in a risk to individuals’ rights and freedoms to be reported to the ICO within 72 hours of the Charity becoming aware of it, so prompt internal reporting is essential.
- The person discovering an actual or suspected information breach or incident should report it to their line manager (this includes near misses), and
- The line manager should ensure action is taken to contain the incident/prevent a recurrence.
- The incident should be reported to the area’s Director, and
- The incident should be logged on the incident recording system (Vantage) for managerial/Director review and consideration, and
- Reported through the SLT and to the Information Governance Steering Group
Retention of Records
GDPR and the DPA state that data should not be kept for any longer than necessary for the purpose for which they were obtained. Martin House abides by all statutory and regulatory retention requirements.
Training and Support
Information Governance training is provided as part of Martin House mandatory training.
Monitoring and review
This policy will be updated as necessary to reflect best practices in data management, security, and control and to ensure compliance with any changes or amendments made to the DPA/GDPR.
The policy owner is responsible for the review at least every three years.
The policy is an important component of the Martin House information governance arrangements and should be referenced in the Martin House IG policies and/or procedures.
- UK GDPR and Data Protection Act 2018
- Records Management Code of Practice for Health and Social Care 2021
- Care Quality Commission registration standards, Supporting Workers (21) of the Health & Social Care Act (2008) Regulated Activities Regulations 2010.
- Public Records Act 1958 and Local Government Act 1972
- Freedom of Information Act 2000
- Health and Social Care Act 2008
- Caldicott principles
Data Protection Impact Assessment
We have clear policies in respect of Information Governance, including Data Protection and Inter-Agency Sharing, under the requirements of the Data Protection Act 2018 and UK GDPR. These policies must be followed throughout the operation of this policy.
Equality and Diversity Impact Assessment
This Policy is implemented in line with our Equality and Diversity Policy and associated legislation. Consideration will be given to all protected characteristics under the Equality Act 2010 to eliminate discrimination, advance equality of opportunity, and foster good relations.
This policy and associated documents are available in different languages and alternative formats on request.
Appendix 1 Consent - ICO guidance on how to obtain, record, and manage consent
- Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand.
- Include the name of your organisation and any third parties, why you want the data, what you will do with it, and the right to withdraw consent at any time.
- You must ask people to actively opt-in. Don’t use pre-ticked boxes, opt-out boxes, or default settings.
- Wherever possible, give granular options to consent separately to different purposes and different types of processing.
- Keep records to evidence consent – who consented, when, how, and what they were told.
- Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.
- Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.
Appendix 2 “right to be forgotten”
Data Subjects have the right to ask for all data about them to be removed/deleted (erased). In general, the Charity is content to comply with such requests provided that:
- It is lawful to do so
- The Charity can still discharge its responsibilities to the Data Subject e.g. by providing care
- The data is not required for the defence of legal claims.
However, a skeleton record may be retained to prevent future collection of the Data Subject’s information.
Further details outlining all rights in relation to personal data are available in our “Data Subject Access and Erasure Request Policy” which is available on our website.
Appendix 3 Your Information – Privacy Matters at Martin House
This is a summary of the processing of personal information carried out by Martin House (the Charity) and it is supported by more detailed information in the Privacy Notices for many of the individual areas covered here. These Notices and policies are all available from the Martin House website (https://www.martinhouse.org.uk) or the Data Protection Officer who can be contacted at: email@example.com or at Martin House, Grove Road, Boston Spa, Wetherby, LS23 6TX.
The Charity will comply with the requirements of the data protection legislation in force, currently the Data Protection Act 2018 and the UK GDPR (the General Data Protection Regulation, which came into force in May 2018 and was retained in UK law after the UK left the EU).
All our information systems, paper and electronic, are designed to be secure and protect data from unauthorised access, theft, and misuse.
Why do we need to process personal information?
We need to process personal data in order to deliver our services:
- In the provision and management of health, welfare, and support services to service users
- To provide, manage, and develop Fundraising opportunities
- To provide retail services
- To manage the affairs of the Charity
With the consent of service users and carers, we collect the personal and sensitive information that we need in order to provide appropriate care. For the purposes of care, this information will be shared amongst the clinical team providing the care.
We process the personal data of staff and volunteers to:
- Recruit staff and volunteers
- Fulfil contractual requirements
- Meet legal requirements
- Provide effective management
- Develop a highly skilled and qualified workforce
- Deliver health, safety, and welfare commitments
The legal basis for such processing is a combination of legal requirements and legitimate interest and in some instances consent.
We also collect personal data from retail customers to:
- Fulfil contractual obligations
- Meet legal requirements
We collect personal data from supporters and donors to:
- Respond appropriately to communications, donations, and gifts
- Meet legal requirements
- Provide information about the activities of the Charity
The legal basis for processing supporter information is normally a legal requirement or the legitimate interest of the Charity.
Our Fundraising team may collect personal and sensitive information in the context of events held to support the Charity and to keep potential event participants informed of future events. The legal basis for collecting this information is usually the consent of the potential or actual participants, or the need to meet legal or contractual requirements. When informing participants of previous events about upcoming events, the legal basis is legitimate interest for postal (‘physical’) direct marketing and consent for electronic (‘digital’) direct marketing such as email or SMS.
The Lottery (and Raffle) activities of the Charity process the personal information of participants in order to run them; the legal requirement for retaining lottery data is extended to coincide with the retention period for finance records.
Recording personal information about you
Most information we hold will be collected from you but we may also obtain this from third parties such as your doctor (or other health professionals) or other relevant organisations such as a previous employer for a reference. We will always tell you why we need your information and how we’ll use it. We will only ask you for information that is relevant and necessary to the delivery of our services.
Information we hold about you will vary depending on the contact you have with the Charity and the services we provide to you. For example, if we are providing you with care your information will be shared with those directly involved in providing that care. If we’re supporting you with training, it’s helpful that we know about your education and previous employment history. If you need adaptations in your workplace, we may need to know about associated health conditions.
Sometimes we need to share your information with other organisations that we work with or who provide services on our behalf. We will only share relevant details and we will ensure your information remains secure.
We may need to share information in order:
- To provide you with the most appropriate care
- To meet our legal obligations
- To fulfil a contract with you, e.g. when we use a third party to make a delivery
- In connection with legal proceedings (or where we are instructed to do so by Court order)
- To protect the vital interests of an individual (in a life or death situation)
When the information we need to share is defined as ‘special’ (e.g. information about health matters, ethnicity, religion, sexual orientation), we will generally ask you for consent before we share it unless we are required or permitted to share it by law.
You can ask for a copy of the personal information we hold about you. This is known as a Subject Access Request (SAR). You can also ask for your information to be corrected, erased, or transferred to another organisation, and you have the right to be ‘forgotten’.
Please put all requests in writing (or email). Further details outlining all of your rights in relation to your personal data are available in our “Data Subject Access and Erasure Request Policy” which is available on our website.
Accurate and up-to-date
Please tell us if your information changes so we can keep it up to date. For example, if you change your contact details including mobile number and email address. We won’t keep your information longer than we need to.
Consent & Promotion of our Services
We may use your contact details to send you information and communicate with you about matters associated with your connection to the Charity. We will not send you ‘direct marketing’ if you have opted out of receiving it. We will never provide or sell your details to third parties for their marketing purposes. You have the right to object to direct marketing at any time, and our communications will always include clear instructions on how to ‘unsubscribe’.