Privacy Statement

Introduction
For Data Protection* requirements the data controller is Barnsley Hospice, Church Street, Barnsley, South Yorkshire S75 2RL. This is also our registered office. Our registered charity number is 700586

We are registered with the Information Commissioner (reg. no. Z6910489)

Contacting us
If you want to request further information about this privacy notice or exercise any of your rights, you can email us at enquiries@barnsley-hospice.org

Our commitment to you

Barnsley Hospice collects, stores and processes personal information during the course of our activities and we recognise the need to treat personal and sensitive information in a fair, lawful and transparent manner. No personal information held by us will be processed unless the requirements for fair, lawful and transparent processing can be met.

Access to personal and sensitive data is controlled, and only available on a ‘need to know’ basis. All our staff receive training on the principles of data protection and information security. We also train our volunteers if they handle personal data.

We process personal information about patients and their family members, carers, or friends; about our donors and supporters and our suppliers and contractors.

Processing can mean any of the following:

  • Collecting
  • Accessing
  • Recording
  • Holding
  • Viewing
  • Analysing
  • Storing
  • Adapting
  • Altering
  • Deleting
  • Disclosing

We have a separate privacy notice for our employees and volunteers.

Barnsley Hospice uses both paper and electronic systems to process the information of our patients, staff, volunteers, donors, supporters and visitors. As an organisation, we comply with the Data Protection Act 2018 and UK General Data Protection Regulation to ensure that your information is secure, that its integrity is maintained and that it is available when we/you need it.

Your Data Protection Rights

You have certain rights in relation to your personal information, although those rights may not apply in all cases or to all the information that we hold about you. For example, we may need to continue to hold and process information to establish, exercise or defend our legal rights.


Under Data Protection law, if we hold information about you, you have the following rights:

  • To be informed why, where and how we use your information.
  • To ask for access to your information.
  • To ask for your information to be corrected if it is inaccurate or incomplete.
  • To ask for your information to be deleted or removed where there is no need for us to continue processing it.
  • To ask us to restrict the use of your information.
  • To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
  • To object to how your information is used. You can object to us processing your data at any time. If you do object, we will stop processing your data immediately and will only reinstate processing if we can confidently prove that we have an overriding reason to do so. However, it may be that we cannot provide our services safely without processing this data, which may mean we would have to withdraw our service.
  • To challenge any decisions made without human intervention (automated decision making).

Lawful basis for processing

We must have a lawful basis for processing your information; this will vary on the circumstances of why we process and how we use your information, but typical examples include:

  • The activities are within our legitimate interests as a charity that provides hospice care. Barnsley Hospice has a duty of care for its patients, and processing is necessary for the provision of health and social care, the treatment of patients, and for the management of health or social care systems and services.
  • The processing is necessary for compliance with a legal obligation to which we are subject e.g. we must provide certain contact information and other details about our services to HMRC and the Charities Commission.
  • The processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
  • An individual has given consent for us to process their information.
  • To protect vital interests e.g. the processing is necessary to protect someone’s life.

If we process any special categories of information i.e. information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, processing of genetic or biometric data for the purpose of uniquely identifying individuals, health data, or data concerning your sex life or sexual orientation, we must have a further lawful basis for the processing. This may include:

  • The processing is necessary to protect the data subject’s vital interests or someone else’s vital interests, e.g. where the data subject is physically or legally incapable of giving consent.
  • The processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.
  • The processing is necessary for: reasons of substantial public interest, for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services based on legislation or pursuant to contract with a health professional and subject to the conditions and safeguards.
  • The data subject gives us their explicit consent to do so.
  • If the public interest is thought to be of greater importance: for example, if a serious crime has been committed; if there are risks to the public or our staff; to protect vulnerable children or adults.
  • Where we have a legal duty, for example reporting some infectious diseases, wounding by firearms and complying with court orders.


What information we collect


Patient Records

Barnsley Hospice collects, stores and processes personal information about prospective, current and former patients who have been referred to us for any care service provided by the Hospice. We also collect, store and process personal information about prospective, current and former family members, carers or friends of patients, where these details have been provided to us for the purposes of providing care.


The personal data we process in relation to our care is provided to us both by the individual and by a third-party healthcare professional who has referred the individual to us for care.

This information can include:

  • Personal demographics (including gender, race, ethnicity, sexual orientation, religion)
  • Contact details such as names, addresses, telephone numbers and emergency contact(s)
  • Medical information including physical health or mental condition, medications, previous treatments and records of care given by other health and social care organisations.
  • Health records are held on paper and electronically and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection Laws.

Our staff are trained to handle your information correctly and protect your confidentiality and privacy; we do not undertake automated decision-making such as profiling.


We maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold on to any other third parties. Your information is not processed overseas.


Information collected about you to deliver your care is also used, or could be used, to assist with:

  • Making sure your care is coordinated and of a high standard.
  • Assessing your condition against a set of criteria to ensure you are receiving the best possible care.
  • Using statistical information to plan services to meet the needs of the population and to support research. Your personal information will not be used for this purpose if you have signed up to the National Data Opt Out. For more information, relating to the National Data Opt Out, click the following link: https://digital.nhs.uk/services/national-data-opt-out

If you would like information about the National Data Opt Out in other formats such as different languages, braille, easier read or British Sign Language (video) please click this link: https://digital.nhs.uk/services/national-data-opt-out/supporting-patients-information-and-resources

  • To manage and audit our services
  • Preparing statistics on our performance for NHS commissioners, the Care Quality Commission and other regulatory bodies.
  • Helping to train staff.  
  • Supporting the funding of your care.
  • Reporting and investigation of complaints, claims and untoward incidents.
  • When you are referred to the Hospice, we need to receive enough information about you to be able to make a decision as to whether you are eligible to receive our services, and whether we are best placed to deliver the care you need. This includes your contact details and information about your health, which is relevant to the service you are being referred to (for example, your past medical history and what medication you are taking). This information is stored on our electronic database.
  • Media quotes from patients/relatives – we would only use quotes in the media if we have the patient or relative’s explicit consent to do this.

Please note: Barnsley Hospice will not use your sensitive/personal identifiable information unless it is absolutely essential. This means that when we are processing your information for non-direct care purposes, we will anonymise it, which means that all personal identifiable information is removed with no possibility of tracing the information back to you in the future; or pseudonomise it, which means that all personal identifiable data is replaced, and highly restricted access is applied to the pseudonimisation code.

Donor and Supporter Records

Barnsley Hospice collects, stores and processes personal information about prospective, current and former donors and supporters of the charity.
The personal data we hold in relation to donors is provided by individuals at the point at which they choose to support Barnsley Hospice or through fundraising donations or via the donation of Gift Aid on the sale of donated goods.

In order to carry out our activities in relation to donors and supporters, we handle data in relation to contact details such as names, addresses, telephone numbers, emails, bank account and credit card details.
Our staff are trained to handle your information correctly and protect your confidentiality and privacy. We maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is only collected for our own marketing purposes and is never collected for or sold to other organisations.

CCTV system

Barnsley Hospice operates a Closed-Circuit Television (CCTV) surveillance system (“the system”) at our head office and in our retail hub with images being monitored and recorded. The system is owned, operated and managed by Doyle Security Ltd.

It is used for maintaining public safety, the security of property and premises and for the detection, prevention and investigating of crime. Where appropriate, in exceptional cases, it may also be used to monitor staff when carrying out work duties. Disclosure of recorded material will only be made to third parties in accordance with the purposes of the system and in compliance with Data Protection legislation.

We do not collect more information than we need to fulfil our stated purposes and will not retain if for longer than is necessary.

Data is stored and managed in each monitored location. Extraction of this data from each location is restricted to authorised personnel only, and is only carried out for legitimate, lawful reasons.

We will retain the images for 30 days after which they will be automatically erased, except where we have taken excerpts for purposes of detection, prevention or investigating crime. Any images retained for this purpose will be erased on completion of our investigations. Where required to do so as part of any external police investigation, we will share such images with the appropriate authorities.

Access to view recorded images is restricted to key individuals but we may be requested to share the images with the Police and other agencies for crime prevention or detection purposes.

How we use and share your personal data

Barnsley Hospice shares personal information with other NHS organisations, non-NHS organisations and Local Authorities who are involved in providing health and social care to you. By sharing information in this way, we are able to work as multi-disciplinary teams to ensure that your health and social care needs are being met.

If we need to share large amounts of sensitive personal information with other organisations, we complete a thorough Data Protection Impact Assessment. Barnsley Hospice will only commence sharing your information once a data sharing agreement is in place and we have assurance that the other organisation is able to offer the same high level of protection for your information as we do. If during the impact assessment process, we are unable to take actions to reduce a high risk to the security of your information, we will submit our assessment to the Information Commissioner’s Office for further review and will not progress until our planned activities have been approved.

In order to process your information and donations to the highest possible standards, we will sometimes need to give other organisations access to your data, for example our database provider.


We will not routinely disclose any information about you without your express permission. However, in addition to the above, there are a number of reasons why we are lawfully required to share information with others. This can be due to:

  • Our obligations to comply with legislation
  • Our duty to comply with any Court Orders which may be imposed
  • Our obligations in respect of the detection and prevention of crime or fraud
  • A public health need such as preventing the spread of infectious diseases
  • A specific need to protect adults or children at risk of abuse or neglect (safeguarding).

For all of our services (including Counselling), your case may be discussed with the staff member’s manager or clinical supervisor in order to provide a safety mechanism to continuously assess competency, and for the health and wellbeing of our staff. However, this is done anonymously, so the manager or supervisor is unaware of who you are.

When we discharge you from our care, we will use your contact details, and the details of your GP, to send out a discharge letter to you as the patient if required, and to your GP.

As part of our PallCall service, we may receive requests for advice over the telephone from patients, their carer(s) or other external health care professionals. We keep a record of advice given for quality review purposes to ensure the right advice is being given and we will also forward this information on to your / the person’s current care team.

Our Bereavement Support service will use the contact details of our patients’ Next of Kin/Family Member(s) to offer support after they are bereaved. We explain this in our bereavement pack and they have the right to object to us contacting them for this purpose, and should they object, we will not contact them to offer this service.

You have the right not to consent to any of the above, or to withdraw your consent at any time, by notifying any of your care providers who will discuss this with you and aim to find the best approach to delivering your care safely within your requirements.

We have a legal obligation to provide information to HMRC regarding Gift Aid claims and will do so to comply with this. We will only send information that is directly relevant for this purpose, and not use it for any other purpose.

The rules within which we must comply are stated here: https://www.gov.uk/claim-gift-aid/gift-aid-declarations

Events processing and lottery

For events that you have paid to attend, we will collect your details for payment, and contact. These are necessary for us to perform our duties under our contract with you. Some events may request further details such as next of kin, where we are responsible for your health and safety. We will only contact your next of kin or pass it onto an emergency care provider if there is a health and safety reason to do so. If you are paying by debit or credit card, we will only use your payment data to process the payment for that event. We will also process your contact details to contact you for events publicity (see below), unless you object to us doing so.

Our literature will explain that event participants have a right to object to us using their contact details to contact them about future events.

We will only process your details for the lottery if you have signed up to do the lottery. This is handled by an external company with whom we have a contract. The contact includes a responsibility to abide by the current Data Protection legislation. Contacting you about the lottery is part of the contract you have signed up to.

Our lottery database is handled externally and is not cross referenced with our Donor database. However, we do share information for data cleansing purposes e.g. where a donor is deceased.

Donations

We will contact you via ‘Thank you letters’, if we need to clarify anything about your donation with you, and via our Newsletters.

You can object to us processing your data for any of the reasons stated in this section, at any time. If you do object, we will stop processing your data immediately and will only reinstate processing if we can confidently prove that we have an overriding reason to do so, which does not impact on you in a detrimental manner.

We also ask if you are able to Gift Aid your donations and we will keep information specifically for this reason, as required by HMRC.

Marketing

We conduct a range of fundraising and marketing activities in relation to:

  • Our cause, campaigns and projects
  • Events and challenges
  • Our retail hub and special offers

We promote our activities though a range of methods and channels, including online and social media platforms. We use personal information to thank you for supporting us and to provide you with further communications about our activities according to your preferences and interests.

We believe that it is fair and reasonable for us to contact you to let you know when events are taking place that are the same or similar to ones that you have previously participated in, unless you object to us doing so. This is necessary for us to be able to continue to provide a viable fundraising service for the Hospice.

By taking a targeted approach to events notification, we feel that this is proportionate and there is no risk of harm or detriment to the recipients. We will always provide details on the right to object to us contacting people in this way and will stop doing so should we receive an objection.

You can update your preferences at any point by contacting us via the details above.

We will not contact you about events if you haven’t participated in any of our events, unless you have given us your consent to contact you for this purpose.

Website Data

When you visit our website, we may collect a variety of information about you to support us in providing you with the best possible service.

You may be asked to supply personal information in certain sections of this (the Barnsley Hospice) website. Personal information means anything that helps us to identify you, such as your name, address or email address. If you supply this information we will not pass it on to any third party. All personal information supplied will only be used for the purpose it was supplied. All data is held securely. We endeavour to take all reasonable steps to protect your personal information; however, we cannot guarantee the security of any data you disclose online. By adding your personal information on this website, you accept the inherent security risks of communications over the internet and you agree not to hold Barnsley Hospice responsible for any breach of security unless this is due to our negligence or wilful default.

The information we collect from our website is used in several ways to help us provide you with a good service and to help us understand how our website is used:
We use information to process your donations and other financial transactions and to address any enquiries and comments, as set out in our ‘Donor Records’ section above.
We use information to supply you with goods and news of events and developments if you request them or give us permission to contact you, as set out in our ‘Donor Records’ section above.
We use information gathered to provide statistics that will guide the future content of our website. If at any time you wish us to remove your personal information from our web servers, you can request this in writing via post or email (contact details given at the end of this document).
When ‘ticking’ any checkbox on this website which indicates that you are willing to be contacted by us, you agree to receiving communications from us via that particular method of communication (e.g. email, letter, text). We take this to mean that you do not consider this as a breach of your rights under the Privacy and Electronic Communication (EC Directive) Regulations 2003.

If you use our website to send feedback or request more information about a particular service or event, the personal information you provide will only be used to answer your enquiry.

In order to process credit card, direct debit or other financial transactions we may ask for your bank or card details. In order to input this information, you will be directed to a secure page for financial transactions. Barnsley Hospice does not store or record any of your bank or card details. Whether you wish to make a donation, pay for goods or events, or set up a sponsored event, all financial interactions are carried out by our chosen Payment Service Providers who are fully compliant with the Payment Card Industry Data Security Standards (PCI DSS).

Payments made on our website are processed by WorldPay (www.worldpay.com/uk). This data is encrypted and credit or debit card information and bank details are not held on our web servers.

Our website may contain links to other sites that are not owned or managed by Barnsley Hospice. Please be aware that we cannot take responsibility for any personal data you choose to enter within these external sites.

How long do we keep your data

Our Data Retention Schedule sets out the criteria we use for how long we keep data.

We will retain personal data for the minimum period required by legislation or national guidance provided by statutory authorities (for example, patient information is kept in line with the NHSX Records Management Code of Practice, 2021).

When no longer required for day to day processing, personal information will be archived, either electronically or if in hard copy, stored in a secure location at the Hospice, or offsite with an approved data management company. All data will be destroyed after the data retention period has ceased.

As we are able to claim gift aid retrospectively for up to 4 years, we believe it is fair for us to keep donor details on our database for up to 4 years, even if the donor has opted out of receiving any marketing or promotional material, or objects to us contacting them under any other legitimate interest. This is because, should they make a future donation and gift aid it, including any other donations they have made in the last 4 years, we would be unable to action this without keeping this record.

Changes to this Privacy Notice

We may from time to time need to update and amend this notice in light of changes in the law or developments in our own or industry standards. Alterations to this policy will be posted on our website.

Complaints

Should you wish to lodge a complaint about the use of your information, details of our complaints policy can be found on our website, or you can email us at: enquiries@barnsley-hospice.org or in writing to: Senior Information Risk Owner, Barnsley Hospice, 104-106 Church Street, Gawber, Barnsley. S75 2RL.
If you are still unhappy with the outcome of your enquiry you can write to the Information Commissioner at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or call 01625 545700.

Data Protection Requirements means the EU General Data Protection Regulation, the Data Protection Act 2018, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice)(Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and all other applicable laws and regulations relating to processing of personal data and privacy in any applicable jurisdiction as amended and replaced, including where applicable the guidance and codes of practice issued by the UK Information Commissioner or such other relevant data protection authority.

Last updated: 10 May 2023

Skip to content