Privacy and Data Protection
Data Protection Notification
Information you need to know:
Saint Catherine’s is a ‘data controller’ under the (DPA) and GDPR meaning that ‘We have notified the Information Commissioner (ICO) that we process personal data’. We are registered as a ‘Data Controller with the ICO, our registration number is Z5653082 full details are publicly available from:
Information Commissioner’s Office
Wilmslow SK9 5AF
can be found on their web site
• You can Contact us at:
Saint Catherine’s Hospice
The General Data Protection Regulation (GDPR) is a regulation that the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
The principle of GDPR is to give control back to citizens and residents over their personal data and to simplify and clarify how and why information about you might be used. It becomes enforceable from 25 May 2018.
Under the GDPR Saint Catherine’s Hospice is a ‘Data Controller’ and we are working to be GDPR compliant. Part of our obligations under the GDPR is being open and transparent about the lawful basis under which we process personal data, what data we record and hold about our patients, the security we employ to keep it safe, what we do with it, who we might share it with and how long we keep it this, and ultimately dispose of it. We also set out your right of access to the data we hold about you.
The following pages and links set out in what we hope is an easily understood and easy to follow format, but that does not stop you contacting us if you have any questions. The contact details for our Data Protection Officer are under the contact us section.
Saint Catherine’s Hospice is a specialist palliative care provider, to be effective and give you the best possible care across all of the services we provide, we need to keep important information about our patients and, where appropriate, their next of kin.
The privacy and confidentiality of our patients data is an organisation wide priority. We follow the required national approach to this, called Information Governance. This requires us to have effective data protection measures in place, along with the correct processes for handling of personal and sensitive information about patients, staff and our volunteers, as well as how we work with any individual, business or organisation that supports us or partners with us. Information is dealt with legally, securely, efficiently and effectively.
Why do we collect personal data about you?
In order to treat patients effectively we collect personal information about your treatment history and care in paper and/or electronic format.
Your information is used to ensure:
- Staff and services caring for you within Saint Catherine’s have accurate, up-to-date information to guide provision of the best care for you
- We can contact you in relation to your care and treatment
- Treatment and services we provide meet local community needs
- Efficient and effective referral to other services and providers where needed
Your information may also be used for other purposes:
- Public health needs
- Review and audit of the quality of care we provide
- To teach and train healthcare workers
- Conduct research
- Investigation of complaints
- Preparation of statistics to commissioning bodies
- Monitoring health budget spending
If you do not want certain information shared please talk to the person staff providing your care your care.
What types of data do we hold?
The information we hold about you may include the following
- Your full name and title
- Data of birth
- Home address, telephone number[s], email address
- Marital status
- GP’s name and surgery details
- Medical records and test results
- Troublesome symptoms that you tell us are important to be addressed
- Medications you are taking
- Details of your carer and family members and their contact details
- Any allergies
- Should you have a disability
- Racial and ethnic background
- Religious or spiritual believes
How do we use information about our patients?
The healthcare professionals within Saint Catherine’s Hospice who provide your care will use your information to:
- Confirm who you are when we contact you or when you contact us
- Make decisions about your ongoing care and treatment
- Make sure your care is safe and effective
- Check the quality of your care
- Enable us to contact your carer and/or next of kin as directed or consented to by you
We may also use your data, in an anonymised format, where you will not be personally identifiable, for one or more of the following purposes:
- Check and report on how effective the hospice’s services are
- To improve and develop our staff as part of our training programme [you will always be given the option to choose whether to be involved or not and we will only do so with your consent]
- To help us manage and plan our services, and to constantly be able to review and improve
- Investigate complaints, legal claims or important incidents
- As part of a research project, to enable us to continually strive to offer the best possible care [your consent will be required first and you remain anonymous]
- Ensure that money is used properly to pay for the services we provide
- Make sure our services are planned to meet patients’ needs both now and into the future
Saint Catherine’s staff and volunteers are legally obligated to keep patient information strictly confidential. We may keep your information in written form or on computers or computerised system(s). The information held in these systems is primarily used for healthcare purposes, but may also be used for other non-healthcare related purposes, and shared with other statutory bodies/organisations to enable them to fulfil their statutory obligations, as detailed under the GDPR.
The information will only be shared with other organisations where there is a statutory obligation to do so, or with the agreement of our Caldicott Guardian. Whenever possible all information that identifies you in such instances will be removed.
Sharing of sensitive personal information is strictly controlled by the GDPR. Saint Catherine’s is required to let you know who we share your information with.
In general those providing your care will commonly share your records with those organisations which have a genuine need for it and with your consent.
Internally: Our clinical and clinical administrative staff share your records in order to optimise your care and treatment. The same applies to those providing counselling, emotional and spiritual support. Any of Saint Catherine’s staff directly involved in your care are deemed to have a legitimate interest in your data.
Items of sensitive data where you have the option of consenting to it’s sharing, will only be available to those you have nominated. Unless we are required to share it within the limited criteria within the GDPR
External Sharing: Your records may be shared with other healthcare professionals or organisations for example, your GP, consultants, referring hospital or service. Information may be shared with trainee healthcare professionals to facilitate training, unless you withhold that consent.
We may be required to share certain information with management or governing bodies. As explained under ‘how do we use information about our patients?’
This could include those who we provide a commissioned service too, the Clinical Commissioning Groups [CCGs] and those who monitor and audit our performance the Care Quality Commission [CQC], any such data will only be used for purposes of contributing to audits, public health, and standards regulation.
When we pass on information we have a duty under the GDPR to ensure its transfer is secure and confidentiality is maintained.
Sharing your information with other healthcare providers and organisations
Commonly we provide information to your GP, hospital consultant and other healthcare organisation involved in your care. We communicate by letter or email, proving them with referral details, discharge summaries and we usually ask you if you would like a copy, if you do, we will send you a copy of the letters.
You have the right of Consent in this matter, and If you have any concerns or reservations about sharing your information with a particular professional or organisation please discuss this with your clinical team. We will respect your decision.
Sharing my information without my consent
There may be times when we are required by law to share your information without your consent.
Occasionally we are required by law to share information from your record. For example: if there is an infection control risk that could put others at risk; a request from the CQC for audit data; a formal court or police order; or where a crime has been committed.
Such exemptions are covered under the GDPR. In such cases where there is a legal basis under the GDPR we may be prevented from respecting your wishes not to share your data.
Security of your information
Saint Catherine’s take our duty to protect your personal information and confidentiality seriously. We place it as an organisation wide priority, and are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible. This applies to both computerised and paper records.
Various roles within the organisation are responsible for this are they include the following the Senior Information Risk Owner (SIRO), our ‘Caldicott Guardian’, our Data Protection officer and IT manager, who between them are responsible for the Use, Processing, Security and management of patient information and patient confidentiality.
We also have governance committees that span the activity of Saint Catherine’s. These committee’s meet regularly, with part of their remit being to ensure all staff are aware of their information governance responsibilities, that Saint Catherine’s follow best practice guidelines, ensure the necessary safeguards and appropriate use of person-identifiable and confidential information are in place, followed and maintained
All staff are required to undertake annual information governance training and are provided with an information governance user handbook that they are required to read, understand, agreed and to adhered to.
All of our staff are required to protect your information, and inform you of how your information will be used. This includes, in most circumstances, allowing you to decide if and how your information can be shared.
Additionally all working at, or for Saint Catherine’s is subject to the common law duty of confidentiality. Information provided in confidence will only be used for the purposes advised and consented to by you as the data subject, unless it is required or permitted under the GDPR or other legislation.
How to access your personal information
You or your legal representative have the right to apply for access to data held about you, this includes the Information/data we hold about you at Saint Catherine’s.
You can make an informal request during a consultation, or you can formally call or write to us to request to see your records. In addition you also have the right to obtain copies of your records. We will send you the required requested documents to complete, please be aware we will require proof of Iditenty as part of the process.
We aim to respond to your request within 21 working days from receipt of the completed documents.
Please contact us to make an application, using any of the following:
The Data Protection Officer
Saint Catherine’s Hospice
Information for job applications
Saint Catherine’s will process information provided by applicants for the management of their application and the subsequent selection process. This involves providing details to the short-listing and selection panels. Other details are kept to help fulfil our obligations to monitor equality and diversity within the organisation and in the application process. You can find more information about the use of personal data throughout the application process.
Information will be retained on interview performance and the application in line with the retention periods of Saint Catherine’s. Our HR Department can provide you with more information should you have further questions on how we might use your personal information as an applicant.
As a registered charity, Saint Catherine’s Hospice is reliant on the support of businesses and other organisations and individuals who so generously donate and/or fundraise for us. We keep all records and personal information about our supporters and volunteers on a data management system called DonorFlex. This information is kept strictly confidential and in accordance with the Data Protection Act 1998.
The DonorFlex database is completely separate from and has no interaction with any clinical system or how we manage patient information.
Your permission and authorisation (explicit consent) must be given before we can record your personal information on our supporter database and there is no access to any medical information if you are also one of our patients.
We will always ensure we respect your preferences on how and when we contact you.
What if I do not want you to keep information about me?
You always have a choice and the right to change your mind or preferences at any time.
However, for those under our care [patients, carers or family members] failure to provide ‘necessary’ medical and personal information could result in us being unable to care for you. Your safety and appropriate care and treatment means we must maintain an accurate record of necessary information about you.
If you have any concerns about providing information or how we share it with other healthcare providers, please discuss this with our staff who are here to support you in any way they can and to elevate any concerns you might have.
For those wishing to work with us or for us, failure to provide the necessary information could result in us being unable to process your application or bid to partner/work with us.