1. Purpose of this Policy

St Elizabeth Care Agency has created this Privacy Policy to ensure compliance with legal and regulatory requirements regarding the Personal Data collected about you. This Privacy Policy explains what personal data might be collected, how and why it would be collected, who it might be shared with and how it is protected.

Appendix A outlines how you can complain to us or the Supervisory Authority, if you have concerns that this Policy is not being applied in relation to your personal data.

2. What personal information could be collected, and how?

The information collected about you is information that you have provided via the company website, by email, in writing, by telephone or in person; or any updates to that information you have provided since, to assist us in delivery care services to you. This includes the following personal data:

• Name, address, telephone number and email address
• Date of birth, ethnic origin, sex / gender and preferred pronouns
• Medical data – which might include medical diagnosis, medication and dosage data, mental health, learning needs or disability data and care plans
• Living needs care plans – which might include home and financial assistance records
• Financial information such as payment and banking data
• Donation and gift aid – but only in relation to those who donate to us
• Emergency, family, and next of kin contact details
• Photographs, videos, case studies – which we will only process with your explicit consent

This information is retained for the duration of your use of our service(s) plus 8 years thereafter, other than where there is a legal requirement to retain it for longer, and always in accordance with our data retention schedule.

Your financial information will be retained for the duration of your service agreement and for 6 years after.

Donation and gift aid data shall be retained for 6 years.

Your name, email address and home address which are used for our mailing lists, and photographs, videos and case studies shall be retained for as long as your consent is in place.

3. What legal basis is applied to the processing of your personal data?

• For the performance of a contract
• Vital Interests
• Legitimate interest
• Consent

4. How is your information stored and accessed?

Your information is stored and processed using St Elizabeth Care Agency internal systems and applications which is accessed controlled and only accessed by registered and approved users.

Users comprise of:
• Employees and volunteer carers of St Elizabeth Care Agency
• Selected and vetted service providers who work on behalf of the care agency – these include IT Services and Facilities providers.
• To emergency services in the event of an emergency
• To medical professionals or other care providers, when we believe that their services could further benefit you – we will only share your information in this instance with your explicit consent

St Elizabeth Care Agency does not transfer your personal data outside of the EEA.

5. How will St Elizabeth Care Agency use your information?

St Elizabeth Care Agency will use your personal information to maintain accurate records for providing care services for you, this includes;
• To provide proper and appropriate care according to your personal care plan and service agreement
• To contact you about details, changes and payments relating to your service agreement
• To keep you updated with news about events and services, via email bulletins and updates
• To keep you updated about fund raising initiatives, results and new campaigns

We do not use your data for automated decision-making or profiling.

6. Sharing your information

St Elizabeth Care Agency will not sell or disclose your information to third parties other than those needed to meet contractual or legal obligations or to protect the vital interests of the data subjects we collect data about. For marketing purposes, we have conducted a Legitimate Interest Assessment.

The information St Elizabeth Care Agency holds about you will only be used for the purposes stated and will be retained in line with the requirements of our retention schedule. St Elizabeth Care Agency may disclose your information to the following third party’s:
• Our services providers to ensure the provision of services and supplies needed to conduct business. Service providers are secured into nondisclosure and data processing agreements and may only access St Elizabeth Care Agency data to carry out their specified purposes.
• To emergency services and medical professionals to protect your vital interests
• To law enforcement agencies to detect and prevent criminal activity - this excludes private investigators. St Elizabeth Care Agency will not disclose Personal Data in this instance.

7. How will St Elizabeth Care Agency protect your information?

St Elizabeth Care Agency uses a range of security techniques to protect Personal Data, these are, but are not limited to;
• Data Protection policy;
• use of encryption techniques;
• control of mobile devices;
• employee cyber security and data protection training program(s);
• robust and up to date anti-malware software;
• secure data disposal;
• access control;
• network monitoring and management.

8. Your Rights

You have several rights regarding your Personal Data, and St Elizabeth Care Agency observes and complies with these rights by ensuring that you can have access, upon request, to any of the data we hold about you. You have other rights regarding your Personal Data that you may exercise if St Elziabeth’s Care Agency has no legal basis to reject your request, these rights are:
• You may object or restrict our handling of your data.
• You may have your data delivered to you in a portable, readable, and useable format.
• You may have your data corrected or updated at any time if you believe the data we hold is incorrect.
• You may have your data erased from our systems when we have no legal reason for retaining it.

Appendix A
The contact information provided below is to enable anyone to exercise their rights regarding their own personal data that we hold or process. If you wish to exercise your rights or make a complaint to us about how your data is handled, as detailed above, please contact our Data Protection Officer DPO on the below email address and we will respond to you within 30 days.

Relevant contact information:
dpo@stelizabethhospice.org.uk 
If you wish to make a complaint about the way St Elizabeth Care Agency handles your data, please contact the Information Commissioners Office (ICO) on the below contact details:
Wycliffe House, Wilmslow, Cheshire, SK9 5AF, Tel: 0303 123 1113 (local rate)
Or you can use the online service which allows you to make a complaint using the online form. You can report a breach, a concern or even just request more information. The ICO online can be found here: https://ico.org.uk/global/contact-us/