Privacy and Data Protection

Information you need to know:

Saint Catherine’s is a ‘data controller’ under the (DPA) and GDPR meaning that ‘We have notified the Information Commissioner (ICO) that we process personal data’. We are registered as a ‘Data Controller with the ICO, our registration number is Z5653082 full details are publicly available from:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF
can be found on their web site

Information Commissioner’s Office

• You can Contact us at:
Saint Catherine’s Hospice 
Throxenby Lane 
Scarborough 
YO12 5RE

• You can email us at: general@saintcatherines.org.uk
• The Data Protection Officer is: Bruce & Butler

The General Data Protection Regulation (GDPR) is a regulation that the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

The principle of GDPR is to give control back to citizens and residents over their personal data and to simplify and clarify how and why information about you might be used. It becomes enforceable from 25 May 2018.

Under the GDPR Saint Catherine’s Hospice is a ‘Data Controller’ and we are working to be GDPR compliant. Part of our obligations under the GDPR is being open and transparent about the lawful basis under which we process personal data, what data we record and hold about our patients, the security we employ to keep it safe, what we do with it, who we might share it with and how long we keep it this, and ultimately dispose of it. We also set out your right of access to the data we hold about you.

The following pages and links set out in what we hope is an easily understood and easy to follow format, but that does not stop you contacting us if you have any questions. The contact details for our Data Protection Officer are under the contact us section.

Saint Catherine’s Hospice is a specialist palliative care provider, to be effective and give you the best possible care across all of the services we provide, we need to keep important information about our patients and, where appropriate, their next of kin.

The privacy and confidentiality of our patients data is an organisation wide priority. We follow the required national approach to this, called Information Governance. This requires us to have effective data protection measures in place, along with the correct processes for handling of personal and sensitive information about patients, staff and our volunteers, as well as how we work with any individual, business or organisation that supports us or partners with us. Information is dealt with legally, securely, efficiently and effectively.

In order to treat patients effectively we collect personal information about your treatment history and care in paper and/or electronic format.

Your information is used to ensure:

• Staff and services caring for you within Saint Catherine’s have accurate, up-to-date information to guide provision of the best care for you
• We can contact you in relation to your care and treatment
• Treatment and services we provide meet local community needs
• Efficient and effective referral to other services and providers where needed

Your information may also be used for other purposes:

• Public health needs
• Review and audit of the quality of care we provide
• To teach and train healthcare workers
• Conduct research
• Investigation of complaints
• Preparation of statistics to commissioning bodies
• Monitoring health budget spending

If you do not want certain information shared please talk to the person staff providing your care your care.

The information we hold about you may include the following

• Your full name and title
• Data of birth
• Home address, telephone number[s], email address
• Marital status
• GP’s name and surgery details
• Medical records and test results
• Troublesome symptoms that you tell us are important to be addressed
• Medications you are taking
• Details of your carer and family members and their contact details
• Any allergies
• Should you have a disability
• Racial and ethnic background
• Religious or spiritual believes
• All telephone calls, whether made or received by us, are recorded for quality, training and monitoring purposes. This includes calls made to our shops as well as the main hospice.
• We may also record meetings and video calls made on other platforms, such as Microsoft Teams or Zoom, where it is appropriate to do so.

The healthcare professionals within Saint Catherine’s Hospice who provide your care will use your information to:

• Confirm who you are when we contact you or when you contact us
• Make decisions about your ongoing care and treatment
• Make sure your care is safe and effective
• Check the quality of your care
• Enable us to contact your carer and/or next of kin as directed or consented to by you

We may also use your data, in an anonymised format, where you will not be personally identifiable, for one or more of the following purposes:

• Check and report on how effective the hospice’s services are
• To improve and develop our staff as part of our training programme [you will always be given the option to choose whether to be involved or not and we will only do so with your consent]
• To help us manage and plan our services, and to constantly be able to review and improve
• Investigate complaints, legal claims or important incidents
• As part of a research project, to enable us to continually strive to offer the best possible care [your consent will be required first and you remain anonymous]
• Ensure that money is used properly to pay for the services we provide
• Make sure our services are planned to meet patients’ needs both now and into the future

Saint Catherine’s staff and volunteers are legally obligated to keep patient information strictly confidential. We may keep your information in written form or on computers or computerised system(s). The information held in these systems is primarily used for healthcare purposes, but may also be used for other non-healthcare related purposes, and shared with other statutory bodies/organisations to enable them to fulfil their statutory obligations, as detailed under the GDPR.

The information will only be shared with other organisations where there is a statutory obligation to do so, or with the agreement of our Caldicott Guardian. Whenever possible all information that identifies you in such instances will be removed.

Sharing of sensitive personal information is strictly controlled by the GDPR. Saint Catherine’s is required to let you know who we share your information with.

In general those providing your care will commonly share your records with those organisations which have a genuine need for it and with your consent.

Internally: Our clinical and clinical administrative staff share your records in order to optimise your care and treatment. The same applies to those providing counselling, emotional and spiritual support. Any of Saint Catherine’s staff directly involved in your care are deemed to have a legitimate interest in your data.

Items of sensitive data where you have the option of consenting to it’s sharing, will only be available to those you have nominated. Unless we are required to share it within the limited criteria within the GDPR

External Sharing: Your records may be shared with other healthcare professionals or organisations for example, your GP, consultants, referring hospital or service. Information may be shared with trainee healthcare professionals to facilitate training, unless you withhold that consent.

We may be required to share certain information with management or governing bodies. As explained under ‘how do we use information about our patients?’

This could include those who we provide a commissioned service too, the Clinical Commissioning Groups [CCGs] and those who monitor and audit our performance the Care Quality Commission [CQC], any such data will only be used for purposes of contributing to audits, public health, and standards regulation.

When we pass on information we have a duty under the GDPR to ensure its transfer is secure and confidentiality is maintained.

We will never share recordings of telephone calls or any transcripts produced from these with any third party without the explicit consent of all participants.

Commonly we provide information to your GP, hospital consultant and other healthcare organisation involved in your care. We communicate by letter or email, proving them with referral details, discharge summaries and we usually ask you if you would like a copy, if you do, we will send you a copy of the letters.

You have the right of Consent in this matter, and If you have any concerns or reservations about sharing your information with a particular professional or organisation please discuss this with your clinical team. We will respect your decision.

There may be times when we are required by law to share your information without your consent.

Occasionally we are required by law to share information from your record. For example: if there is an infection control risk that could put others at risk; a request from the CQC for audit data; a formal court or police order; or where a crime has been committed.

Such exemptions are covered under the GDPR. In such cases where there is a legal basis under the GDPR we may be prevented from respecting your wishes not to share your data.

Saint Catherine’s take our duty to protect your personal information and confidentiality seriously. We place it as an organisation wide priority, and are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible. This applies to both computerised and paper records.

Various roles within the organisation are responsible for this are they include the following the  Senior Information Risk Owner (SIRO), our ‘Caldicott Guardian’, our Data Protection officer and IT manager, who between them are  responsible for the Use, Processing, Security and management of patient information and patient confidentiality.

We also have governance committees that span the activity of Saint Catherine’s. These committee’s meet regularly, with part of their remit being to ensure all staff are aware of their information governance responsibilities, that Saint Catherine’s follow best practice guidelines, ensure the necessary safeguards and appropriate use of person-identifiable and confidential information are in place, followed and maintained

All staff are required to undertake annual information governance training and are provided with an information governance user handbook that they are required to read, understand, agreed and to adhered to.

All of our staff are required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.

Additionally all working at, or for Saint Catherine’s is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by you as the data subject, unless it is required or permitted under the GDPR or other legislation.

You or your legal representative have the right to apply for access to data held about you, this includes the Information/data we hold about you at Saint Catherine’s.

You can make an informal request during a consultation, or you can formally call or write to us to request to see your records. In addition you also have the right to obtain copies of your records. We will send you the required requested documents to complete, please be aware we will require proof of Iditenty as part of the process.

We aim to respond to your request within 21 working days from receipt of the completed documents.

Please contact us to make an application, using any of the following:

The Data Protection Officer
Saint Catherine’s Hospice
Throxenbury Lane
Scarborough
YO12 5RE

Information.Governance@saintcatherines.org.uk

01723 351421

Saint Catherine’s will process information provided by applicants for the management of their application and the subsequent selection process. This involves providing details to the short-listing and selection panels. Other details are kept to help fulfil our obligations to monitor equality and diversity within the organisation and in the application process. You can find more information about the use of personal data throughout the application process.
Information will be retained on interview performance and the application in line with the retention periods of Saint Catherine’s. Our HR Department can provide you with more information should you have further questions on how we might use your personal information as an applicant.

As a registered charity, Saint Catherine’s Hospice is reliant on the support of businesses and other organisations and individuals who so generously donate and/or fundraise for us. We keep all records and personal information about our supporters and volunteers on a data management system called DonorFlex. This information is kept strictly confidential and in accordance with the Data Protection Act 1998.
The DonorFlex database is completely separate from and has no interaction with any clinical system or how we manage patient information. 
Your permission and authorisation (explicit consent) must be given before we can record your personal information on our supporter database and there is no access to any medical information if you are also one of our patients.
We will always ensure we respect your preferences on how and when we contact you.

You always have a choice and the right to change your mind or preferences at any time.
However, for those under our care [patients, carers or family members] failure to provide ‘necessary’ medical and personal information could result in us being unable to care for you. Your safety and appropriate care and treatment means we must maintain an accurate record of necessary information about you.
If you have any concerns about providing information or how we share it with other healthcare providers, please discuss this with our staff who are here to support you in any way they can and to elevate any concerns you might have. 
For those wishing to work with us or for us, failure to provide the necessary information could result in us being unable to process your application or bid to partner/work with us.