Privacy Notice for Service Users
Who we are
Willen Hospice is a registered charity that provides specialist care for people whose illness no longer responds to curative treatment (also known as specialist palliative care). We provide specialist end-of-life care for adults, focusing on four key areas: specialist symptom control, emotional support, spiritual support and care for carers.
Willen Hospice (also known as the Hospice of Our Lady and St John) is registered under charity No. 270194 and is a company registered in England and Wales with Company No. 1231909.
Under Data Protection Legislation, Willen Hospice is the Data Controller in respect of all personal data processed by us in the course of us providing services to you.
Our contact details
Address: Willen Hospice, Milton Road, Willen Village, Milton Keynes, MK15 9AB
Personal data is any information that can be used to identify you. It can include name, address, phone number, email address, NHS numbers and medical information. The processing of personal data by organisations is governed by the Data Protection Act 2018 and the EU 2016/679 General Data Protection Regulation (GDPR). Collectively we call these two ‘Data Protection Legislation’.
We take your privacy seriously and we will only use the information we collect about you lawfully. This Privacy Notice sets out how we use your personal data.
What information we collect and how we collect it
If you are referred to us to be cared for as a patient, we will collect information about you from your GP or other health professional.
Example. If you are referred to us by a Milton Keynes GP, your personal information, such as your name, contact details, date of birth, NHS number and medical history will be made available to us through a computer system known as SystmOne. This is your Electronic Patient Record.
Example. If you are referred to us by a GP or other health professional that does not have access to your Electronic Patient Record, your personal information, such as your name, contact details, date of birth, NHS number and medical history will be passed to us manually on paper or by email.
We will collect personal data from you directly when you interact with us.
Example. If we are caring for you as a patient or supporting you as a carer, we will record how you are feeling, physically or emotionally on our records. If you are receiving spiritual support from our chaplain, we may record key points of discussions that take place.
Example. If you come to the Hospice as a visitor, we will ask for your name and car registration details.
If you are a relative or carer we may collect information about you from one or more sources.
Example. Your name and contact details may be provided to us by your relative for whom we are caring. We may also be given this information through the Electronic Patient Record.
What do we use your data for?
Primarily we process your data to provide care to you.
Example. If you are a patient, we use personal data such as your medical history in order to determine the best care plan for you and to provide such care.
Example. If you are a relative of a patient, we use personal data such as your name and address to offer you support.
Sometimes we use your data to contact you in case or urgent need.
Example. If you are a relative of a patient, we may use personal data such as your name and phone number to call you if there is a change in the health of your relative.
We may process your personal data for safety purposes.
Example. If you are a visitor to the Hospice we may use your car registration to identify you in case your vehicle needs to be moved in order to provide access for emergency vehicles.
From time to time we may process your personal data to invite you to events that we believe may be of interest to you.
Example. When one of your relatives dies whilst under our care, we will use your name and address to invite you to attend one of our memorial events.
We may also use your personal data to inform you of our fundraising activities, if you have given us permission to do so.
Example. If you attended one of our memorial services and gave us written consent, we may email you with details of our Tree of Life.
How do we process your data?
Patient records are stored in an NHS database called SystmOne. At various stages of patient care, information is downloaded from SystmOne onto paper for clinical use. These paper forms may have other information added by clinical staff after which the new information is transferred back to SystmOne and the paper shredded. Personal data belonging to carers and family members is stored electronically within the Hospice system or on paper.
The lawful bases of our processing
Data Protection Legislation sets out a number of reasons, or lawful bases, for which organisations may collect and process personal data. The law allows for six different lawful bases in total but only three are relevant to Willen Hospice’s Service Users.
1. Personal data is processed on the basis of it being a Legitimate Interest of Willen Hospice.
Example. You are a patient, family member or a carer. It is a Legitimate Interest of Willen Hospice to provide care to you. To provide such care it is necessary to process personal information such as your name, contact details, NHS number and medical information. This would also apply to you if you are a child being supported by our Patients and Family Services team.
Example. Your close friend or relative is one of patients. We believe it is a Legitimate Interest to be able to contact you in case of urgent need. We will record your name and contact details. You can ask us to stop processing this information at any time.
2. Personal data is processed on the basis of a Legal Requirement.
Example. You are a visitor to our Hospice. Under law, we have a duty of care to you whilst you are on our premises. This is why we ask you to enter your name into our Reception sign-in tablets when you arrive. We then know you are in the Hospice in the event of an emergency.
3. Personal data is processed on the basis of Consent.
Example. You are a patient being cared for by our Lymphoedema team. Sometimes the team would like to take photographs for training purposes. You may withdraw consent at any time.
Data Protection Legislation prevents the general processing of Special Category data such as Health data or ethnicity unless the purpose is one of a number of exceptions.
Example. As a patient being cared for by us, we make notes about your health so that we can decide how best to care for you. This purpose meets one of the exceptions which states that we can process your personal data if it is necessary for the provision of health care.
Your rights in relation to the personal information we hold about you
Data Protection Legislation gives you certain rights over the personal data held by organisations.
1. Right to be informed. You have the right to be told how your personal information will be used. This Privacy Notice, and shorter summary statements used in our communications, provide you with information regarding the type of personal data we collect, how we collect it and how we use it. If you would like further information, please email firstname.lastname@example.org.
2. Right of access. You may contact us to ask what personal information we are holding about you and to request a copy of that information. You must provide proof of your identity by sending us two pieces of approved identification. We have a month to comply with your request once we are satisfied that you have the right to see the requested records and have successfully confirmed your identity.
3. Right of rectification. You may ask us to correct any personal data where it is incomplete, incorrect or where it is out of date.
4. Right of erasure. You may request that we delete the information we hold about you. If there is no overriding legal reason why we cannot do that (for example, if you are a patient, we are required to keep medical records for a certain length of time) we will delete your record. We may suggest keeping basic details for a suppression list, to prevent us contacting you again, rather than complete deletion.
5. Right to restrict processing. In some situations, you have the right to ask for the processing of your personal data to be restricted, perhaps because you disagree with its accuracy or legitimate usage. We will still hold the data, but will not use it, until the restriction is lifted following the resolution of the disagreement.
6. Right to data portability. In some circumstances you can ask us to provide your personal data in an electronic form. This only applies to information processed under Consent or for the performance of a Contract so is unlikely to apply to many service users. It also only includes personal data that you have provided to us and is held in a system.
7. Right to object. You may object to the processing of your information for direct marketing purposes and in some other cases.
8. Right to automated decision making. Willen Hospice does not process information in way that would allow this right, therefore this does not apply to personal data held by us.
Who do we share your information with?
We share the personal data stored in your Electronic Patient Record with your GP. They already have most of the information but will have access to any additional information we have added during your time with us.
Example. If you are a patient being cared for by one of our clinical teams we will add health data to your medical record. This health data will be visible to your GP and any other health professional to whom you have been referred.
We share personal data with other organisations who are or will be involved in your care.
Example. We may share your name, contact details, date of birth, NHS number and medical information with Milton Keynes Urgent Care Services (part of Milton Keynes Council), should your condition warrant such a referral.
A limited amount of your personal data may be shared between Willen Hospice and Willen Hospice Ventures Limited.
Example. If you consent to hear more from us about our wider activities, we will pass your name and contact details to Willen Hospice Ventures Limited who will add this information to our supporter database.
Sometimes information is passed to third parties in order to provide services to you. These third parties are governed by contracts that ensure your rights and freedoms under Data Protection Legislation are protected.
Example. If you visit the Hospice you will be asked to enter your name and car registration number into our Visitor Sign-in System. This information is stored on a database belonging to the service provider, Teamgo, in Australia.
Example. If you are being cared for by our Lymphoedema team, your name and NHS number may be provided to one of our garment manufacturers in order for them to correctly manufacture and deliver the item.
We never sell or otherwise provide your personal data to any other third party organisations.
Retention period for your personal data
The law requires that we keep your personal data for no longer than necessary. The length of time each category of data is held by us varies according to the purpose for which it was collected.
Sometimes there are legal reasons that state a specific period of time.
Example. The Department of Health Records Management NHS Code of Practice states that hospital records must be kept for ‘8 years after the conclusion of treatment or death’.
Other data is removed from our systems in line with our retention policy.
Example. You attend one of our memorial services. Your name and contact details will be retained until after the next memorial service a few months later.
The security of your data
We maintain a high level of physical and electronic security in relation to the collection, storage and processing of your personal data. The Electronic Patient Record is protected by both passwords and smart cards issued only to authorised members of staff. We constantly review security measures and update where necessary. Personal data in all our databases is only accessible by appropriately trained employees and volunteers who need to access your personal data as an essential part of their role. All access is tracked through individual login credentials.
Paper records containing personal data of patients and other service users are stored in locked offices only accessible by those members of staff directly involved in providing services.
We process the Personal Data of children and young people (under the age of 18) when we provide support under our Patients and Family Services Team. We apply the same protections and safeguards as for other service users as described above. The rights of children are identical to the rights of adults.
Example. You’re aged 8 and we have been asked to offer you help because a relative of yours is very ill. We will keep a note of your name, address and phone number in order to contact you. We will also write down how you are feeling during the time we are helping you.
In the first instance please talk to us so that we can try and resolve the problem. If you wish to complain about the way we collect, store or use your personal data, please write to us:
If we are still unable to resolve your complaint you may also complain to the Information Commissioner’s Office on 0303 123 1113.
Changes to this Privacy Notice
We review and improve our procedures regularly and may update this Privacy Notice from time to time. We encourage you to check this page for any changes in order for you to stay informed about how we are protecting the personal information you have entrusted to us. If there are significant changes in the way we process your personal information, we will contact you as well as placing a prominent notice on our website.
This Privacy Notice was last updated on 18 January 2019 (v1.0).