How we respect privacy when we deal with personal information collected by our organisation

Who we are:
Epsom and St Helier Hospitals Charity is a data controller. Our address for communications is:
Epsom Hospital
Dorking Road
Epsom
KT18 7EG
Our telephone number is 01372 735 735

The Epsom and St Helier Hospitals Charity is a registered charity (registered number 1049197).

We exist to raise funds and receive donations for the benefit of the patients and staff of Epsom and St Helier University Hospitals NHS Trust. The trust board is the Corporate Trustee of the Charity.

We take the principles of data minimisation and removal seriously and have internal policies in place to ensure that we only ever ask for the minimum amount of data for the associated purpose and delete that data once it is no longer required.

This privacy notice sets out how Epsom and St Helier NHS Charitable Fund (also known as Epsom and St Helier Hospitals Charity, and referred to throughout this policy as ‘the Charity’) uses and protects any personal information that you give to the Charity.

If you have any comments or questions about this notice, feel free to contact the Fundraising Team at esth.fundraising@nhs.net / 01372 735 735 or our Data Protection Officer at paul.kenny@nhs.net / 020 8296 2244.

1. Personal data that we process and the Lawful basis for processing

The following table explains the types of data we collect and the legal basis, under current data protection legislation, on which this data is processed.

| Purpose | Data Categories (key elements) | Lawful Basis |
| --- | --- | --- |
| Enquiring about our organisation and its work | Name, email, phone number, age, gender, message | Legitimate interests – it is necessary for us to read and store your message so that we can respond as appropriate. |
| Subscribing to email or campaign updates about our work | Name, email, phone number, age, gender, message | Consent – you have given your active consent which you can withdraw at any time. |
| Making a donation and/or signing up for Gift Aid | Name, email, address, telephone number, age, gender, payment information, size (for promotional clothing), message | Legitimate interests – this information is necessary for us to fulfil your intention of donating money and for us to fulfil our legal and financial responsibilities and reporting. |
| Registering for events | Name, email, address, telephone number, age, gender, payment information, size (for promotional clothing) | Legitimate interests – it is necessary for us to read and record your interest or commitment in participating in an event. Contract – by paying fees you have entered into a contractual relationship with us which will be clearly set out in terms and conditions for each event and which will enable us to run our events and fulfil our legal responsibilities and for financial reporting. |
| Website functionality | Website activity collected through cookies | Legitimate interests – it is necessary for us to store a small amount of information, usually through cookies, to deliver personalized functionality and to help us ascertain the effectiveness of our website. |

2. How we use your data

We will only use your data in a manner that is appropriate considering the basis on which that data was collected, as set out in the table at the top of this policy. For example, we may use your personal information to:

  • reply to enquiries you send to us;
  • handle donations or other transactions that you initiate;
  • where you have specifically agreed to this, send you marketing communications by email relating to our work which we think may be of interest to you;
  • link records to create groups based on family members, friends, colleagues or membership of organisations;
  • carry out anonymised aggregated data profiling to help us improve our operations and marketing.

Please note when you send an email:

  • Please note that we may use email monitoring or blocking software.
  • You have a responsibility to ensure that any email you send to us is within the bounds of the law.
  • Please note that emails sent to us may not be secure in transit, that we cannot take any responsibility for the security of your email before it is received by the Trust and we may choose not to reply via email if we have concerns regarding confidentiality and/or security.
  • If you email us or give us your email address then you accept that we may communicate with you via email.
  • Email is not a guaranteed delivery service – if your communication is important please confirm we have received it by other means.

3. When we share your data

We will only pass your data to third parties in the following circumstances:

  • you have provided your explicit consent for us to pass data to a named third party;
  • we are using a third party purely for the purposes of processing data on our behalf and we have in place a data processing agreement with that third party that fulfils our legal obligations in relation to the use of third party data processors; or
  • we are required by law to share your data.

In addition, we will only pass data to third parties outside of the EU where appropriate safeguards are in place as defined by Article 46 of the General Data Protection Regulation.

4. How long we keep your data

We take the principles of data minimisation and removal seriously and have internal policies in place to ensure that we only ever ask for the minimum amount of data for the associated purpose (see Sections 1 and 2) and delete that data once it is no longer required.

We will hold your personal information on our systems for as long as is necessary for the relevant activity. For example, we will keep a record of donations subject to Gift Aid for at least seven years to comply with HMRC rules.

If you request that we stop sending you marketing materials we will keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us.

Upon request we will delete your personal data from our systems (known as ‘Right to be Forgotten’), to the extent that we are permitted to by law or regulatory guidelines.

5. Rights you have over your data

You have a range of rights over your data, which include the following:

  • Where data processing is based on consent, you may revoke this consent at any time and we will make it as easy as possible for you to do this (for example by putting ‘unsubscribe’ links at the bottom of all our marketing emails).
  • You have the right to ask for rectification and/or deletion of your information.
  • You have the right to be informed about how we collect and use your data.
  • You have the right of access to your information.
  • You have the right to object where the processing is based on legitimate interests, including profiling; direct marketing, including profiling; and processing for the purposes of statistics. You must have an objection based on ‘grounds relating to your particular situation’. We will stop processing your information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
  • You have the right to restrict the processing of your data – you may request a restriction verbally or in writing. This is not an absolute right and will depend on the circumstances of the request. The length of time the restriction will apply for will depend on the circumstances of your request, and if you restrict our processing of your data we are permitted to store the personal data but not use it. We would respond to your request within one calendar month.

If you would like to access the rights listed above, or any other legal rights you have over your data under current legislation, please get in touch with us.

6. Cookies & usage tracking

A cookie is a small file of letters and numbers that is downloaded on to your computer when you visit a website. Cookies are used by many websites and can do a number of things, eg remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website.

Where cookies are used to collect personal data, we list these purposes in section 1 above, along with other personal data that we collect. However, we also use some cookies that do not collect personal information but that do help us collect anonymous information about how people use our website. We use Google Analytics for this purpose. Google Analytics generates statistical and other information about website usage by means of cookies, which are stored on users’ computers. The information collected by Google Analytics about usage of our website is not personally identifiable. The data is collected anonymously, stored by Google and used by us to create reports about website usage. Google’s privacy policy is available at http://www.google.com/privacypolicy.html.

7. Social Media

When you use our website or interact with our social media presence (eg Twitter, Instagram and Facebook) your data (e.g. comments, likes, reviews) may be visible to providers of social networking services and their users.

We suggest that you review the privacy and security settings of your social media accounts to ensure you understand how your data may be shared and used.

Information on visitors to the website is collected by Google Analytics, which collects information on pages visited, length of visit, URL and search terms of referring sites, your browser’s capabilities, and your IP address. Google will not associate this with any other data held by Google. You can opt out of Google Analytics with their opt-out browser add-on or any of a number of third party privacy extensions for your browser.

We do analyse the server log files which contain details of the Internet address (IP address) of computers using the site, pages looked at, the times of day and the type of web browser used. None of this information is linked to individuals.

8. Mailing lists

We may ask you if you would like to be added to one of our mailing lists in order for you to receive information on our activities and other information we feel may be of interest to you.

You can stop receiving such communications at any time by letting us know and this will be made clear when you sign up.

9. Children’s Data

In England, Northern Ireland and Wales, a child is someone who has not yet reached their 18th birthday.

Therefore, children under 18 can fundraise, participate in events and receive our general communications (newsletters and emails) only with the consent of their parent or guardian for each individual activity.

Their data will be held on file only for the smooth processing and administration of that activity. When the activity is completed or expires, their record will be deleted unless we have the consent of the parent or guardian to retain the information via our notification to keep it.

For example, this may be to thank a child for any fundraising they may have undertaken or to ensure effective administration of their participation in an event we have organised.

The consent of the parent or guardian or the child themselves can be withdrawn at any time.

10. Modifications

We may modify this Privacy Notice from time to time and will publish the most current version on our website. If a modification meaningfully reduces your rights, we will notify the people whose personal data we hold and who are affected.

11. Complaints

If you feel that we have not adequately dealt with your complaint regarding how we process your information you can raise the issue with the Information Commissioner who is the supervisory authority for the United Kingdom (the Regulator) at the address below:

Information Commissioner’s Office
By phone: 0303 123 1113
By letter: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By email: casework@ico.org.uk
Website: ico.org.uk