Privacy Policy

This Privacy Policy tells you we do with your personal data when you use our services, donate to us, or visit us either in person or on our website.

The first five sections are important information that is relevant to everyone. The policy is then layered for different groups of people, so that you can easily find the section that is relevant to you, without having to read through everything else.

Please note that this Privacy Policy is regularly being updated and reviewed, and you should check back at regular intervals to ensure you are reading the latest version.

Covid-19 and your information
- Please see our Supplementary Privacy Notice on Covid-19 for Patients
- The privacy notice for COVID-19 keyworker testing is available here.

1. Who we are

LOROS is a local charity providing free, high-quality, compassionate care and support to terminally ill adult patients, their family and carers across Leicester, Leicestershire and Rutland.

If you are a patient, a visitor, a member of staff or volunteer, a donor, supporter or customer, or user of our education and training services, then LOROS is the data controller for your personal data that we process, unless otherwise stated. This means that we determine how and why your personal data is processed.

Our registration number with the Information Commissioner’s Office is Z681013X
You can contact us using the details below:

By post to:
LOROS Hospice
Groby Road
Leicester LE3 9QE

By telephone:
(0116) 231 3771

By email:
info@loros.co.uk

Limited Companies

Raising funds is vital to enable us to continue delivering our care and services. Much of this is done by the Fundraising Team, and also via the Lottery and through the LOROS shops. We have two private limited companies who also act as data controllers. These are:

LOROS Lotteries Limited.

If you play the LOROS lottery or buy tickets from our bi-annual raffle or scratchcards, then LOROS Lotteries Limited is the data controller for your personal data. LOROS Lotteries Limited is a private limited company and our registration number with the Information Commissioner’s Office is Z600081X.

Postal address:
LOROS Lotteries Limited
LOROS
Groby Road
Leicetser
Leicester LE3 9QE

Telephone:
(0116) 231 8430

Email:
lottery@loros.co.uk

LOROS Enterprises Ltd.

If you visit one of our shops or online store then LOROS Enterprises Ltd is the data controller. LOROS Enterprises is a private limited company and our registration number with the Information Commissioner’s Office is (tbc).

Postal address:
LOROS Enterprises Ltd Enterprise House
Station Road
Glenfield
Leicester LE3 8BT

Telephone:
(0116) 231 3666

Email:
info@loros.co.uk

2. Our Data Protection Officer

If you have any questions about this policy, or about data protection, or you want to exercise your rights as detailed in Section 5, you should contact our data protection officer (DPO).

Our DPO is Naomi Lunn. You can contact her by:

Email:
dataprotection@loros.co.uk

Telephone:
0116 231 3771

Post to:
LOROS Hospice, Groby Road, Leicester. LE3 9QE

3. When and how we collect your data

A lot of the personal data we process is provided to us directly by yourselves for one of the following reasons:

  • You receive clinical care or complementary therapy at LOROS hospice
  • You are a visitor, carer of a patient, or have referred someone
  • You work or volunteer for us, or have applied to do so
  • You play the lottery, raffle or scratch card games
  • You have visited one of our shops or online store
  • You have made a donation, participated in an event, or supported our fundraising in one way or another (examples include: set up an online tribute; pledged a legacy gift; sponsored someone in aid of LOROS, attended a community event, or raised money through your company or employer)
  • You have registered for Retail Gift Aid
  • You have visited our website
  • You have asked to receive updates and communications
  • You have made an enquiry, request or complaint
  • You have attended a training course or booked facilities at our education centre
  • You have taken part in a research study or project
We also receive some personal data indirectly:
  • Referrals or transfers from other organisations or services such as the NHS or care homes / charities or local companies
  • An employee, volunteer, patient or event participant gives us your contact details as an emergency contact or reference, or you are booked into a training event

4. How Secure is Your Data?

We have physical, electronic and managerial procedures to safeguard and secure your personal data. These include encryption, access controls, firewalls and many other methods. We have an information security policy that we will abide by and will ensure that our staff are trained to keep your data as safe as possible.

If however, you have concerns or believe that your privacy has been breached, please contact us immediately at dataprotection@loros.co.uk or 0116 231 3771.

5. Your Rights

You have a number of rights, which you can exercise. Just send an email to our Data Protection Officer at dataprotection@loros.co.uk; call 0116 231 3771 or write to her at LOROS Hospice, Groby Road, Leicester. LE3 9QE

Right to be Informed – you have the right to know why we are collecting and what we are doing with your personal data.
That’s what this privacy policy does in detail. Where we can, we will also provide you with information when we actually collect your personal data – this could be in a number of ways, such as leaflets, statements on forms or verbally. We will try and make this as easy and as clear as we can for you.

Right of Access - you have the right to access information we hold about you.
You may have heard this called a ‘subject access request’. You have the right to ask for:

  • confirmation that we are processing your personal data;
  • a copy of the personal data;
  • other supplementary information (such as the purpose of the processing, who it is disclosed to, retention period and your other rights).
We will provide you with the information within one month of your request, unless the request is unfounded or excessive, or adversely affects the rights and freedoms of other people. If we are unable to comply with your request for any of these reasons, we will let you know, and why.

Right to Rectification - you have the right to make us correct any inaccurate personal data about you
You can also ask us to complete personal data you think is incomplete. We will respond to your request within one calendar month. If we are unable to comply with your request, we will let you know, and why.

Right to Erasure - you have the right to be ‘forgotten’ by us
There are certain circumstances when you can ask us to erase all of your personal data. This is generally where we are processing your personal data on the lawful basis of consent, legitimate interests or it relates to direct marketing. We will erase your data within one month of your request.

Please note that if you have told us that you don’t wish to receive marketing messages, we will still keep minimal contact details on our suppression list – this is so that we can ensure you definitely do not receive any marketing information from us. If you do exercise your right to erasure, you will also be erased from the suppression list – meaning that at some point in the future if we receive your details again, you may be sent marketing information.

There are times (such as when we are complying with a legal obligation or for health care) that this right does not apply. We will let you know if that is the case.

Right to Restriction of Processing – you can ask us to limit the ways in which we use your personal data
This could be because you have issues with the information we hold or how we process the data, or it could be while we are looking at the accuracy of your data or investigating an objection. If it is a temporary restriction, we will inform you before we lift the restriction.
We will act upon your request within one month.
There are times when this right does not apply. We will let you know if that is the case.

Right to Data Portability - you have the right to port your data to another service
You can ask us to give you your data in a format that is easy to move, copy or transfer from one IT system to another in a safe and secure way. We will provide the information in a structured, machine readable and commonly used format. This right only applies when:

  • the data has been provided to us;
  • we are using the lawful basis of your consent, or fulfilling a contract, to collect your data; and
  • the data is being carried out by automated means, and not on paper.

There are times when the right does not apply. We will let you know within one month of your request, if that is the case.

Right to Object - you can object to us processing your personal data
You can object to your personal details being used for direct marketing purposes. When you do this we will stop processing your data for this purpose.

For other purposes, if we are using the ‘legitimate interests’ lawful basis, you can object to the processing, as long as you tell us why. We will use these reasons to determine whether the objection is justified or whether we disagree.

Your rights are restricted where we are using your personal data for research purposes, and the research is carried out in the public interest. We will let you know our decision within one month of your request.

You can object to us using your personal data for profiling or making automated decisions about you

  • 'Automated decision making’ means a decision that is made solely by automated means, with no human involvement (such as a decision made online to award a loan).
  • Profiling means automated processing of personal data to decide or evaluate certain things about an individual (for example to find something out about what you like or to predict your behaviour).
Right to Withdraw Consent
Where we are processing your personal data based upon your consent, you can withdraw this at any time, and we will stop processing your data immediately.

Right to make a complaint
You have the right to complain to us and to a supervisory authority about how we use your personal data. Please tell us first so that we have a chance to address your concerns. If you are not happy with our response, you have the right to lodge a complaint with a supervisory authority. This is the Information Commissioner’s Office, who you can contact at:

The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113, or from outside the UK +44 1625 545 700
Website: www.ico.org.uk

6. Your Personal Data

This section is broken down into areas to give you more information according to your relationship with us. For each group, you will find out what data we collect, why we need it, what is our lawful basis for sharing it under GDPR, who we share it with and how long we keep it. The sections are layered so that you can easily go to the most relevant area without having to read through everything. The areas are:

Patients and Service Users

Data Controller: LOROS Hospice

This applies to you if you are under the care of LOROS Hospice and in receipt of one or more of our many services, such as home visits, complementary therapy, counselling and physiotherapy, or from any of the day therapy centres. It includes people who are referred to us but not yet receiving care; those who have previously received one or more of our services, and individuals enquiring into any of our services.

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

The types of personal data that we will collect and process will include: your name, address, date of birth, contact details including email and telephone, your next of kin and your doctor’s contact details.

If you are receiving treatment or care, we will also process more sensitive data that falls under the ‘special categories’ relating to: your medical history, current medical records and your ethnicity and religion. If you have been referred to us, this information will come from your doctor, health professional or the NHS.

We store this information securely on our computerised medical record system called SystmOne.

Purpose - Why do we need it?

We need your contact details and next of kin and doctors’ details so that we can contact you about your care and appointments, and ensure we know who to contact in the event of an emergency.

We need your medical records so that we can ensure you receive the best, safe and most appropriate care and treatment from us either at your home, clinics, within the hospice or Day Therapy Centres.

We need data about your ethnicity and religion so that we can understand the needs of patients from different groups and provide better and more appropriate services; identify patients at risk – some groups are more at risk of specific diseases; and help us to understand your individual needs. It is also a legal requirement to promote equality and to eliminate discrimination.

What is our lawful basis for collecting it?

Contact information – it is in our legitimate interests to be able to administer our appointments and your care in the most efficient and appropriate way.
GDPR reference Article 6(f)

Medical records – it is in both your and our legitimate interests for us to be able to care for you in the best and safest way; and the special category data can be processed for the provision of health and social care (in cases of emergency i.e. in matters of immediate life or death, it can be processed to protect your vital interests)
GDPR reference Article 6(f)
GDPR reference Article 9(2)(h)
GDPR reference Article 9(2)(c)

Ethnicity and religion – this data is processed as it is necessary for a legal obligation (Equality Act 2010) and as special category, for carrying out obligations in the field of employment and social security and social protection (Equality Act 2010)
GDPR reference Article 6(f)
GDPR reference Article 9(2)(c)

Who do we share it with?

Your medical records on SystmOne will be shared with other NHS providers who are involved in your care if they are needed. We will also, where relevant, share your details with any other care agencies, including Social Services, as well as with Clinical Commissioning Groups and Lead Care Providers (who are contracted for care purposes). This is to ensure you are receiving holistic and appropriate care. SystmOne is a secure system with access and password controls.

We will also share some of your details with companies who will need it in order to provide appropriate medical or other equipment for you. For example, Home Oxygen providers, compression garment manufacturers and charities. We will only share the minimum data that is required and will ensure that appropriate security measures are applied for example encryption, secure fax or protected databases.

In some cases we will share your data with relevant authorities so that we can order you required help or services, such as the city and county councils for blue badges, or the Department of Work and Pensions for benefits.

How long do we keep it?

Medical records on service users will be retained in accordance with the national guidance for health and social care records, starting from the date that the provision of care has ended and in compliance with our own data retention policy.

All other personal data will not be kept for longer than it is required and will be securely kept or destroyed in line with the LOROS data retention policy.

Relatives and Visitors

Data Controller: LOROS Hospice
This applies to you if you are a relative, friend or carer of someone who is or who was previously in our care, or are visiting patients at the hospice.

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

The types of personal data that we will collect and process will include: your name, car registration if you have parked here, contact details if you are the next of kin or emergency contact for one of our patients or service users. We also operate CCTV around the hospice.

Purpose - Why do we need it?

When you visit the hospice we need your name and car registration to ensure your safe visit to the hospice and to meet fire and other building safety regulations. We may also need to find you if there is a need to move your vehicle.

We use CCTV for public and staff safety, and to prevent crime.

If you are the next of kin or emergency contact for a patient, we need your contact details in order to be able to get in touch if you are needed in an emergency or other urgent event. If you are bereaved, we will offer you ongoing support and let you know about our remembrance services, book of remembrance and other ways to remember your loved ones such as our Light Up a Life campaign. We will also send you a bereavement card.

If you do make a gift in your loved ones’ name, we will record your details to ensure that you do not receive any other communications at a sensitive time.

Please note that details about how much has been raised in a person’s name will only be disclosed to the next of kin, and only the total amount will be disclosed, not individual donors’ information, or amount given.

We conduct research studies in order to improve our service for both patients and their next of kin; and it is possible that we will contact you in the future to ask whether you would consent to participating in a research study or survey to tell us about your experience of the hospice.

If you receive a service from the hospice, such as counselling or complementary therapy, you are a service user and should read the patient and service user section.

What is our lawful basis for collecting it?

Visitor information – as well as being sensible practice, keeping a log of visitors is necessary for a legal obligation (the Regulatory Reform (Fire Safety) Order 2005)
GDPR reference Article 6(c)

It is in our legitimate interests to use CCTV to prevent crime and to keep our patients, visitors, staff and volunteers safe.
GDPR reference Article 6(f)

Next of kin and emergency contact details – this is processed in the legitimate interests of the patient or service user, and will only be used in the event of an emergency or at a patient’s request.
GDPR reference Article 6(f)

It is in our legitimate interests, and those of service users, to use your contact details to ask for your consent to participate in surveys or research.
GDPR reference Article 6(f)

If you are bereaved we will only use your details to offer you services that are in your legitimate interests, and it will be up to you to decide if and how you would like to talk to us about remembering your loved ones.
GDPR reference Article 6(f)

Who do we share it with?

We do not share these details with anyone, unless required to do so by law.

We will only share CCTV images if required to do so by authorised bodies, for example the Police who will only use it for crime detection, prevention or investigation. Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.

How long do we keep it?

Our visitors book is retained for 12 months before being securely destroyed.

A record of bereaved next of kin is securely stored for one year from the date of the remembrance service and then securely destroyed.

If you have made a donation or participate in our Light up a Life campaign, then your details are retained on Raiser’s Edge, our supporter database, indefinitely or until you ask for them to be removed. We will be implementing a data retention schedule shortly for this data. See the section on donors for more details.

CCTV images are kept for 30 days and then deleted, unless there is a specific requirement to retain them for longer, for example where a crime is being investigated.

Supporters and donors

Data Controller: LOROS Hospice
This group includes anybody who has made, pledged or offered to make a financial or non-financial donation of any sort to LOROS Hospice. It also includes individuals who have expressed an interest in supporting our work, have requested information from our Fundraising team, completed an event, sponsorship, or event application form. It does not include Lottery, raffle or scratch card players – who are covered in a separate section.

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

The types of information that we will collect or process include your name, address, gender, date of birth, contact details including email and telephone, any donation amounts or regular gifts given; details of any previous support including participation at events or information relevant to your participation at that event; other relevant support; communication preferences and a record of the previous communications we have had with you. Information about our supporters is held securely on our database called Raiser’s Edge.

Purpose - Why do we need it?

We need to keep these details for fundraising and marketing purposes. We are a charity and we want to provide the best care for all of our hospice users, and to do this we need to generate income in order to ensure this is provided free of charge to all local people. We will send out relevant marketing and fundraising information via post and email and plan to also do this via text in the future.

We need your details so that we can contact you and:
  • manage the events that you might be taking part in
  • keep you informed of news and developments at LOROS, and to help you to feel connected to our cause.
  • promote all the different events, campaigns and activities that we have going on
  • thank supporters and showcase the difference your donations make to the organisation and to local people
  • showcase our care services and raise awareness of the many ways we can help those living with a terminal illness
  • dispel myths about hospice care, encouraging more people to access our care – especially hard to reach groups
  • drive traffic to our website to find out more
  • ensure that your details are accurate and up-to-date
We will carry out targeted fundraising and marketing to ensure that we are contacting you with the most relevant information through your preferred channels. For example, if you have already participated in an event or bought a product; we will continue to contact you about that and/or similar events or products, unless you ask us not to.

We want to make sure our communication with you is relevant, and you are hearing about areas that are of interest to you, such as volunteering, events, research and how your support is helping us. To do this we will use data analysis such as profiling techniques and insight companies to provide us with information about you, which you have shared regarding your lifestyle and purchasing habits. We will ensure that any companies that provide us with this information have a proper lawful basis for doing so.

You can opt out of your data being used for profiling. However, this may mean that you stop receiving relevant marketing communications from us or they become more generic and less relevant to you as they are no longer based on your interests in our cause. If you do wish to opt-out please contact our Data Protection Officer using the details at the start of this policy.

We use your details for data cleansing. We want to keep your details accurate and up-to-date – and so we use the Royal Mail's data on re-directing post to ensure that we can maintain contact with you when you have moved. We also use services to notify us of the recently deceased to avoid any distress that continued communications may cause.

Sometimes we use publicly available data (such as contact information) to help us perform due diligence checks, or screening. This is to prevent abuse by fraudsters or criminals posing as genuine donors, or to ensure that there are no conflicts of interest from potential supporters or organisations. We also research trusts and their associated trustees to check their interests and criteria before applying to external grant makers for funding towards the work of the hospice and particular projects. We also research companies and employees prior to writing a sponsorship proposal.

If you request to receive no further information from us, we will also keep your personal data on our suppression list so that we can always ensure that you do not receive any unwanted communication.

What is our lawful basis for collecting it?

It is in our legitimate interests to collect and process your personal data in order to be able to send you relevant marketing and fundraising material by post.
GDPR reference Article 6(f)

We will always collect your consent to send you marketing and fundraising information by email, and ultimately by text message. If you have already purchased a product or participated in an event, we will use the ‘soft opt-in’ basis that you have already shown an interest in receiving communications about this relevant product or event; and will continue to send you emails unless you ask us not to.
GDPR reference Article 6(a)

If you have chosen to participate in an event or challenge, and have paid to do so, or bought a product, we will process your personal details as it is necessary for the performance of a contract.
GDPR reference Article 6(b)

Who do we share it with?

We will share your name and address with mailing companies before we send out any post to you. These include Blackbaud and Whittington Moore. If you are participating in an event we will share your personal data with the relevant event organisers or administrators where required. For example we use Obstacle Race Magazine for Mudnificent7.

How long do we keep it?

We currently keep all of our records on Raiser’s Edge indefinitely or until we are informed of a change in situation or asked to delete them. We will be implementing a data retention schedule shortly for this data.

Lottery, Raffle and Scratch Card players

Data Controller: LOROS Lotteries Limited
This applies to you if you have previously or currently played the LOROS Lottery, purchased LOROS raffle tickets or scratch cards, or won any cash prizes.

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

The types of information that we will collect or process include your name, address, date of birth, contact details including email and telephone, your assigned lottery number and payment details. If you are a Lottery player, your information is stored securely on our donorflex database as well as our Raiser’s Edge supporters’ database. If you have previously bought raffle tickets, your details will be stored on Raiser’s Edge and Carn software. If you are a scratch card winner we will use your details to generate your winners’ cheque and then will store your name only. If you have ordered cards in bulk, we will store your details on Raiser’s Edge.

Purpose - Why do we need it?

Lottery Players – we need your personal details so that we can run the lottery draw effectively; to be able to inform you if you are a winner; to fulfil rules and regulations from the Gambling Commission (such as ensuring you are old enough to play); to process payments to play (including as a gift); to maintain our donor records; and to enable the Lottery to generate income to run LOROS services.

Unless you have asked not to be contacted, we will also use your details to send you news, marketing and fundraising information that we think you will be interested in, including the raffle draws. For further information on this, see the section on supporters and donors.

Raffle ticket customers – we need to process your details to be able to run the raffle draw; to contact you if you are a winner, and to enable the raffle to generate income to run LOROS services. We need your payment details if you are choosing to pay by card, in order to process your payment (please note that these details are destroyed immediately after processing).

If you win over £10 on a scratch card, we need your details in order to be able to pay your winnings via cheque.

If you order scratch cards in bulk, we need your personal details in order to be able to process your order efficiently.

In certain circumstances, we want to promote further income generation and a positive message through marketing case studies on previous lottery/raffle/scratch card winners. We may process your personal details in order to do this, but we will always ask for your consent before any publicity takes place.

We use your details for data cleansing. We want to keep your details up to date, particularly if you have won – and so we use the Royal Mail's data on re-directing post to ensure that we can maintain contact with you when you have moved. We also use services to notify us of the recently deceased to avoid any distress that continued communications may cause.

If you request to receive no further information from us apart from anything other than your Lottery account, we will also keep your personal data on our suppression list so that we can always ensure that you do not receive any unwanted communication.

What is our lawful basis for collecting it?

If you have chosen to play the Lottery, purchase a raffle ticket or a bulk order of scratch cards, then we will process your personal data as it is necessary for the performance of a contract
GDPR reference Article 6(b) We also collect your date of birth as it is necessary for a legal obligation (Gambling Act 2005)
GDPR reference Article 6(c)

It is in our legitimate interests to collect and process your personal data in order to be able to send you relevant marketing and fundraising material (such as raffle tickets) by post.
GDPR reference Article 6(f)

We will always collect your consent to send you marketing and fundraising information by email, and ultimately by text message.
GDPR reference Article 6(a)

If you have already purchased a product or participated in an event, we will use the ‘soft opt-in’ basis that you have already shown an interest in receiving communications about this relevant product or event; and will continue to send you emails unless you ask us not to.

Who do we share it with?

We share your data with the companies that process the Lottery (donorflex) and Raffle (Carn) draws. Both of these are secure, access controlled databases.

We share your data securely with payment processing companies. These are Secure Collections (for direct debit processing) RSM 2000 and Sage Pay (for card payments)

We also share your personal details with mailing companies who print and mail out our raffle tickets. The company is chosen prior to each raffle campaign. These details are always transferred securely using encryption or SFTP transfer.

How long do we keep it?

We currently keep all of our records on donorflex and Raiser’s Edge indefinitely or until we are informed of a change in situation or asked to delete them.
We will be implementing a data retention schedule shortly for this data. Any paper files relating to card payments are destroyed immediately after processing via secure shredding. Other payment details such as direct debit and cash rounds are kept securely for 6 years after processing.

Raffle ticket stubs are destroyed securely 8 weeks after the raffle draw.

Bulk scratch card order forms are retained (minus payment details) for 6 years after the transaction.

Gift subscription order forms are retained for 6 years after the transaction.

Website visitors

Data controller: LOROS Hospice
This applies to you when you visit www.loros.co.uk

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

We use a third party service, Google Analytics, to collect certain information about the time you spend on our website. The types of information that we will collect or process includes information about your computer, including where available your IP address, operating system and browser type. The information is not linked to individuals, and is turned into statistics so that it does not identify anyone.

There are areas on the website where we do ask for and collect your personal data and this will be for a specific reason, for example in contact forms, when you book or pay for an event or when using the online shop.

Purpose - Why do we need it?

We use the statistical data to find out more about users' browsing actions and patterns. It enables us to measure the effectiveness of the website, measure visitor numbers and then to identify areas for improvement.

We do not use the information to identify anyone who is visiting our website. When we do ask for your personal details, the reason for this will be clear – for example if you are making a query and you require a response; or booking an event and your details are needed to be able to join.

What is our lawful basis for collecting it?

It is in our legitimate interests to monitor our website and to improve the website and the services and experience for to our users, as well as to attract more people to use the site.
GDPR reference Article 6(f)

Where we ask for your personal details for a specific reason, our legal basis will be stated within the relevant area of the privacy policy (for example if you are making a donation look at the section for donors or if you are shopping online look at shop customers).

Who do we share it with?

Information about your use of our website, including your IP address, will be transmitted to, and stored by, Google. This information will be subject to Google's Privacy Policy . You can find out how Google uses this information here. For more information on how we use Cookies, visit our cookies policy here.

When you fill in on an online form, data is shared with Wufoo, who provide a web based program that we use to create forms and surveys on our website. Only information that comes from surveys is stored securely within Wufoo. For contact or query forms, the data will be used to fulfil its purpose (for example to create an email if it is a query, or to go onto our supporter database if it is making a donation) but not stored on Wufoo.

How long do we keep it?

We do not keep the data; Google Analytics retains it, before automatically deleting it after 14 months. When data reaches the end of the retention period, it is deleted automatically on a monthly basis.

Survey data on Wufoo is currently retained indefinitely, but will be subject to and added into our retention policy in the near future.

Shop Visitors, Customers, and Retail Gift Aid

Data Controller:
LOROS Enterprises for store and online shop visitors
LOROS Hospice for Retail Gift Aid

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

This applies to you if you visit one of our shops throughout Leicestershire and Rutland, and if you browse or use our online store, www.shop.loros.co.uk
It also applies if you register for Retail Gift Aid when you make a donation of goods for us to sell.

What data do we collect?

When you purchase something from our online store, the types of information that we will collect or process includes the personal information you give us such as your name, address and email address. Direct payment gateways will use your credit or debit card data.

When you browse our online store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system. See the section on visitors to our website for more information about this.

When you visit one of our shops, it is likely that there are CCTV cameras recording the entrance and exit points, as well as the tills. Where this is the case, posters will be on display letting you know that CCTV is being used.

When you register for Retail Gift Aid we will collect your name, address and email address.

Purpose - Why do we need it?

When using our online store, we need your personal information to be able to deal effectively with your transaction, for example to complete a transaction, verify your credit card, place an order, arrange for a delivery or return a purchase. If you request it, we will send you emails about our store, new products and other updates.

We use CCTV as a crime deterrent and for security and safety of the public and our staff. This information is only accessible to and viewed by relevant staff if required.

We use the details you give us when registering for Retail Gift Aid so that we can contact you to ask whether you wish to retain or donate the gift aid proceeds made from the sale of your items, to LOROS. Retail Gift Aid helps your donations go even further to raise vital funds for LOROS. We will also use your details to send you further details about our news, activities and appeals via post, unless you opt out; and by email if you ask us to.

What is our lawful basis for collecting it?

If you have made a purchase at our online store, then we will process your personal data as it is necessary for the performance of a contract to enable us to complete the transaction.
GDPR reference Article 6(b)

It is in our legitimate interests to use CCTV in our stores in order to prevent crime and ensure the safety of our customers and staff.
GDPR reference Article 6(f)

It is in our legitimate interests to contact you and claim Retail Gift Aid so that we can raise even more funds for LOROS; it is also in our legitimate interests to contact you with further news and marketing via post.
GDPR reference Article 6(f)

We will always collect your consent to send you marketing and fundraising information by email
GDPR reference Article 6(f)

Who do we share it with?

Our store is hosted on Shopify Inc. They provide us with the online e-commerce platform that allows us to sell our products and services to you.
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.

If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.

For more insight, you may also want to read Shopify’s Terms of Service or Privacy Statement. Certain third-party service providers, such as payment gateways and other payment transaction processors, e.g. PayPal or your bank, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers, and under which jurisdiction they may fall.

Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.

We will only share CCTV images if required to do so by authorised bodies, for example the Police who will only use it for crime detection, prevention or investigation. Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.

We are required by law to share your details relating to Retail Gift Aid with HMRC (Her Majesty’s Revenue and Customs) after each donation that is made to LOROS.

How long do we keep it?

If you pay online at the online store, your purchase transaction data is stored only as long as is necessary to complete your purchase transaction. After that is complete, your purchase transaction information is deleted.
Unless you have opted out, your contact details will be retained on our supporter database indefinitely, but this is under review in our retention policy.

CCTV images are kept for 30 days and then deleted, unless there is a specific requirement to retain them for longer, for example where a crime is being investigated.

Details for retail gift aid are currently kept indefinitely although that retention period is currently under review.

LOROS Staff, Volunteers and Applicants

Data Controller: LOROS Hospice
This applies to you if you work for LOROS either as a paid member of staff or as a volunteer. It also applies to you if you apply for a job or volunteering role at LOROS.

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

As a member of staff or volunteer, the types of information that we will collect or process include your name, address, contact details, date of birth, next of kin and emergency contact details. We will also process special category data where applicable such as bank details, payroll records, pension and benefits information, sickness and health information, disciplinary and grievance records, DBS checks and documentation.

If you apply for a job or volunteering role at LOROS we will collect and store your name and contact details; your employment history; your qualifications; your health data if applicable, your immigration status as well as your ethnicity and other special category data such as disabilities and current salary.

We also use CCTV on hospice and shop premises.

Purpose - Why do we need it?

For our staff, we need information in order to be able to perform obligations under the contract of employment such as paying salaries and statutory (such as maternity or sick) pay and so that we can support you when you need it (for example if you are sick or require adjustments made to your working conditions). We need to keep records of working hours to comply with the Directive on working hours. We need to gather data on gender, ethnicity, sexual orientation, religion, disability, and other special categories in order to meet our legal obligations under the Equalities Act, but also so that we can better understand our staff demography and ensure that we make LOROS a great place to work.

For volunteers, we need to ensure that we match the right volunteer to the right role, and at the right time.

Staff details are stored securely on our Select HR System. Volunteer details are stored securely on our Raiser’s Edge database.

We also need to be able to respond to reference requests from other employers.

For applicants, we need to be able to contact you to process your application; to ensure we employ the right people with the right skills and qualifications; to ensure that you are eligible to work in the UK; and that we offer any reasonable adjustments you may require during the recruitment process. For some posts we are legally and morally required to collect information about criminal convictions and offences.

We use CCTV on hospice and shop premises in order to act as a deterrent to crime and to keep our staff and volunteers safe. Prevention of crime includes internal fraud and theft, and in shops, cash register points will be monitored by CCTV. Images are only viewed if required.

In certain cases, if considered appropriate, CCTV footage may be used to support disciplinary cases or complaints that involve staff or volunteers.

What is our lawful basis for collecting it?

Information about staff is collected to comply with a legal obligation and as part of a contractual obligation
Special category data is collected and processed for the purposes of obligations and rights in the field of employment and social protection law.
The relevant laws are:
  • Sick Pay Act 1994
  • Working Time Regulations 1998
  • National Minimum Wage Act 1998
  • Employment Act 2002
  • Agency Workers Regulations 2010
  • Pensions Act 2008
  • Equality Act 2010
GDPR reference Article 6(c)
GDPR reference Article 6(b)
GDPR reference Article 9.2(b)

If you are applying for a job or volunteering role at LOROS, we process your personal data because it is necessary for us to perform a contract or to take steps at your request, before entering a contract.
GDPR reference Article 6(b)

We process your special category personal data when you apply for a job or volunteering role, because it is a legal obligation under the field of employment and social protection law to collect information about eligibility to work in the UK, (Nationality Immigration and Asylum Act 2002) and about reasonable adjustments relating to disability (Equality Act 2010).
GDPR reference Article 9.2(b)

It is in our legitimate interests to use CCTV to prevent crime; to keep our staff and volunteers safe; to prevent employee misconduct, ensuring compliance with health and safety procedures, and to defend any legal claims if required.
GDPR reference Article 6(f)

Who do we share it with?

Where employees have opted into the relevant scheme, information is shared with pensions provider, Berkeley Burke.

Statistical information (that has been anonymised) about ethnicity and disability is submitted to the Government.

Medical or relevant data will be shared with Occupational Health if a referral is required. Any reference requests received will receive relevant personal data.

Where a DBS (Disclosure and Barring Service) check is required, your data will be shared with the DBS Service to conduct criminal record checks.

We will only share CCTV images if required to do so by authorised bodies, for example the Police who will only use it for crime detection, prevention or investigation. Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.

How long do we keep it?

All staff and volunteer data is kept for the duration of your employment or volunteering role, and then for six years afterwards, before being deleted and/or destroyed. Some data where occupational health is involved will be kept for 10 years.

For job and volunteering applicants, we keep the data of unsuccessful candidates for 6 months; if you are successful we will transfer your data to your own personal file and it will be treated as the staff data above.

CCTV images are kept for 30 days and then deleted, unless there is a specific requirement to retain them for longer, for example where a crime is being investigated.

Education and Training and PDC Service users

Data Controller: LOROS Hospice
This applies to you if apply to attend, or attend a training course at LOROS hospice. It also applies to you if you book and use a room at our Professional Development Centre (PDC).

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

The types of information that we will collect or process when you apply to attend a course include your name and contact details, as well as any relevant qualifications or interests. We will also ask you to tell us if you have any access or learning requirements or dietary needs.

When you book a meeting room in our centre, we will collect your name and contact details, along with finding out any requirements you or your attendees may have.

In one of the meeting rooms, and one of the training rooms, there is a permanent live recording of proceedings, however these can only be accessed on request or by the relevant people, and only saved when set to record.

Purpose - Why do we need it?

We need your contact details to be able to process the course booking, allocate you a place and use the relevant details to gain funding and process invoices. Information is also required to ensure refreshments are booked and that any requirements are met, such as hearing loops, parking spaces and dietary requirements. Data about your current qualifications is needed to ensure you are applying for the most relevant course.

Unless you choose to opt out, we will also contact you with information about future courses that we think you will be interested in.

When you book a room, we need your contact details to be able to process the room booking appropriately; to invoice and receive payment for the rooms; and to be able to contact you if required. Unless you choose to opt out, we will also contact you with relevant offers and marketing information about room bookings and similar services in the future. Information on special requirements is asked to be provided anonymously and is only to ensure we meet any needs you may have.

Recording in the Saunders Room is there to be accessed should anyone wish to save, keep or broadcast a presentation or meeting. It is not viewed in realtime and is only accessible to people with relevant access to the system.

Recordings in the clinical training room is only used for training purposes, and will only be extracted should someone wish to request viewing of their practical training. It is not viewed in realtime and is only accessible to people with relevant access to the system.

What is our lawful basis for collecting it?

If you are applying for a training course, we process your personal data because it is necessary for us to perform a contract or to take steps at your request, before entering a contract.
GDPR reference Article 6(b)

Any special category data relating to requirements such as access is processed for the purposes of obligations and rights in the field of employment and social protection law (in this case the Equality Act 2010).
GDPR reference Article 9.2(b)

It is in our legitimate interests to encourage you to use our training courses again, and to send you news about the hospice and future events. Because you have already been on a training course with us, we will use the ‘soft opt-in’ basis to send you details of other courses that you think you will be interested in.
GDPR reference Article 6(f)

If you are booking a meeting room, we process your personal data because it is necessary for us to perform a contract or to take steps at your request, before entering a contract.

Because you have already been on a training course with us, we will use the ‘soft opt-in’ basis to send you details of other courses that you think you will be interested in.
GDPR reference Article 6(b)

Who do we share it with?

Once you have gained a qualification, we will share your data with your education provider, if they require it. Where an employer sends their staff to attend our training courses, we will also share with them, details of your attendance and any course outcomes (including qualifications).

Nothing else is shared.

How long do we keep it?

Hard copy registers and application forms are kept for one year and then shredded securely. The archiving process for electronic documents is currently being looked into and we will update here when the schedule has been finalised.

Recordings within rooms are realtime only and only accessible if requested to be recorded and saved. Otherwise they are not available after the event.

Research

Data Controller:
LOROS Hospice (for the volunteer database)
Project Sponsor (for each individual research project)
This applies to you if participate in a research study. You could be a patient, a relative or carer, a member of staff, or a healthy volunteer.

What data do we collect?
Why do we need it?
What is our lawful basis for collecting it?
Who do we share it with?
How long do we keep it?

What data do we collect?

The types of information that we will collect or process will depend upon which research study you are taking part in. Often it will contain special category data, such as health information. For each study we keep a site file which needs to contain a recruitment log and original consent forms which are both classed as identifiable data. The study site files are kept in a locked cabinet in a secure location with restricted access.

Purpose - Why do we need it?

LOROS is a research-active hospice. Research provides evidence to support better care in the future and studies are conducted for many reasons, such as finding new and better ways to care for and treat patients and to improve services and outcomes for service users, staff and members of the public. As a research-active hospice we are required to comply with regulatory requirements that govern research and Good Clinical Practice; these include information governance and data collection and protection.

For some studies, usually not patients, we maintain a database of research participants who agree to be contacted with details of further studies in which they may be interested. We will always ask for your consent to keep these details and will contact you every 3 years to ask your permission to keep your details. You may contact the research team at any time to request that your contact details are removed from the database and there will be no further contact from ourselves.

What is our lawful basis for collecting it?

The lawful basis depends upon the nature of the research study. If we are not the project sponsor, we will not decide the lawful basis. Each research study will document the correct lawful basis for collecting the personal data.

We will always ask for your consent to maintain your details on our database for future studies.
GDPR reference Article 6(a)

Who do we share it with?

Research study data will be shared as required by each individual project; it is usually anonymised or pseudonymised so that it is not possible, or very difficult, to relate personal data back to an individual.

Details of who the data may be shared with will be documented in the regulatory applications for individual study and may vary depending on the study. Each Participant Information Sheet will contain this detail and the consent process will also include this.

For all research studies the consent process will include a specific consent to allow access to your research data to authorised individuals from the Sponsor or Regulatory Authorities for monitoring and audit purposes. This is important as this process is ensuring that we are conducting the research to regulatory requirements and good clinical practice.

If you are on our database for future research participants, we will not share your data with anyone. The database is kept securely and access to it is restricted to essential members of the research team.

How long do we keep it?

Personal data for each individual research study is different and the period for which it is to be kept / archived will be detailed in the protocol and regulatory application and approval and we are obliged to keep it in accordance with these requirements.

Consent to stay on the volunteers database will be refreshed every 3 years, and you will remain on this list as long as your consent is active.