Privacy Policy

INTRODUCTION

At St Margaret of Scotland Hospice (the “Hospice”), we pride
ourselves on being open and transparent with our patients, their families, our
supporters, staff and anyone else who comes into contact with the Hospice,
including about how their personal data is stored and used. This includes the
processes we adopt when we ask for donations to keep our organisation running.

Purpose of this policy

This Privacy Policy explains what personal data we may collect
about you, how we use it, and the steps we take to ensure that it is kept
secure.

This includes when you use this website at www.smh.org.uk, or
when you contact us, for example by telephone, email, contact cards or through
face to face interactions. We also explain your privacy rights and how the law
protects you, including how we comply with the General Data Protection
Regulation (“GDPR”), which came into effect on 25th May 2018, and
all other related privacy laws and any codes of practice issued by the
Information Commissioner.

Additional information may be provided on particular pages of
this website, for example on any specific pages where we collect personal data,
and you should also refer to those.

It is important that you read this privacy policy together with
any statements or fair processing notices we may provide on specific occasions
when we collect or process personal data so that you are fully aware of how and
why we are using your data. This privacy policy supplements those other notices
and is not intended to override them.

BY USING THIS WEBSITE AND/OR GIVING PERSONAL DATA TO US YOU
INDICATE THAT YOU CONSENT TO US USING YOUR PERSONAL DATA IN ACCORDANCE WITH
THIS PRIVACY POLICY.

In summary, we are committed to protecting your privacy and your right to
confidentiality, and to ensuring that your personal information will be:

  • Processed lawfully, fairly, and in a transparent manner
  • Collected for specified, explicit and legitimate purposes
  • Only collected so far as required for our lawful purposes
  • As accurate and up to date as possible
  • Retained for a reasonable period of time, in accordance with retention
    policies
  • Processed in a manner which ensures an appropriate level of security

Further, more detailed information is included in the following
sections:

  • Personal Data
  • Special Categories Of Data
  • Website
  • How We Might Contact You
  • Security
  • Retention
  • Transfer Outside Of Europe
  • Changes To This Policy
  • Updating Or Correcting Your Data
  • Your Rights
  • Contact

PERSONAL DATA

Personal
data means any information about an individual from which that person can be
identified. It does not include data which has been anonymised and where the person’s
identity has been removed.

We collect
personal data in a number of ways, and for a number of reasons. For example, we
may collect and hold information from fundraisers, donors and supporters in
order to make better decisions about how we raise and spend funds. As a Registered
Charity, our Hospice relies on the support of people living in its local
community – both financially and in kind. By gathering information about our
community we can fundraise more efficiently and get the right information to
the right people based on what they want to see. Ultimately this means our Hospice is able to
continue to provide excellent care to those in need.

Examples of Personal Data

  • a name and surname;
  • a home address;
  • an email address such as name.surname@company.com;
  • an identification card number;
  • location data (for example the location data function on a mobile
    phone);
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • the advertising identifier of your phone;
  • data held by a hospital or doctor, which could be a symbol that uniquely
    identifies a person such as a hospital number or CHI.

We may receive your Personal Data:

  • through face to face interactions, through this website, by email, over
    the phone, or on paper (such as from any form you complete)
  • directly from you such as when you make a donation; when you sign up to
    an event or activity; when you join our Hospice Lottery; when you sign up as a
    Gift Aid donor in one of our shops or when you sign up as a volunteer.
  • from another organisation for example, where you use fundraising sites
    such as Just Giving or Virgin Money Giving to fundraise for the Hospice. These
    organisations may share your personal data with us if you allow them to do so.
    You should check their Privacy Policy to fully understand how they process your
    personal information.
  • from social media sites or apps. If your settings and preferences allow,
    we may obtain information (including personal data) from social media services
    such as Facebook, Instagram, Twitter and LinkedIn.
  • automatically in the case of technical data, for example as you interact
    with our website including via the use of cookies and similar technologies.

Information about other people

If you
provide personal data to us relating to any person other than yourself, you must
ensure before you do so that they understand how their personal data will be
used and that you are authorised to disclose it to us, and to consent to its
use on their behalf. You should bring this privacy policy to their attention.

The personal data we collect

We will
only use your personal data when the law allows us to, and in accordance with
this privacy policy. We may process your personal data for more than one lawful
basis, depending on the specific purpose for which we are using your data.

The type
and quantity of personal data we collect and how we use it depends on why you
are providing it. Occasionally we may ask for your date of birth, for example,
if there is an age restriction on an event or activity you have chosen to take
part in (e.g. Lottery players must be aged over 16 years).

The
following table explains the main types of personal data which we may collect,
use, store and transfer. It also explains the purposes for which we use
different categories of personal data, and the lawful basis or bases which we
believe applies to those uses:

Purpose: To manage our relationship with you as a patient, for example to
communicate with you and to provide you with the correct care and treatment.
Types of personal data used: Identity and Contact Data such as your name, home
address and date of birth/CHI.
Lawful basis for processing: Necessary for performance of our contract with
you, compliance with our legal obligations, and for our legitimate interests in
providing you with our proper ongoing care and treatment.

Purpose: To provide you with information where necessary, as the next of kin of
one of our patients. For example, to contact you in the case of an emergency or
to facilitate any elements of patient care.
Types of personal data used: Identity and Contact Data such as your name, home
address, date of birth.
Lawful basis for processing: Necessary for our compliance with our legal
obligations and for our legitimate interests in providing you with necessary
information about the patient, as part of our provision of proper care for that
patient.

Purpose: To manage our relationship with you as a volunteer, for example to
contact you, or to carry out any necessary administration.
Types of personal data used: Identity and Contact Data.
Lawful basis for processing: Necessary for our legitimate interests in managing
our volunteer network to support our organisation and to comply with our
recruitment policies.

Purpose: To process your application for a job or volunteer role with us,
including if you are between the ages of 14-16 and apply to volunteer as part
of a formal work experience arrangement with your school, or as part of the
Duke of Edinburgh Scheme.
Types of personal data used: Identity and Contact Data; Career and Interests
Data including any CV, career history information or references; Child Data
including name, home address, date of birth and information about their
education.
Lawful basis for processing: Necessary for our legitimate interests in the
operation of our organisation in order to be able to respond to you and to
consider you for a role within our organisation. Where we collect and process
Child Data in the context of an application for volunteering, we do so on the
basis that it is in our legitimate interests to be able to consider and respond
to you.

Purpose: To provide any products or services you request to you, including
taking payments and contacting you where necessary in relation to the same.
Types of personal data used: Identity and Contact Data; Financial Data
including bank account numbers and details.
Lawful basis for processing: Necessary for the performance of the contract that
you have entered into with us.

Purpose: To administer this website, including troubleshooting, data analysis,
testing, system maintenance and support.
Types of personal data used: Identity and Contact Data; Technical Data
including internet protocol (IP) address, your login data, browser type and
version, time zone setting and location, browser plug in types and versions,
operating system and platform and other technology on the devices you use to
access this website. This may also include information about how you use our
website and our services; Profile Data such as username and password details,
demographic postcode preferences and interests, and information such as
feedback and survey responses.
Lawful basis for processing: Necessary for our legitimate interests in
providing and improving our website and customer service to you, to improving
the services we offer you and to ensuring our website operates properly and for
network security.

Purpose: To ensure our third-party service providers can perform their
obligations to us.
Types of personal data used: Identity and Contact Data; Technical Data; Profile
Data.
Lawful basis for processing: Necessary for our legitimate interests in ensuring
that our third party providers such as external consultants and contractors are
able to provide support services to us.

Purpose: To deal with new enquiries.
Types of personal data used: Identity and Contact Data, including any data you
provide when completing the ‘Contact Us’ form on this website; Child Data.
Lawful basis for processing: Necessary for our legitimate interests in the
operation of our organisation in order to be able to respond to and deal with
new enquiries. Where we collect and process Child Data in the context of a new
enquiry, we do so for our legitimate interests in the operation of our
organisation in order to be able to respond to and deal with new enquiries.

Purpose: To facilitate your account if you join our lottery, including
undertaking any necessary age restriction checks and fraud prevention measures.
Types of personal data used: Identity and Contact Data; Financial Data.
Lawful basis for processing: Necessary for the performance of the contract that
will be in place between us.

Purpose: To administer a donation you make to us, or to administer you as a
gift aid donor. Including communicating with you in the event of a query.
Types of personal data used: Identity and Contact Data; Financial Data.
Lawful basis for processing: Necessary for the performance of the contract that
will be in place between us, and for our legitimate interests in the operation
of our organisation in order to be able to collect and process donations.

Purpose: To sign you up for, and communicate with you in relation to an event
or activity you wish to take part in.
Types of personal data used: Identity and Contact Data; Financial Data; Child
Data.
Lawful basis for processing: Necessary for the performance of the contract that
will be in place between us and for our legitimate interests in the operation
of our organisation in arranging and facilitating fundraising and awareness
events and activities. Where we collect and process Child Data in the context
of an event, we do so for our legitimate interests in the operation of our
organisation in arranging and facilitating fundraising awareness events and
activities.

Purpose: To communicate with you once you have decided to leave the hospice as
a volunteer, so that we can send you information about new events or activities
you may wish to take part in in the future, or to send you any other
information we think you may find interesting.
Types of personal data used: Identity and Contact Data.
Lawful basis for processing: Necessary for our legitimate interests in
developing, marketing and promoting our organisation.

Purpose: To undertake market research in order to improve the products and
services we offer.
Types of personal data used: Identity and Contact Data; Profile Data.
Lawful basis for processing: Necessary for our legitimate interests to ensure
that the goods and services we provide and the work we do are appropriate.

Purpose: To create a profile about you to understand your preferences,
including analysing demographic and geographic information.
Types of personal data used: Identity and Contact Data; Profile Data.
Lawful basis for processing: Necessary for our legitimate interests to ensure
that our fundraising work is effective and to improve our ability to meet our
aims.

Where it
is appropriate we may also ask for:

  • information relating to your health (for example if you are taking part
    in a high risk event such as one of our treks or skydives)
  • how you heard about the event/activity/Hospice
  • why you have decided to donate to us. We understand that you may have
    private reasons and we only want to know the answer if you are comfortable
    telling us; you are under no obligation to do so
  • your bank or credit card details (these are used for the single
    transaction only and are destroyed after use).
    No credit card information is retained by the Hospice.

How we will use your Personal Data

All
personal data that we obtain about you and/or any other person whose details
you provide will be recorded, used, and protected by us in accordance with
current data protection law and this Privacy Policy. We will primarily use the
personal data for the following purposes:

  • To provide the products and services you request (including taking
    payments) and to communicate with you in the event that any products or
    services requested are unavailable, or if there is a query or problem with your
    request, to process your application for a job or volunteer role with us
  • Charity fundraising. To administer any donations (including taking
    payments) you agree to make, including complying with Gift Aid requirements and
    to communicate with you in the event of a query
  • personnel matters. To administer your employment or voluntary work where
    you become an employee or volunteer
  • fraud prevention. To detect and reduce fraud and credit risk
  • market research. To carry out market research so that we can improve the
    products and services we offer
  • demographic analysis and preferencing. To create an individual profile
    for you (including analysing demographic and geographic information) so that we
    can enhance your experience and relationship with us, understand and respect
    your preferences and to provide information and details of relevant offers and
    opportunities where you have agreed to receive them. We may undertake
    in-house research and engage third party organisations such as fundraising
    agencies to help us identify people who may be able to support us with a larger
    gift or in other ways, using publicly available records. We may also collect
    information on your interests, for example board memberships, hobbies, or
    articles about you in the media. We use this information to tailor our
    communication with you and invite potential supporters to meetings, groups and
    events which may be of interest to you.
  • Charity Regulation. To comply with our obligations as a Charity.
  • website monitoring. To use IP addresses and monitor website use to
    identify locations, block disruptive use, record website traffic or personalise
    the way information is presented to you

Consent and lawful processing of personal data

The legal basis for the collection and use of your personal data is that you
have given your consent and/or it is in our legitimate interests to contact
you. We need to do
so in order to support Hospice needs in the area; your rights and freedoms are
not prejudiced by this. Please see the table above for further information.

Disclosing your personal data

We do not
sell personal data.

In order
to provide our products and services, we may, occasionally, appoint other
organisations to carry out some of the processing activities on our behalf.
These may include, for example, technology hosts, event administration,
printing companies and mailing houses. In these circumstances, we will ensure
that your personal data is properly protected and that it is only used in
accordance with this Privacy Policy and our instructions.

We use third party electronic payment providers to administer some
transactions. They have their own privacy policies and we encourage you to read
them. St Margaret of Scotland Hospice is registered as compliant with PCI DSS
(Payment Card Industry Data Security Standards) and this is renewed annually.
The data security standards were designed to ensure that ALL companies
that accept, process, store or transmit credit card information maintain a
secure environment and to reduce credit card fraud.

On very rare occasions, we may be required to disclose your details to the
police,
regulatory bodies or legal advisors or to comply with a court order or a legal
obligation. In these circumstances we would be careful to only provide
information that we are required to provide. 

SPECIAL CATEGORIES OF DATA

By the
nature of what we do, we may need to process ‘special categories’ of data for
clinical purposes. A special category of data would include details about your
race or ethnicity, sex life, sexual orientation, and information about your
health and genetic data.

St
Margaret of Scotland Hospice is a local, independent Charity and we are not
part of the NHS, but we do work very closely with all NHS services in Glasgow/West
Dunbartonshire and East Dunbartonshire. Clinical information is part of the NHS
records system. This allows us to share information securely with your GP and
other care professionals.

If you are a patient or service user, we may contact you with
important information regarding your care or support available to you, in the
way that you have requested.

If you are the next of kin of a patient, we may
contact you in the event of the death of a patient with further information on
our services, for example, to offer bereavement support.

If you have agreed to take part in a clinical research study,
the information about your health and care may be provided to
researchers running other research studies in this organisation and in other
organisations. These organisations may be universities, NHS organisations or
companies involved in health and care research in this country or abroad.

In
accordance with NHS guidance, the Hospice has an appointed Caldicott Guardian;
a senior member of staff responsible for protecting patient confidentiality and
enabling appropriate sharing. The sharing of sensitive personal information is
strictly controlled by law. We will consult you before information about you is
shared to ensure we act with your consent. If you are unable to consent for any
reason, we will only share information where it is in your best interests to do
so.

If you are
unable to consent to the processing of your personal data for any reason, for
example if you are physically or legally incapable of giving your consent we
will only share your information on the basis that it is necessary in order to
protect your vital interests, and it is also necessary in our legitimate
interests in providing our proper care to you.

We may
also process special categories of data about you if we need to assess your
health needs such as to administer medicine to you or for the purposes of
medical diagnosis. We would process your data in this way on the basis that it
is necessary for the purposes of preventative or occupational medicine, or for
medical diagnosis, as well as it being in our legitimate interests in providing
our proper care to you.

WEBSITE

IP addresses

In order
to understand how users use this website and our services, we may collect your
Internet Protocol addresses (also known as IP addresses). Your IP address is a
unique address that computer devices (such as PCs, tablets and smartphones) use
to identify themselves and in order to communicate with other devices in the
network.

Cookies

We use
cookies on the Hospice website to make your browsing experience more efficient
and enjoyable.

Cookies
are small text (.txt) files containing basic information about a particular
website and user. We use traffic log cookies to identify which pages are being
used. This helps us analyse data about web page traffic and improve our website
in order to tailor it to customer needs.

If you
would like to disable cookies, you can change your browser settings to reject
cookies. However, this may negatively affect how some of our content is
displayed and how our website functions.

For more
information about cookies, visit www.aboutcookies.org.

Links to other websites

Please
note this website may contain links to other websites that are not controlled
by us. These links are provided for your convenience. Clicking on those links
or enabling those connections may allow third parties to collect or share data
about you. We are only responsible for our privacy practices and our security.
We recommend that you check the privacy and security policies and procedures of
each and every other website that you visit and each organisation that holds
your personal data.

HOW WE MIGHT CONTACT YOU

We may
need to contact you for various reasons in a number of ways. If you have given
consent or there is legitimate interest, we may use your data, including
identity and contact data, technical data and marketing and communications
data, to contact you with further information about the Hospice, our work,
fundraising requests and any news or upcoming events. We will not send you
such communications if we know that you are a child.

Email
communications may contain tracking beacons/tracked clickable links or similar
server technologies in order to track subscriber activity within email
marketing messages. Where used, such marketing messages may record a range of
subscriber data relating to engagement, geographic, demographics and already
stored subscriber data.

We will
usually try to tailor the communications we send to you so that they are
relevant and in line with the preference options you have chosen which form
part of the personal profile we will create for you.

Preferences / Subscribe / Unsubscribe

You and
any other person whose personal data you have provided to us can change
your/their mind about whether you wish to receive information.

You can
change your preferences at any time by using any of the methods shown below
(see the section ‘Updating and correcting personal data’) or by following the
instructions with each communication you/they receive.

Please
note it may take up to one month for your changes to be implemented and for
communications to start or cease.

SECURITY

We take
the security of personal data seriously. We employ security technology,
including firewalls, and encryption to safeguard personal data and have procedures
in place to ensure that our paper and computer systems and databases are
protected against unauthorised disclosure, use, loss and damage.

Personal
data in our databases is only accessible by appropriately trained staff and
volunteers who need to access your personal data as an essential part of their
role. All access is tracked through individual login credentials.

We only
use third party service providers where we are satisfied that the security they
provide for your personal data is at least as stringent as we use ourselves.
They will only process your personal data on our instructions, for specified
purposes, and are subject to a duty of confidentiality.

RETENTION

We will
retain your personal data for as long as necessary to fulfil the purposes we
collected it for, including for the purposes of satisfying any legal,
accounting, insurance or reporting requirements.

To
determine the appropriate retention period for personal data, we consider the
amount, nature, and sensitivity of the personal data, the potential risk of
harm from unauthorised use or disclosure of your personal data, the purposes
for which we process your personal data, and the applicable legal requirements.

In some
circumstances, we may anonymise personal data (so that it can no longer be
associated with you) for research or statistical purposes in which case we may
use this information indefinitely without further notice to you.

Everyone
who has supported the Hospice in some way will hear from us at least once a
year, unless you have opted out of communication from us. We will continue to
do this until you tell us otherwise. We will always provide details in our
communications of how you can opt out.

TRANSFER OUTSIDE OF EUROPE

If we ever
need to transfer your personal data to other territories outside of the United
Kingdom or the European Economic Area, we will take proper steps to ensure that
it is protected in accordance with this Privacy Policy and applicable privacy
laws.

CHANGES TO THIS POLICY

Privacy
laws and practice are constantly developing and we aim to meet high standards.
Our policies and procedures are, therefore, under continual review. We may,
from time to time, update our security and privacy policies.

We will
ensure our website has our most up to date policy and suggest that you check
this page periodically to review our latest version.

UPDATING OR CORRECTING YOUR DATA

It is
important that the personal data we hold about you is accurate and current.
Please keep us informed if your personal data changes during your relationship
with us.

In order
to save the Hospice money, we may use data cleansing services to update us on
people who have moved home or who have died. If you have registered a change of
address with the Post Office’s National Change of Address database, we will
update your details through this mechanism. Similarly, for relevant activity,
if you use the Fundraising Preference Service to withdraw consent to receiving
direct marketing from us, we will amend our records accordingly.

You may update
or correct your personal data by contacting us at the address below, asking us
to update your details. Please include your name, address and/or email address
when you contact us as this helps us to ensure that we accept amendments only
from the correct person.

If you are
providing updates or corrections about another person, we may require you to
provide us with proof that you are authorised to provide that information to
us. You must also ensure that you have that person’s consent to pass on their details
and make them aware of this privacy policy.

If you
wish us to remove your data, please email remove@smh.org.uk.

YOUR RIGHTS

You have a
number of legal rights in respect of your personal data. Depending on the
circumstances, these may include:

  • access. The right to receive a copy of
    the personal data that we hold about you. The same right applies to any other
    person whose personal data you provide to us. We will require proof of identity
    and proof of authority if the request comes from someone other than the person
    whose data we are asked to provide. This will ensure we only provide
    information to the correct person. In the first instance, please email
    rightofaccess@smh.org.uk or write to the Hospice Administrator or Data
    Protection Officer (see Contacts section). We normally expect to
    respond to requests within one month of receiving them.
  • withdraw consent to direct marketing. You can
    exercise this right at any time and can ask us to update your preferences.
    See section ‘Updating and correcting your personal data’ above for details.
  • withdraw consent to other processing. Where
    the only legal basis for our processing your personal data is that we have your
    consent to do so, you may withdraw your consent to that processing at any time
    and we will have to stop processing your personal data. Please note, this will
    only affect a new activity and does not mean that processing carried out before
    you withdrew your consent is unlawful.
  • rectification. If you consider any of your
    personal data is inaccurate, you can correct it yourself or ask us to do it for
    you (see section ‘Updating and correcting your personal data’ above for
    details).
  • restriction. In limited circumstances you may be
    able to require us to restrict our processing of your personal data. For
    example, if you consider what we hold is inaccurate and we disagree, the
    processing may be restricted until the accuracy has been verified.
  • erasure. Where we have no lawful basis for
    holding onto your personal data you may ask us to delete it.
  • portability. In limited circumstances you may be
    entitled to have the personal data you have provided to us sent electronically
    to you for you to provide to another organisation.
  • to complain to the Information Commissioner’s Office. This is the UK
    supervisory authority for data protection issues. You
    can find information on how to make a complaint at www.ico.org.uk. We would,
    however, like the
    opportunity to assist with any concerns before you approach the ICO, so please
    contact us in the first instance using the details above.

Exercising your rights

Please
contact us if you wish to exercise any of your rights.

You will
not have to pay a fee to access your personal data (or to exercise any other
rights). However, we may charge a reasonable fee if your request is considered
unfounded, repetitive or excessive. Alternatively, we may refuse to comply with
your request in these circumstances.

We may
need to request specific information from you to help us confirm your identity
and ensure your right to access your personal data (or to exercise any of your
other rights). This is a security measure to ensure personal data is not
disclosed to a person who has no right to receive it. We may also contact you
to ask you to clarify your request to speed up our response.

We try to
respond to all legitimate requests within one month. Occasionally it may take
us longer than a month if your request is particularly complex or you have made
a number of requests, in which case we will keep you updated.

CONTACT

St
Margaret of Scotland Hospice is the Data Controller in respect of all personal
data collected by us. We employ a
specialist Data Protection Officer to ensure we comply with our legal duties.

The
contact details are as follows:

Clare Murphy
Administrator
St Margaret of Scotland Hospice
East Barns Street
Clydebank
G81 1EG
Phone: 0141 952 1141
Email: clare.murphy@smh.org.uk

John McGlone CISSP CRISC
Data Protection Officer
Cyber Consultancy & Privacy Practice
11 Market Street
Stirling
FK8 1TU
Phone: 0333 305 6558
Email: DPO@MSCLtd.org