This policy applies to all employees of HIPZ (whether permanent, fixed-term or temporary) and any other person engaged by HIPZ, including without limitation seconded staff, agency staff, contractors, volunteers, or agents. This interplays with all policies of the organisation.
To meet our commitment to you, HIPZ will comply with the eight enforceable principles of good practice, which means that we will:
- Observe fully the conditions regarding the fair collection and use of personal data
- Meet our obligations to specify the purposes for which personal data is collected and used
- Collect and process appropriate personal data to the extent that it is needed to fulfil operational or legal requirements
- Ensure the quality of the personal data we collect, store and use
- Apply checks to determine the length of time personal data is held and used
- Ensure that the rights of individuals about whom the personal data is held can be fully exercised under the appropriate legislation
- Take the appropriate technical and organisational security measures to safeguard personal data
- Ensure that personal data is not transferred abroad without suitable safeguards.
Further details in relation to these principles and how HIPZ addresses them are described below.
As data processors we not only meet the legislative requirements set out under the Data Protection Act 1998 (DPA), the Privacy and Electronic Communications Regulations (PECR) and the General Data Protection Regulation (GDPR), but we always seek to meet and, where possible, exceed what people would reasonably expect of us with regard to their personal data.
The HIPZ UK Operations and Development Director is the owner of this policy and is responsible for maintaining and updating it. All workers should read and understand this policy and shall be responsible for complying with it.
The HIPZ UK Operations and Development Director is responsible for ensuring compliance with GDPR and with this policy. Any questions or concerns about the operation of this policy should be referred in the first instance to the UK Operations and Development Director.
The information we collect
The types of information that we may be required to handle include details of current, past and prospective employees, suppliers, Trustees, supporters and others that we communicate with. We also hold information about patients, both through direct information gathered by HIPZ programme staff and through the use of the Ministry of Health’s Hospital Management Information System, to which HIPZ has access.
The information, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the GDPR and other regulations. The GDPR imposes restrictions on how we may use that information.
Personal information is collected directly from you when you interact with HIPZ, for example when you make a donation, volunteer with us or participate in one of our events; when you send an email or make an enquiry; apply for a role with us, or when signing up to a campaign or for our email newsletter. Information may be collected in person, over the phone, through our websites, social media, on forms completed at an event or from something you’ve posted to us.
The information we hold will typically include some of, or all of, your name, postal and email addresses, your phone number(s), and may include information like your date of birth and your bank account details if required, to enable you to support us financially for example through a regular direct debit. We may also ask you to provide specific information about your interests or lifestyle and where appropriate, for example if you take part in a challenge event, may collect details about your health or your passport information. We may also collect or receive information about you from other sources (including public sources). This is explained in the ‘How we might use your information’ section below.
Sometimes, we may also link your personal record to family members, friends, colleagues or other acquaintances that we know are connected to you. We do this when you or the other party have indicated there is a connection, as this helps us when we correspond with you, or them, for example, if we hold an event and want to ensure we are inviting people who would enjoy meeting with each other.
How we process data
Data will be processed in line with data subjects’ rights under the Data Protection Act 1998 and the General Data Protection Regulation from May 25th 2018. Data subjects have the following rights:
- The right to be informed how Personal Data is processed
- The right of access to your Personal Data
- The right to edit and update your personal information
- The right to have your personal information deleted
- The right to restrict processing of your personal information
- The right to object
- The right to lodge a complaint with a supervisory authority
How we retain and manage data
We will retain your personal information for no longer than we believe is necessary for the purposes for which it is processed (in accordance with our internal policies including our data retention policy). If you ask us not to contact you, we will keep some basic information about you on a suppression list in order to avoid sending you unwanted materials in the future.
We will ensure that appropriate security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.
The GDPR requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.
Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:
(a) Confidentiality means that only people who are authorised to use the data can access it. In particular, for data subjects’ health information, only appropriate health care professionals and administrators of the system should have access.
(b) Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
(c) Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.
Security procedures include:
(d) Secure lockable desks, cupboards and filing cabinets. Desks, cupboards and filing cabinets should be locked at the end of the working day if they hold confidential information of any kind. (Personal information is always considered confidential.)
(e) Methods of disposal. Paper documents should be shredded.
(f) Equipment. Data users should ensure that individual monitors do not show confidential information to passers-by and that they log off from or lock their computer when it is left unattended.
How we might use information about you
If you are a supporter who receives marketing and fundraising materials or makes donations we may use your information for administration purposes.
Processing your donation
When you make a donation to HIPZ, we will use your payment and contact details, payment amount, date and time of payment to process that payment and take any follow-up administrative action needed, for example, sending a confirmation of your gift to you.
If you choose to include Gift Aid with a donation to us, then we will always ask for your address and UK taxpayer status as this information is required by law. You can read more about how Gift Aid works here: www.gov.uk/donating-to-charity/gift-aid. This information is needed for us to fulfil our obligations under tax and charity law. Information associated with Gift Aid declarations must be retained by us for a minimum of 7 years but may be retained longer. This information will be shared with HMRC for tax regulation purposes and may also be shared with the Fundraising Regulator and the Charity Commission in the event of an enquiry or investigation.
Responding to enquiries
If you contact us with a question, comment, compliment or complaint then we will keep a record of this correspondence and any associated documents so that we have the information available in the event of a follow-up, dispute or investigation.
Notifying you of changes to policies
If we make significant changes to policies which may affect you, we will use your contact details to inform you of the changes.
Requesting information if you are attending our events
If you participate in an event that we have, or someone else has, organised in aid of or on behalf of HIPZ, we may ask you to provide information to make sure we can manage the event safely and efficiently. We may also ask you for details of any accessibility need which you may have, so that we ensure our event is inclusive, in line with the provisions of the Equality Act 2010.
We may use your information to invite you to consider new and different ways that you could support or become more involved with our work such as participating in different events, raising or giving funds or involving others and spreading the word.
Sharing marketing and fundraising materials with you
Marketing and fundraising materials that we might share with you include information about our activities and their impact, news, events and fundraising appeals, and other ways you can become involved with us.
Where you have provided your postal address we may send this information to you by post or where you have provided a phone number we may call you unless you have asked us not to. If you are registered with the Telephone Preference Service then we won’t call you unless you have specifically told us we can. We may also email you this information or send by SMS (text messaging) if you have agreed for us to do so.
You can let us know at any time if you’d prefer to change how we share information with you or stop it altogether. Simply email firstname.lastname@example.org to let us know your preferences or use the area we provide on our postal communications to let us know of the changes you would like us to make. If you have consented to receive emails from us, you can also use the unsubscribe link contained within the emails at any time.
Using your information to enforce and comply with the law
As with all charities, we ensure that our activities comply with the law. This means that we may need to share or use your personal information if we are required to do so by law, for example, in response to a warrant or court order, and we may use information from other sources for the purposes of fraud prevention, for example to comply with money laundering regulations, or to protect people’s rights, property or safety.
If certain levels of donation are made, the Fundraising Regulator’s Code of Fundraising Practice requires us, and all charities in the UK, to perform certain checks on the donation. More details can be found at https://www.fundraisingregulator.org.uk/.
If you are applying for a paid or volunteer role within HIPZ
Your CV, covering letter, supporting information and any other documents submitted as part of your application for any position with HIPZ will be used during the recruitment process to short-list suitable candidates who will be invited to proceed to interview stage, and to select the final candidate that the role will be offered to. These documents will also be used to assess suitability for volunteer positions.
During the recruitment process, we may perform some checks on your identity, your right to work in the UK, and your eligibility to work with vulnerable people and children. We will also take up employment references.
If your application is successful, this information will then form part of your personnel file.
We delete the personal information of unsuccessful applications 12 months after the application process ends in case there are follow-up queries about the process, unless a candidate requests that we keep their details for longer. Statistical information like ethnicity, sexuality and disability is kept to ensure that our recruitment processes are inclusive and not discriminatory, but this is completely anonymised.
If we are required by law to share your information (for example, in response to a warrant or court order), we will do so.
If you are an Employee
Data about staff may be processed for legal, personnel, administrative and management purposes and to enable the data controller to meet its legal obligations as an employer, for example to pay staff, monitor their performance and to confer benefits in connection with their employment. Examples of when sensitive personal data of staff is likely to be processed are set out below:
(a) information about an employee’s physical or mental health or condition in order to monitor sick leave and take decisions as to the employee’s fitness for work;
(b) the employee’s racial or ethnic origin or religious or similar information in order to monitor compliance with equal opportunities legislation;
(c) in order to comply with legal requirements and obligations to third parties.
A formal request from a data subject for information that we hold about them must be made in writing. A £10 fee is payable by the data subject for provision of this information. Any member of staff who receives a written request should forward it to HIPZ’s UK Operations and Development Director immediately.
Any member of staff dealing with enquiries from third parties should be careful about disclosing any personal information held by us. In particular they should:
(a) Check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested.
(b) Suggest that the third party put their request in writing so the third party’s identity and entitlement to the information may be verified.
Where providing information to a third party, do so in accordance with the eight data protection principles.
How to handle a breach of this policy
Any breach must be reported to the UK Operations and Development Director, who in turn will inform the Chairman and Board of Trustees. All breaches must be assessed in line with the Information Commissioner’s Office (ICO) requirements and appropriate breaches reported to the ICO and the Charity Commission. Examples of incident types are: a cyber attack, data loss, or tailgating into the office systems.
Monitoring and Review of Policy
This policy is reviewed every two years by our Board of Trustees to ensure it is achieving its stated objectives. Recommendations for any amendments are reported to the UK Operations and Development Director.
Policy last updated March 2020.