We are Severn Hospice, and we are the data controller for the personal data we process.
We provide care and support to people living with incurable illness across Shropshire, Telford and Mid Wales.
References in this notice to Severn Hospice, we, our, or us mean:
Severn Hospice
Registered Charity Number: 512394
Company Limited by Guarantee: 1608025
Registered Office:
Bicton Heath
Shrewsbury
SY3 8HS
This includes our training subsidiaries:
Severn Promotion Company Limited (2973920)
Hospice Projects Limited (2229635)

We are registered with the Information Commissioner’s Office (ICO) under registration number Z6022693.
We have appointed a Data Protection Officer responsible for overseeing data protection compliance: Ben Graham.

Appropriate Policy Document (APD)
When processing special category data, we maintain an Appropriate Policy Document (APD) as required by the Data Protection Act 2018.
The APD explains:

• how we comply with the data protection principles
• the safeguards we apply when processing sensitive data
• our retention and deletion practices

We collect information in several ways depending on how you interact with our services.

Patients
When you are referred to one of our services, we ensure that the person or organisation who refers you gives us enough relevant information to allow us to provide you with the care you need.
We may supplement this information with additional clinical information about you from any relevant previous hospital visits, directly from your GP or from other national NHS systems or other clinical organisations, where appropriate.
As part of your ongoing care, we collect and add information to the patient records that we create about you. This may be through paper-based or digital forms completed by you or staff members, or information given verbally to a member of staff which is then added to your patient records.

Family and Friends of Patients
If you are a family member or friend of a patient, we may collect and process personal information about you where this is necessary to support the patient’s care, involve you appropriately, or communicate with you.
This may include:

• Name
• Relationship to the patient
• Contact details (such as telephone number or email address)
• Information you provide to us when contacting the hospice or engaging with our services
  In some circumstances, we may also record information about your involvement in the patient’s care or support network. Where this information includes health or other special category data about you, it will be treated as special category personal data under Article 9 of the UK GDPR and handled with appropriate safeguards.
  We only collect information about family members and friends where it is necessary, relevant, and proportionate, and we restrict access to authorised staff in line with data protection law and ICO guidance.

Supporters
We might collect information relating to you via our website, a paper-based form, in person, or over the phone.
We may also collect information when you:

• Make a donation
• Register for or attend an event
• Sign up to receive communications
• Participate in fundraising activities
• Interact with us on social media or contact us directly

You may be asked if you are comfortable to have your photograph or video taken at events held by Severn Hospice. We use this footage or imagery to promote and explain hospice care and to gain further supporters in newspaper articles and supplements, magazines, and other media such as websites, information leaflets, presentations, and social media. You are under no obligation to be filmed or to share your images. If you would like to opt out, please let us know.
Please remember that once a piece is published in any format (for example in a newspaper or on a website), it may be copied and used by others. It is possible that the material will be viewed or heard for years to come and by those outside the local area.
For more information about the lawful bases we rely on when processing your personal data, please see the “Lawful Bases for Processing” section of this Privacy Notice.

Staff and Volunteers
You may give us information via a website, intranet, or paper-based form when applying for a role at Severn Hospice, when completing recruitment or volunteer paperwork and checks, and as part of your ongoing employment or volunteer role with us.

We may ask for references.

Sources of Data

We may receive personal information about you from a variety of sources, depending on your relationship with us.

From Healthcare Providers
If you are referred to our services, we may receive information from:

• NHS hospitals
• GPs
• Healthcare professionals
• National NHS systems

From Patients
Patients receiving care may provide contact details for relatives, carers, or friends involved in their care.

From Employers and Government Bodies (Staff/Volunteers)
We may receive information from:

• HMRC (tax codes, national insurance and tax payments)
• UK Government (e.g. DBS checks)
• Referees

From Third Parties
We may receive information from:

• Fundraising platforms (e.g. JustGiving)
• Payment processors
• Mailing houses or fundraising partners
• Suppliers and subcontractors (including technical, print, payment and delivery services and professional fundraising agencies)

From Publicly Available Sources
For fundraising research, we may review information from:

• Companies House
• Land Registry
• The electoral register
• Professional networking sites
• The Post Office’s National Change of Address database
  We may also obtain your personal information from third-party service providers to help us carry out research to identify potential new donors. Where we obtain personal data about you from third parties, we will provide this privacy information within one month, or sooner where required by law. Please see Supporter Profiling section of this privacy notice for more information.

From Fundraising Activity
We might also receive information relating to you from fundraising websites like JustGiving if you are using these portals to fundraise for us, or have supported someone who is fundraising for us.

General Statement
This information is processed only where necessary and in accordance with our Appropriate Policy Document (APD).
Individuals receiving clinical services from Severn Hospice will be described using the terminology of “patient” depending on the service context.

Severn Hospice is what’s known as the ‘controller’ of the personal information you provide to us. We only collect personal information that is necessary for the purposes described in this notice. Where we ask for personal information, we will indicate whether it is required or optional. Providing optional information is your choice

We will usually collect basic personal data about you such as:

• Name
• Postal address
• Telephone number
• Email address

Patients
If you are a patient, we will collect information necessary to provide safe and appropriate care. This may include:

• Date of birth / age
• Gender
• Medical conditions
• Medical history
• Details of clinical interventions
• Summaries of social work support provided
• Emergency contact details of a friend or relative
• Diversity monitoring information – Providing certain diversity monitoring information is optional and is used to help us monitor equality and improve our services

This information is collected to support your care and wellbeing and to ensure our services are delivered safely and appropriately.

Special category data (Article 9 UK GDPR)
Some of the personal data we process is special category personal data, which is given extra protection under Article 9 of the UK General Data Protection Regulation.

• This includes personal data revealing:
• Data concerning health or disability
• Gender reassignment
• Race or ethnic origin
• Religious or philosophical beliefs
• Sexual orientation

Much of the information we process about patients (for example, medical conditions, medical history, clinical interventions and some diversity monitoring information) falls within these categories.
We may also process information relating to sex, pregnancy and maternity, and marriage or civil partnership status. These are not special category data in themselves under Article 9, unless the information also reveals health data or another special category condition.
We only process special category data where it is necessary, where a valid Article 6 lawful basis applies, and where an appropriate Article 9(2) condition is met. We apply additional safeguards and restrict access to authorised staff in line with ICO guidance.

Supporters
If you are interacting with the hospice as a supporter, we collect your personal information in connection with specific activities, this includes giving us donations, taking part in one of our events and signing up as a gift aider when donating goods to one of our charity shops, then we will collect:

• Name
• Postal address
• Telephone number
• Email address
• Diversity Monitoring – Providing certain diversity monitoring information is optional and is used to help us monitor equality and improve our services
• We may also create records about your interests and preferences based on your interactions with us.

Sometimes, for example if you are taking part in an event, we may hold additional details such as:

• Date of birth/Age
• Gender
• Medical conditions
• Emergency contact details of a friend/relative

We will only collect this special category personal data if there is a clear reason for doing so, such as participation in a strenuous event, where we need this information to ensure we provide appropriate facilities and can give support in case of emergency.
If you make a donation or purchase, we may process payment-related information (such as transaction details). Payment card information is processed securely by our payment providers and is not stored by Severn Hospice.

Staff and Volunteers
If you work or volunteer with us, we need to collect:

• Bank details
• Date of birth/Age
• Diversity Monitoring – Providing certain diversity monitoring information is optional and is used to help us monitor equality and improve our services
• Medical information (where necessary)
• Emergency contact details of a friend/relative
• Previous employment details
• Additionally, if you are a Transport volunteer we may collect, as appropriate to your role and with your agreement:
• Driving license details
• MOT details
• Insurance details
• National Insurance number

For certain roles, particularly those involving contact with patients, vulnerable individuals, or access to sensitive environments, Severn Hospice may be required to carry out Disclosure and Barring Service (DBS) checks.
DBS checks may involve the processing of criminal offence data and, in some cases, special category personal data, as defined under the UK General Data Protection Regulation and the Data Protection Act 2018.
We only request DBS checks where they are legally required or necessary and proportionate to the role, and we process this information solely for the purposes of safeguarding, role suitability, and meeting our legal and regulatory obligations.
DBS information is handled with strict confidentiality, access is restricted to authorised personnel, and data is retained only for as long as necessary in accordance with our retention policy.

Website
If you use our website, we may process your IP address as well as certain information regarding the device you are using, e.g., is it a desktop or mobile device and which browser you are using. This may also include online identifiers such as cookie data and information about how you use our website.

CCTV
If you visit one of Severn Hospice’s buildings your image may be captured by our CCTV systems, this is to provision a safe and secure environment for the benefit of those who work at and visit us, and for the protection of our property, and crime prevention. Please see CCTV section of this privacy notice for further information.

All the information you give us is used to make sure we have your details accurate and up to date. We use the basic information you give us to remember who you are so that you don’t have to keep repeating yourself every time you interact with us.

We will only use your personal information for the purposes for which it was collected, unless we reasonably consider that we need to use it for another compatible purpose. Depending on your relationship with us, we use your information for different purposes and in slightly different ways.

We ensure that any use of personal data is proportionate and respects your privacy.

Patient Care
As a patient we use personal information:

• To provide you with the best possible care and support.
• For legal reasons, for example: Regulatory reporting, statutory requirements.
• To contact your next of kin in case of emergency.
• To keep your information up to date and accurate.

We also process patient information in accordance with the Common Law Duty of Confidentiality, which requires healthcare organisations to protect confidential patient information and only use or share it where there is a lawful basis or patient consent.

• maintain medical records
• coordinate care with healthcare professionals
• contact next of kin where necessary.
• Digital communications with patients
• We may use secure systems such as AccuRx for:
• appointment reminders
• secure messaging
• sharing images where clinically appropriate
• video consultations.
• Information shared through these systems may become part of your clinical record.
• Supporting Families and Bereavement Services

We may combine information we hold about you from different clinical sources to ensure our records are accurate and up to date.

During the course of providing care, patients may share contact details for family members, carers, or friends.

Family and Friends, and Bereavement Support
As a relative or friend of a patient that we have cared for we may use information to:

• communicate with you about the patient’s care, where appropriate
• allow you to engage with our various support and bereavement services.
• invite you to attend to free of charge remembrance or memorial events organised by Severn Hospice in memory of your loved ones.

Examples of remembrance events include (but are not limited to):

• Lights of Love
• Journey Through Art

We only contact individuals where their details have been provided in connection with a patient’s care and where it is reasonable to do so.

Individuals can request that we stop contacting them at any time, and we will respect those preferences where appropriate. Individuals will not be contacted if they have requested not to receive such communications.

Fundraising and Supporter Engagement
As a supporter of the hospice, we may use information held about you in the following ways:

• To take a payment from you (for example, if you have purchased an item from us online, if you have booked a place on one of our events, if you have donated using your debit/credit card, if you have signed up to our lottery)
• To claim Gift Aid from the government if you have signed up to the scheme with us
• To code and record transactions against your supporter record on our databases so that we can keep a record of the financial support you have given us (e.g. dates and values of donations).
• To keep a note of your preferences on what and how you want to engage with us. This includes keeping a record of all those supporters who have notified us they do not want any contact from us.
• To analyse the personal information, we collect to create a profile of your interests and preferences so we can better understand our supporters and make appropriate requests to our supporters who may be able and willing to give more than they already do. This profiling does not result in automated decisions that have legal or similarly significant effects on you
• To conduct research to find out more information about our supporters’ and prospective supporters’ backgrounds and interests, and to understand how you engage with us through our website to enable us to improve user experience.
• For administration purposes (for example, we may contact you to provide a receipt for a donation you have made, to send out materials for an event you have registered for, to process an order you have placed, to chase sponsorship payment, or notify you of details relating to your lottery subscription including sending out prizes).
• If you have registered for our Retail Gift Aid scheme, we are legally required to email or write to you if we make a claim.
• To contact your next of kin in case of emergency if you are taking part in a Severn Hospice event
• To raise funds (for example we may send you information about how you can support us, for example, by purchasing raffle tickets, donating to an appeal or volunteering with us) or upgrade your support for Severn Hospice (for example, by changing payment method or donation amount).
• To provide you with information about our work and activities, and to keep you up to date with how your support is helping our patients and those closest to them, this may include communications by post, email, telephone, or other appropriate channels.

We may combine information we hold about you from different internal Income Generation sources to ensure our records are accurate and up to date.

Staff and volunteer management
As a staff member or volunteer we use your information:

• For administration purposes (to manage and fulfil your contract with Severn Hospice).
• For holding records that we are legally required to keep, for example National Insurance, Gender Pay Gap reporting or HMRC requirements
• administer payroll. 
• To contact your next of kin in case of emergency.
• To ask for support at events or with other fundraising activities
•  To keep your information up to date and accurate.
•  To demonstrate compliance with government mandates

For more information about the lawful bases we rely on when using your personal data, please see the Lawful Bases for Processing Personal Information section of this Privacy Notice.

In some circumstances, Severn Hospice may provide support to children and young people, for example through our Social Work services. 

For children under the age of 13, we obtain consent from a parent or legal guardian before collecting any personal data directly from the child. Parents or guardians can review, correct, or withdraw consent at any time by contacting us. 

Where services are provided directly to children or young people, their personal information will be processed in accordance with our Children’s Privacy Notice, which explains in more detail how we collect, use and protect children’s personal data. 

The Children’s Privacy Notice can be accessed here: 

Parents, guardians and young people can review this document for information about how children’s data is handled. 

Additional Safeguards for Children’s Data
We take additional care when processing children’s personal data. 

Do Not Contact Status
Records relating to individuals under 18 will be marked “Do Not Contact” for marketing communications once they reach the age of 14. 

Donations from minors
We do not accept donations via our website from individuals under the age of 18. 

Retention
Children’s personal data is retained in accordance with our standard retention policy, typically 3–7 years depending on the activity. 

Re-engagement at age 18
If someone who previously interacted with Severn Hospice as a child re-engages after turning 18, a new record will be created to ensure consent and communication preferences are collected as an adult. 

If you interact with Severn Hospice through our charity shops, we may collect information including:

• name
• address
• email address
• telephone number

This information may be used to:

• administer Retail Gift Aid (in accordance with HMRC requirements)
• contact you regarding your Gift Aid declaration
• communicate about Severn Hospice’s work and fundraising activities

Lawful bases for processing and communication include consent for email marketing and legitimate interests for postal and telephone communications.

Where we rely on legitimate interests, we ensure that we balance our interests against your rights and expectations. We take steps to ensure these communications are expected, proportionate, and easy to opt out of at any time.

For more information about the lawful bases we rely on when using your personal data, please see the Lawful Bases for Processing personal Information section of this Privacy Notice.

Our website uses cookies and similar technologies to improve user experience and understand how visitors use our website. 

Cookies may collect information such as: 

• IP address 
• device type 
• browser type 
• pages visited 
• time spent on pages. 
• We may use analytics tools such as Google Analytics to help us understand website performance. 
• Cookies may be used for: 
• website functionality 
• performance monitoring 
• visitor analytics. 

You can manage your cookie preferences through your browser settings or via the cookie controls provided on our website. 

Non‑essential cookies, such as analytics cookies, are only used with your consent.

For more information please see our Cookie Policy:

Severn Hospice uses Closed Circuit Television (CCTV) systems at our premises, including our hospice sites, car parks and charity shops.

CCTV is used for the following purposes:

• ensuring the safety and security of patients, visitors, staff, and volunteers
• protecting our premises, property, and assets
• preventing and detecting crime
• supporting investigations where incidents occur

Lawful basis for processing
We process CCTV footage on the basis of our legitimate interests, specifically to maintain the safety and security of our premises and the people who use them. We ensure that these interests are balanced against your rights and freedoms.

Use and sharing of CCTV footage
CCTV footage is only accessed by authorised staff and is not routinely monitored.

Footage may be shared with:

• the police or other law enforcement agencies where necessary for the investigation or prevention of crime
• our insurers or legal advisers where required in connection with a claim or legal matter
• other parties where required by law or court order

Retention
CCTV footage is normally retained for a limited period of time (typically up to 30 days), unless it is required to be retained for longer for the investigation of an incident, legal claim, or regulatory purpose.

Signage
Where CCTV is in operation, appropriate signage is clearly displayed so individuals are aware they are being recorded.

Your rights in relation to CCTV
Images captured by our CCTV systems may constitute personal data where individuals can be identified. You have the right to request access to CCTV footage of yourself, and in certain circumstances to request its deletion or restriction of processing. To exercise your rights in relation to CCTV footage, please contact us using the details in the “Your rights” section of this Privacy Notice. Requests will be handled in accordance with data protection law, and we may need to verify your identity and clarify the date, time, and location of the footage requested.

We will only process personal data where we have a lawful basis under Article 6 of the UK GDPR. The lawful basis we rely on depends on the purpose for which we use your information, and in some cases more than one basis may apply.

Legitimate interests
We process personal data where it is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and freedoms.

• We carry out a Legitimate Interests Assessment (LIA) to ensure a fair balance.

This basis is used for:

• Providing hospice care and support services
• Fundraising and supporter engagement
• Maintaining accurate records
• Improving our services

You can request more information about our legitimate interests by contacting us.

Contract
We process personal data where it is necessary to:

• perform a contract with you; or
• take steps before entering into a contract

This includes:

• Employment and volunteer arrangements
• Event bookings and participation
• Service-related agreements

Legal obligation
We process personal data where necessary to comply with legal obligations, including:

• Reporting to HM Revenue & Customs (HMRC)
• Charity Commission requirements
• Employment and payroll obligations
• Financial and statutory reporting

Consent
We rely on consent where required by law.

This includes:

• Sending electronic marketing communications (e.g. email and SMS)
• Certain uses of special category data

You can withdraw your consent at any time by contacting us at using the information at the end of this privacy notice, by emailing us at information@severnhospice.co.uk or by using the unsubscribe link in our electronic communications. Withdrawal does not affect the lawfulness of processing before consent was withdrawn.

Special Category Data
Special category data is more sensitive personal data and includes information about:

• Health
• Disability
• Race or ethnic origin
• Religion or beliefs
• Sexual orientation
• Gender reassignment
• Genetic and biometric data

We will only process special category data where:

• a lawful basis under Article 6 applies; and
• a condition under Article 9 UK GDPR is met

Article 9 conditions we rely on:

Health and social care (Article 9(2)(h))
Processing is necessary for the provision of health or social care and treatment.

Employment and social protection (Article 9(2)(b))
Processing is necessary to meet obligations under employment and social security law.

Vital interests (Article 9(2)(c))
Processing is necessary to protect someone’s life where they are unable to give consent.

Substantial public interest (Article 9(2)(g))
Processing is necessary for equality monitoring and ensuring fair access to services.

Consent (Article 9(2)(a))
Where required, we will ask for your explicit consent.

Purposes and lawful bases for processing personal data
The table below summarises the purposes for which we process personal data, the types of data used, and the lawful basis relied upon.

*Providing equality and diversity information that is not required for the provision of care is optional. Where provided, it is used in anonymised or aggregated form to help us ensure our services are fair, accessible, and inclusive for all.

Safeguards
We apply appropriate safeguards when processing personal data, particularly special category data, including:

• Restricting access to authorised personnel
• Applying technical and organisational security measures
• Ensuring data is only used for specified, necessary purposes

Automated Decision-Making
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on individuals.

Important Information

• More than one lawful basis may apply depending on the context
• You have the right to object to processing based on legitimate interests
• You can withdraw consent at any time where we rely on it

No information given to our medical services, of you or your family members, will be processed in order to send you marketing materials.

Friends and family members identified by patients under the care of Severn Hospice may be invited to free of charge memorial services to celebrate their loved ones. Unless they have previously requested not to be contacted for this reason.

Please note, if you also interact with the Hospice as a supporter, you may receive marketing information via that channel.

Keeping in touch with our supporters is really important to us because it means, together, we can help more local people with incurable illnesses. Occasionally we like to keep our supporters posted with our news, appeals and ways they can support our work.

Sometimes, with your explicit consent, we will contact you using your email address to provide you with information about our work and/or ways you can support us.

Where you have provided your postal address, we may send you information about our work and/or ways you can support us by post unless you have told us that you do not wish to receive such information in this way.

We will only contact you for marketing purposes by telephone if you have not opted out from receiving such communications. We screen against the Telephone Preference Service (sometimes known as TPS) and if you are listed, we will not contact you in this way.

We rely on the legitimate interest legal basis for some of our processing for marketing purposes. This applies to the following:

• Where you are an existing supporter and we are contacting you by post and/or telephone about our news, appeals and other ways you can support our work.
• We consider that we have a legitimate interest in continuing to contact you by post and/or telephone once you have provided your details and there is no overriding prejudice to you or your rights by our use of the data in this way and for these purposes subject always to our carrying out appropriate checks with the relevant preference services.

We comply with the Code of Fundraising Practice, which governs charitable fundraising in the UK. 

We may contact supporters: 

• by email where consent has been given 
• by post where we rely on legitimate interests 
• by telephone where individuals have not opted out and checks are made against the Telephone Preference Service. 

Supporters can update communication preferences or opt out at any time, and doing so will not affect your access to care or services. We maintain a suppression list to ensure we do not contact individuals who have opted out.

In short: we use limited profiling to make our fundraising more effective and communications more relevant. You can object at any time.

We may carry out research and profiling to see if we can find new supporters who want to support and build a relationship with us. We also undertake research on existing supporters to see who may be well placed to provide additional financial or other support.

We may carry out research to create a profile of your interests, preferences, and ability to donate. At Severn Hospice, our work is only made possible thanks to the generosity of our supporters, so it’s vital that our fundraising efforts are as effective as they can be. By developing a better understanding of our supporters through researching them, including using publicly available sources, we can tailor and target our fundraising events and communications to those most likely to be interested in them. This enables us to make appropriate requests to those who may be willing and able to make a donation to us, donate more than they already do, or leave a gift in their will, and allows us to be more efficient and cost-effective with our resources and in the way that we raise funds. It also helps to ensure communications are relevant and timely and reduces the risk of someone receiving information that they might find irrelevant, intrusive, or even distressing, so that we can provide an improved experience for our supporters.

Profiles created through this process are based on analysis and reasonable inference. They are not definitive assessments of individuals and do not determine any legal or similarly significant effects.

Our Fundraising Team uses information that is already in the public domain (information that has been published in print or online) to identify high net worth individuals who may be interested in supporting our work with a major gift. This might also include estimating their gift capacity, based on their job or assets, history of charitable giving and how connected they are to Severn Hospice.

The publicly available sources of information we use may include Companies House, the electoral register, the phone book, the Charity Commission’s Register of Charities, Who’s Who, LinkedIn, company annual reports, and articles in newspapers and magazines. We do not use publicly available sources which we consider would be intrusive for this purpose, such as Facebook, X, JustGiving, genealogy websites, photograph sharing sites, or websites that are like these.

We also carry out research to identify existing supporters who may be able to join our major donor programme. This is based both on publicly available information, and information our supporters have given us (e.g. where a person lives, who they bank with, what their occupation is and their age).

We may from time to time engage a specialist third party prospect research company or consultant to assist us with our research. We always ensure that we have the appropriate contracts and processes in place with third parties in order to protect people’s personal data.

Where we use third party providers or publicly available data, we ensure that processing is proportionate, limited to what is necessary, and subject to appropriate contractual and security safeguards.

In order to process your personal information in this way, we rely on the lawful basis that doing so is in our legitimate interests and that these interests are not overridden by your rights and freedoms. In particular, we have a legitimate interest in being able to identify potential donors and to raise funds in order to support and further our services. We carry out Data Protection Impact Assessments for profiling activities.

You have the right to object to the processing of your personal data, including profiling carried out on the basis of legitimate interests. If you object, we will stop processing your data for this purpose unless we can demonstrate compelling legitimate grounds which override your rights and freedoms.

We are committed to ensuring you have control over your personal data. You may also ask us to restrict or stop profiling activity at any time.

We’re committed to you as much control over the data we collect as we can, and you have the right to object to profiling based on legitimate interests, or to opt out from us using your data for this activity at any time by contacting us at information@severnhospice.co.uk or by calling 01743 236565 and asking for the Information Governance Team.

We are also legally required to carry out checks on individuals who give us large donations, to comply with our duties in respect of anti-money laundering legislation and the prevention of fraud. Where such checks are carried out, this is done solely for compliance purposes and is not used for marketing or fundraising profiling.

 We will treat your information with the utmost care and will never sell or rent your personal information to other organisations.

As a patient, we will only share your information where it is appropriate and necessary to provide you with, or further your existing patient care.

As a member of staff, we are legally obliged to share certain pieces of information, for example to allow us to perform DBS checks or when sending payroll information to HMRC.

As a supporter, we may share your information with selected third parties such as suppliers including professional fundraisers, printers, mailing houses, and sub-contractors for the performance of any contract we enter into with them or you. We require such suppliers and any third party that processes data on our behalf to sign a legally binding contract that requires them to process personal data only on our instructions, keep it secure, and comply with data protection law.

Images captured from our CCTV systems will only be shared with police forces in relation to the investigation of a crime, or where a valid subject access request or legal requirement applies.

Regardless of our relationship with you, we may also share your personal information in the following circumstances:

• with your consent, or as otherwise disclosed at the time of data collection
• with contractors, suppliers, or other third parties that provide services on our behalf (including website hosting providers and organisations we use to conduct research on potential donors)
• where a contractor, supplier, or data processor we use is acquired by, merges with, or transfers its business to another organisation, in which case personal data may be transferred to the new provider or owner, subject to equivalent data protection safeguards
• as part of a transfer of services, functions, or data to or from the NHS or another health or social care provider, or other organisational restructuring where services are moved between providers (for example where a service is commissioned by or transferred to an NHS Trust or integrated care system)
• where required by law, regulation, court order, or other legal or regulatory process, or to protect our rights, property, or the rights and safety of others
• with our professional advisors, including lawyers, accountants, and auditors; or
• with your consent, or as otherwise disclosed at the time of data collection

Some of our third-party service providers may process personal data outside the United Kingdom.

Where this occurs, we ensure that appropriate safeguards are in place to protect your personal data in accordance with UK data protection law. These safeguards may include:

• UK adequacy regulations (where the destination country has been deemed to provide adequate protection)
• UK International Data Transfer Agreements (IDTA)
• Standard Contractual Clauses (SCCs) approved under UK law
• Additional technical and organisational security measures such as encryption and access controls

Where personal data is transferred outside the UK, we take reasonable steps to ensure it is treated securely and in line with this Privacy Notice. We regularly review our international transfer arrangements to ensure they remain compliant and appropriate.

At Severn Hospice we are committed to respecting and protecting your privacy, any information you provide to us is stored securely with strict procedures, technical and physical security features in place to try to prevent unauthorised access.

All staff receive regular data security training and all contracts, including staff, volunteers, suppliers, and software vendors, have data security clauses contained within them.

We use appropriate organisational, technical, and physical safeguards to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage, in line with Article 5(1)(f) of the UK GDPR. These includes:

• staff training
• access controls
• secure IT systems
• contractual data protection obligations with suppliers and processors

While we seek to use appropriate organisational, technical, and administrative measures to protect personal information within our organisation, unfortunately no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us using the details set out at the bottom of this notice.

All our security is regularly tested and audited, however no service can be completely secure, if you have any concerns or questions about our security then please do not hesitate to get in touch. If you have questions about our security, please email security@severnhospice.org.uk or call 01743 236565

We only collect and process personal information that is adequate, relevant and limited to what is necessary for the purposes for which it is processed, in accordance with Article 5(1)(c) of the UK GDPR.

This means we do not collect personal data “just in case” and we regularly review the information we hold to ensure it remains appropriate and proportionate. Where personal data is no longer needed for its original purpose, we take steps to delete or anonymise it.

We take reasonable steps to ensure that the personal information we hold about you is accurate and, where necessary, kept up to date, in accordance with Article 5(1)(d) of the UK GDPR.

You are encouraged to inform us if any of your information changes or if you believe the information we hold about you is incorrect or incomplete. Where we become aware that personal data is inaccurate or misleading, we will take reasonable steps to correct or update it without delay.

You also have the right to request the rectification of inaccurate personal data, and we will consider and respond to such requests in line with data protection law. Please see Your Rights section of this privacy notice for further information.

All of this means:

• Where appropriate, we rely on individuals to notify us of changes to their personal information, and we update records accordingly.
• We only collect personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.
• We do not collect or retain more personal data than we need.
• We take reasonable steps to ensure personal data we hold is accurate and kept up to date.

We have procedures in place to deal with any suspected personal data breach.

Where a breach is likely to result in a risk to individuals’ rights and freedoms, we will:

• report it in line with the NHS Data Security and Protection Toolkit (DSPT) requirements where applicable;
• report it to the Information Commissioner’s Office where required; and
• notify affected individuals where we are legally required to do so.

We also carry out Data Protection Impact Assessments where processing is likely to result in a high risk to individuals, and use these to identify and reduce risks before processing begins.

DPIAs help us to:

• identify and assess privacy risks
• reduce risks through appropriate safeguards
• ensure compliance with data protection law
• support accountability and transparency

Examples of processing activities where we may carry out DPIAs include profiling, processing of special category data at scale, and the use of new technologies or systems.

We are committed to maintaining the security and privacy of your medical records in compliance with all applicable laws and NHS and Social Care regulations.

We keep your personal information for as long as is necessary and in accordance with all legal information, taxation and accounting rules and regulations.

Please see the table below to see how long we will keep your personal information for:

You have a number of rights under data protection law in relation to your personal information. These rights help you understand and control how we use your data.

You have the right to:

• Access your personal data (commonly known as a Subject Access Request)
• Rectify inaccurate or incomplete information
• Erase your data (in certain circumstances)
• Restrict how we process your data
• Object to processing based on legitimate interests or for direct marketing
• Data portability – request that your data is transferred to you or another organisation
• Withdraw consent at any time where we rely on consent (for example, marketing communications)

How to exercise your rights

To make a request, please contact us:

Email: Information@severnhospice.org.uk

Post: FAO Information Governance, Severn Hospice, Bicton Heath, Shrewsbury, SY4 3HX

Phone: 01743 236565

Please include:

• the right you wish to exercise
• details of the information your request relates to (if known)

We may request proof of identity to protect your personal information.

You can also submit a Subject Access Request using our online form:

Timescales and limitations
We will respond to your request within one month. Where requests are complex or numerous, we may extend this by up to two further months in line with data protection law. If this happens, we will let you know within the first month.

In some cases, we may not be able to fully comply with a request. This may be because:

• we are required by law to retain certain information
• an exemption under data protection law applies
• the information is needed for clinical, legal, or safeguarding purposes

Where this applies, we will explain our decision.

Deceased patients’ records
Requests for access to records of deceased individuals are considered under the Access to Health Records Act 1990. These are assessed case by case and will only be granted where there is a legal right of access, such as a personal representative or someone with a claim arising from the death. Supporting documentation may be required.

Complaints
If you are unhappy with how we handle your personal data, please contact us in the first instance so we can resolve your concern.

If you are still dissatisfied, you can complain to the Information Commissioner’s Office (ICO):

Website: https://ico.org.uk/make-a-complaint/

Helpline: 0303 123 1113

 At Severn Hospice, we comply with the National Data Opt-Out. This allows you to choose whether your confidential patient information is used for research and planning purposes.

To find out more or to make your choice, please visit:

https://www.nhs.uk/your-nhs-data-matters

If you are happy for your confidential patient information to be used for research and planning, you do not need to do anything.

Any choice you make will not affect your individual care or treatment.

If you would like to discuss anything in this privacy notice or exercise your rights under data protection law, please contact us using the details below:

Email: information@severnhospice.org.uk

Write to us: FAO Information Governance, Severn Hospice, Bicton Heath, Shrewsbury, SY3 8HS

Please include your name, if applicable any reference number, and a contact telephone number so that we can get back in touch with you easily.

Telephone: 01743 236565

Phone lines are open Monday to Thursday from 9am to 5pm, Friday 9am to 4pm. Outside of these hours if you leave a message and a contact number and someone will return your call on the next working day.

Data Protection Officer contact details:

Name: Ben Graham,

Email: information@severnhospice.org.uk and start subject line with FAO Data Protection Officer.