Privacy Policy
This Privacy Policy tells you what we do with your personal data when you use our services, donate to us, or visit us either in person or on our website.
The first five sections are important information that is relevant to everyone. The policy is then layered for different groups of people, so that you can easily find the section that is relevant to you, without having to read through everything else.
Please note that this Privacy Policy is regularly being updated and reviewed, and you should check back at regular intervals to ensure you are reading the latest version. LOROS is currently compliant with the national data opt-out policy. For more information, see this section.
Covid-19 and your information
- Please see our Supplementary Privacy Notice on Covid-19 for Patients
- The privacy notice for COVID-19 keyworker testing is available here.
1. Who we are
LOROS is a local charity providing free, high-quality, compassionate care and support to terminally ill adult patients, their family and carers across Leicester, Leicestershire and Rutland.
If you are a patient, a visitor, a member of staff or volunteer, a donor, supporter or customer, or user of our education and training services, then LOROS is the data controller for your personal data that we process, unless otherwise stated. This means that we determine how and why your personal data is processed.
Our registration number with the Information Commissioner’s Office is Z681013X
You can contact us using the details below:
By post to:
LOROS Hospice
Groby Road
Leicester LE3 9QE
By telephone:
(0116) 231 3771
By email:
info@loros.co.uk
Limited Companies
Raising funds is vital to enable us to continue delivering our care and services. Much of this is done by the Fundraising Team, and also via the Lottery and through the LOROS shops. We have two private limited companies who also act as data controllers. These are:
LOROS Lotteries Limited.
If you play the LOROS lottery or buy tickets from our bi-annual raffle or scratchcards, then LOROS Lotteries Limited is the data controller for your personal data. LOROS Lotteries Limited is a private limited company and our registration number with the Information Commissioner’s Office is Z600081X.
Postal address:
LOROS Lotteries Limited
LOROS
Groby Road
Leicester LE3 9QE
Telephone:
(0116) 231 8430
Email:
lottery@loros.co.uk
LOROS Enterprises Ltd.
If you visit one of our shops or online store then LOROS Enterprises Ltd is the data controller. LOROS Enterprises is a private limited company and our registration number with the Information Commissioner’s Office is (tbc).
Postal address:
LOROS Enterprises Ltd
Enterprise House
Station Road
Glenfield
Leicester LE3 8BT
Telephone:
(0116) 231 3666
Email:
info@loros.co.uk
2. Our Data Protection Officer
If you have any questions about this policy, or about data protection, or you want to exercise your rights as detailed in Section 5, you should contact our data protection officer (DPO).
Our DPO is Naomi Lunn. You can contact her by:
Email:
dataprotection@loros.co.uk
Telephone:
0116 231 3771
Post to:
LOROS Hospice, Groby Road, Leicester. LE3 9QE
3. When and how we collect your data
A lot of the personal data we process is provided to us directly by yourselves for one of the following reasons:
- You receive clinical care or complementary therapy at LOROS hospice
- You are a visitor, carer of a patient, or have referred someone
- You work or volunteer for us, or have applied to do so
- You play the lottery, raffle or scratch card games
- You have visited one of our shops or online store
- You have made a donation, participated in an event, or supported our fundraising in one way or another (examples include: set up an online tribute; pledged a legacy gift; sponsored someone in aid of LOROS, attended a community event, or raised money through your company or employer)
- You have registered for Retail Gift Aid
- You have visited our website
- You have asked to receive updates and communications
- You have made an enquiry, request or complaint
- You have attended a training course or booked facilities at our education centre
- You have taken part in a research study or project
- Referrals or transfers from other organisations or services such as the NHS or care homes / charities or local companies
- An employee, volunteer, patient or event participant gives us your contact details as an emergency contact or reference, or you are booked into a training event
4. How Secure is Your Data?
We have physical, electronic and managerial procedures to safeguard and secure your personal data. These include encryption, access controls, firewalls and many other methods. We have an information security policy that we will abide by and will ensure that our staff are trained to keep your data as safe as possible.
If, however, you have concerns or believe that your privacy has been breached, please contact us immediately at dataprotection@loros.co.uk or 0116 231 3771.
5. Your Rights
You have a number of rights, which you can exercise. Just send an email to our Data Protection Officer at dataprotection@loros.co.uk; call 0116 231 3771 or write to her at LOROS Hospice, Groby Road, Leicester. LE3 9QE
Right to be Informed – you have the right to know why we are collecting and what we are doing with your personal data.
That’s what this privacy policy does in detail. Where we can, we will also provide you with information when we actually collect your personal data – this could be in a number of ways, such as leaflets, statements on forms or verbally. We will try and make this as easy and as clear as we can for you.
Right of Access - you have the right to access information we hold about you.
You may have heard this called a ‘subject access request’. You have the right to ask for:
- confirmation that we are processing your personal data;
- a copy of the personal data;
- other supplementary information (such as the purpose of the processing, who it is disclosed to, retention period and your other rights).
Right to Rectification - you have the right to make us correct any inaccurate personal data about you
You can also ask us to complete personal data you think is incomplete. We will respond to your request within one calendar month. If we are unable to comply with your request, we will let you know, and why.
Right to Erasure - you have the right to be ‘forgotten’ by us
There are certain circumstances when you can ask us to erase all of your personal data. This is generally where we are processing your personal data on the lawful basis of consent, legitimate interests or it relates to direct marketing. We will erase your data within one month of your request.
Please note that if you have told us that you don’t wish to receive marketing messages, we will still keep minimal contact details on our suppression list – this is so that we can ensure you definitely do not receive any marketing information from us. If you do exercise your right to erasure, you will also be erased from the suppression list – meaning that at some point in the future if we receive your details again, you may be sent marketing information.
There are times (such as when we are complying with a legal obligation or for health care) that this right does not apply. We will let you know if that is the case.
Right to Restriction of Processing – you can ask us to limit the ways in which we use your personal data
This could be because you have issues with the information we hold or how we process the data, or it could be while we are looking at the accuracy of your data or investigating an objection. If it is a temporary restriction, we will inform you before we lift the restriction.
We will act upon your request within one month.
There are times when this right does not apply. We will let you know if that is the case.
Right to Data Portability - you have the right to port your data to another service
You can ask us to give you your data in a format that is easy to move, copy or transfer from one IT system to another in a safe and secure way. We will provide the information in a structured, machine readable and commonly used format.
This right only applies when:
- the data has been provided to us;
- we are using the lawful basis of your consent, or fulfilling a contract, to collect your data; and
- the processing is being carried out by automated means, and not on paper.
There are times when the right does not apply. We will let you know within one month of your request, if that is the case.
Right to Object - you can object to us processing your personal data
You can object to your personal details being used for direct marketing purposes. When you do this we will stop processing your data for this purpose.
For other purposes, if we are using the ‘legitimate interests’ lawful basis, you can object to the processing, as long as you tell us why. We will use these reasons to determine whether the objection is justified or whether we disagree.
Your rights are restricted where we are using your personal data for research purposes, and the research is carried out in the public interest.
We will let you know our decision within one month of your request.
You can object to us using your personal data for profiling or making automated decisions about you
- ‘Automated decision making’ means a decision that is made solely by automated means, with no human involvement (such as a decision made online to award a loan).
- Profiling means automated processing of personal data to decide or evaluate certain things about an individual (for example to find something out about what you like or to predict your behaviour).
Where we are processing your personal data based upon your consent, you can withdraw this at any time, and we will stop processing your data immediately.
Right to make a complaint
You have the right to complain to us and to a supervisory authority about how we use your personal data. Please tell us first so that we have a chance to address your concerns. If you are not happy with our response, you have the right to lodge a complaint with a supervisory authority. This is the Information Commissioner’s Office, who you can contact at:
The Office of the Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Helpline: 0303 123 1113, or from outside the UK +44 1625 545 700
Website: www.ico.org.uk
6. Your Personal Data
This section is broken down into areas to give you more information according to your relationship with us. For each group, you will find out what data we collect, why we need it, what is our lawful basis for sharing it under GDPR, who we share it with and how long we keep it. The sections are layered so that you can easily go to the most relevant area without having to read through everything. The areas are:
- Patients and Service Users
- Relatives and Visitors
- Supporters and donors
- Lottery, Raffle and Scratch Card players
- Website visitors
- Shop Visitors, Customers, and Retail Gift Aid
- LOROS Staff, Volunteers and Applicants
- Education and Training and PDC Service users
- Research
Patients and Service Users
Data Controller: LOROS Hospice
This applies to you if you are under the care of LOROS Hospice and in receipt of one or more of our many services, such as home visits, complementary therapy, counselling and physiotherapy, or from any of the day therapy centres. It includes people who are referred to us but not yet receiving care; those who have previously received one or more of our services, and individuals enquiring into any of our services.
What data do we collect?
The types of personal data that we will collect and process will include: your name, address, date of birth, contact details including email and telephone, your next of kin and your doctor’s contact details.
If you are receiving treatment or care, we will also process more sensitive data that falls under the ‘special categories’ relating to: your medical history, current medical records and your ethnicity and religion. If you have been referred to us, this information will come from your doctor, health professional or the NHS.
We store this information securely on our computerised medical record system called SystmOne.
Purpose - Why do we need it?
We need your contact details and next of kin and doctors’ details so that we can contact you about your care and appointments, and ensure we know who to contact in the event of an emergency.
We need your medical records so that we can ensure you receive the best, safe and most appropriate care and treatment from us either at your home, clinics, within the hospice or Day Therapy Centres.
We need data about your ethnicity and religion so that we can understand the needs of patients from different groups and provide better and more appropriate services; identify patients at risk – some groups are more at risk of specific diseases; and help us to understand your individual needs. It is also a legal requirement to promote equality and to eliminate discrimination.
What is our lawful basis for collecting it?
Contact information – it is in our legitimate interests to be able to administer our appointments and your care in the most efficient and appropriate way.
GDPR reference Article 6(f)
Medical records – it is in both your and our legitimate interests for us to be able to care for you in the best and safest way; and the special category data can be processed for the provision of health and social care (in cases of emergency i.e. in matters of immediate life or death, it can be processed to protect your vital interests)
GDPR reference Article 6(f)
GDPR reference Article 9(2)(h)
GDPR reference Article 9(2)(c)
Ethnicity and religion – this data is processed as it is necessary for a legal obligation (Equality Act 2010) and as special category, for carrying out obligations in the field of employment and social security and social protection (Equality Act 2010)
GDPR reference Article 6(f)
GDPR reference Article 9(2)(c)
Who do we share it with?
Your medical records on SystmOne will be shared with other NHS providers who are involved in your care if they are needed. We will also, where relevant, share your details with any other care agencies, including Social Services, as well as with Clinical Commissioning Groups and Lead Care Providers (who are contracted for care purposes). This is to ensure you are receiving holistic and appropriate care. SystmOne is a secure system with access and password controls.
We will also share some of your details with companies who will need it in order to provide appropriate medical or other equipment for you, for example Home Oxygen providers, compression garment manufacturers and charities. We will only share the minimum data that is required and will ensure that appropriate security measures are applied, for example encryption, secure fax or protected databases.
In some cases we will share your data with relevant authorities so that we can order you required help or services, such as the city and county councils for blue badges, or the Department of Work and Pensions for benefits.
How long do we keep it?
Medical records on service users will be retained in accordance with the national guidance for health and social care records, starting from the date that the provision of care has ended and in compliance with our own data retention policy.
All other personal data will not be kept for longer than it is required and will be securely kept or destroyed in line with the LOROS data retention policy.
National Data Opt Out
How the NHS and care services use your information
Whenever you use a health or care service, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified, in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
hra.nhs.uk/information-about-patients/ (which covers health and care research); and understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your specific agreement.
Health and care organisations have until 2020 to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care. Our organisation is currently compliant with the national data opt-out policy.
Relatives and Visitors
Data Controller: LOROS Hospice
This applies to you if you are a relative, friend or carer of someone who is or who was previously in our care, or are visiting patients at the hospice.
What data do we collect?
The types of personal data that we will collect and process will include: your name, car registration if you have parked here, contact details if you are the next of kin or emergency contact for one of our patients or service users. We also operate CCTV around the hospice.
Purpose - Why do we need it?
When you visit the hospice we need your name and car registration to ensure your safe visit to the hospice and to meet fire and other building safety regulations. We may also need to find you if there is a need to move your vehicle.
We use CCTV for public and staff safety, and to prevent crime.
If you are the next of kin or emergency contact for a patient, we need your contact details in order to be able to get in touch if you are needed in an emergency or other urgent event. If you are bereaved, we will offer you ongoing support and let you know about our remembrance services, book of remembrance and other ways to remember your loved ones such as our Light Up a Life campaign. We will also send you a bereavement card.
If you do make a gift in your loved one’s name, we will record your details to ensure that you do not receive any other communications at a sensitive time.
Please note that details about how much has been raised in a person’s name will only be disclosed to the next of kin, and only the total amount will be disclosed, not individual donors’ information, or amount given.
We conduct research studies in order to improve our service for both patients and their next of kin; and it is possible that we will contact you in the future to ask whether you would consent to participating in a research study or survey to tell us about your experience of the hospice.
If you receive a service from the hospice, such as counselling or complementary therapy, you are a service user and should read the patient and service user section.
What is our lawful basis for collecting it?
Visitor information – as well as being sensible practice, keeping a log of visitors is necessary for a legal obligation (the Regulatory Reform (Fire Safety) Order 2005)
GDPR reference Article 6(c)
It is in our legitimate interests to use CCTV to prevent crime and to keep our patients, visitors, staff and volunteers safe.
GDPR reference Article 6(f)
Next of kin and emergency contact details – this is processed in the legitimate interests of the patient or service user, and will only be used in the event of an emergency or at a patient’s request.
GDPR reference Article 6(f)
It is in our legitimate interests, and those of service users, to use your contact details to ask for your consent to participate in surveys or research.
GDPR reference Article 6(f)
If you are bereaved we will only use your details to offer you services that are in your legitimate interests, and it will be up to you to decide if and how you would like to talk to us about remembering your loved ones.
GDPR reference Article 6(f)
Who do we share it with?
We do not share these details with anyone, unless required to do so by law.
We will only share CCTV images if required to do so by authorised bodies, for example the Police who will only use it for crime detection, prevention or investigation. Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.
How long do we keep it?
Our visitors book is retained for 12 months before being securely destroyed.
A record of bereaved next of kin is securely stored for one year from the date of the remembrance service and then securely destroyed.
If you have made a donation or participated in our Light up a Life campaign, then your details are retained on Raiser’s Edge, our supporter database, indefinitely or until you ask for them to be removed. We will be implementing a data retention schedule shortly for this data. See the section on donors for more details.
CCTV images are kept for 30 days and then deleted, unless there is a specific requirement to retain them for longer, for example where a crime is being investigated.
Supporters and donors
Data Controller: LOROS Hospice
This group includes anybody who has made, pledged or offered to make a financial or non-financial donation of any sort to LOROS Hospice. It also includes individuals who have expressed an interest in supporting our work, have requested information from our Fundraising team, completed an event, sponsorship, or event application form. It does not include Lottery, raffle or scratch card players – who are covered in a separate section.
What data do we collect?
Purpose - Why do we need it?
We need your details so that we can contact you and:
- manage the events that you might be taking part in
- keep you informed of news and developments at LOROS, and to help you to feel connected to our cause.
- promote all the different events, campaigns and activities that we have going on
- thank supporters and showcase the difference your donations make to the organisation and to local people
- showcase our care services and raise awareness of the many ways we can help those living with a terminal illness
- dispel myths about hospice care, encouraging more people to access our care – especially hard to reach groups
- drive traffic to our website to find out more
- ensure that your details are accurate and up-to-date
We want to make sure our communication with you is relevant, and you are hearing about areas that are of interest to you, such as volunteering, events, research and how your support is helping us. To do this we will use data analysis such as profiling techniques and insight companies to provide us with information about you, which you have shared regarding your lifestyle and purchasing habits. We will ensure that any companies that provide us with this information have a proper lawful basis for doing so.
You can opt out of your data being used for profiling. However, this may mean that you stop receiving relevant marketing communications from us or they become more generic and less relevant to you as they are no longer based on your interests in our cause. If you do wish to opt-out please contact our Data Protection Officer using the details at the start of this policy.
We use your details for data cleansing. We want to keep your details accurate and up-to-date – and so we use the Royal Mail's data on re-directing post to ensure that we can maintain contact with you when you have moved. We also use services to notify us of the recently deceased to avoid any distress that continued communications may cause.
Sometimes we use publicly available data (such as contact information) to help us perform due diligence checks, or screening. This is to prevent abuse by fraudsters or criminals posing as genuine donors, or to ensure that there are no conflicts of interest from potential supporters or organisations. We also research trusts and their associated trustees to check their interests and criteria before applying to external grant makers for funding towards the work of the hospice and particular projects. We also research companies and employees prior to writing a sponsorship proposal.
If you request to receive no further information from us, we will also keep your personal data on our suppression list so that we can always ensure that you do not receive any unwanted communication.
What is our lawful basis for collecting it?
GDPR reference Article 6(f)
We will always collect your consent to send you marketing and fundraising information by email, and ultimately by text message. If you have already purchased a product or participated in an event, we will use the ‘soft opt-in’ basis that you have already shown an interest in receiving communications about this relevant product or event; and will continue to send you emails unless you ask us not to.
GDPR reference Article 6(a)
If you have chosen to participate in an event or challenge, and have paid to do so, or bought a product, we will process your personal details as it is necessary for the performance of a contract.
GDPR reference Article 6(b)
Who do we share it with?
How long do we keep it?
Lottery, Raffle and Scratch Card players
Data Controller: LOROS Lotteries Limited
This applies to you if you have previously or currently played the LOROS Lottery, purchased LOROS raffle tickets or scratch cards, or won any cash prizes.
What data do we collect?
Purpose - Why do we need it?
Unless you have asked not to be contacted, we will also use your details to send you news, marketing and fundraising information that we think you will be interested in, including the raffle draws. For further information on this, see the section on supporters and donors.
Raffle ticket customers – we need to process your details to be able to run the raffle draw; to contact you if you are a winner, and to enable the raffle to generate income to run LOROS services. We need your payment details if you are choosing to pay by card, in order to process your payment (please note that these details are destroyed immediately after processing).
If you win over £10 on a scratch card, we need your details in order to be able to pay your winnings via cheque.
If you order scratch cards in bulk, we need your personal details in order to be able to process your order efficiently.
In certain circumstances, we want to promote further income generation and a positive message through marketing case studies on previous lottery/raffle/scratch card winners. We may process your personal details in order to do this, but we will always ask for your consent before any publicity takes place.
We use your details for data cleansing. We want to keep your details up to date, particularly if you have won – and so we use the Royal Mail's data on re-directing post to ensure that we can maintain contact with you when you have moved. We also use services to notify us of the recently deceased to avoid any distress that continued communications may cause.
If you request to receive no further information from us other than about your Lottery account, we will also keep your personal data on our suppression list so that we can always ensure that you do not receive any unwanted communication.
What is our lawful basis for collecting it?
GDPR reference Article 6(b)
We also collect your date of birth as it is necessary for a legal obligation (Gambling Act 2005)
GDPR reference Article 6(c)
It is in our legitimate interests to collect and process your personal data in order to be able to send you relevant marketing and fundraising material (such as raffle tickets) by post.
GDPR reference Article 6(f)
We will always collect your consent to send you marketing and fundraising information by email, and ultimately by text message.
GDPR reference Article 6(a)
If you have already purchased a product or participated in an event, we will use the ‘soft opt-in’ basis that you have already shown an interest in receiving communications about this relevant product or event; and will continue to send you emails unless you ask us not to.
Who do we share it with?
We share your data securely with payment processing companies. These are Secure Collections (for direct debit processing), and RSM 2000 and Sage Pay (for card payments).
We also share your personal details with mailing companies who print and mail out our raffle tickets. The company is chosen prior to each raffle campaign. These details are always transferred securely using encryption or SFTP transfer.
How long do we keep it?
We will be implementing a data retention schedule shortly for this data. Any paper files relating to card payments are destroyed immediately after processing via secure shredding. Other payment details such as direct debit and cash rounds are kept securely for 6 years after processing.
Raffle ticket stubs are destroyed securely 8 weeks after the raffle draw.
Bulk scratch card order forms are retained (minus payment details) for 6 years after the transaction.
Gift subscription order forms are retained for 6 years after the transaction.
Website visitors
Data controller: LOROS Hospice
This applies to you when you visit www.loros.co.uk
What data do we collect?
There are areas on the website where we do ask for and collect your personal data and this will be for a specific reason, for example in contact forms, when you book or pay for an event or when using the online shop.
Purpose - Why do we need it?
We do not use the information to identify anyone who is visiting our website. When we do ask for your personal details, the reason for this will be clear – for example if you are making a query and you require a response; or booking an event and your details are needed to be able to join.
What is our lawful basis for collecting it?
GDPR reference Article 6(f)
Where we ask for your personal details for a specific reason, our legal basis will be stated within the relevant area of the privacy policy (for example if you are making a donation look at the section for donors or if you are shopping online look at shop customers).
Who do we share it with?
When you fill in an online form, data is shared with Wufoo, who provide a web-based program that we use to create forms and surveys on our website. Only information that comes from surveys is stored securely within Wufoo. For contact or query forms, the data will be used to fulfil its purpose (for example to create an email if it is a query, or to go onto our supporter database if it is making a donation) but not stored on Wufoo.
How long do we keep it?
Survey data on Wufoo is currently retained indefinitely, but will be subject to and added into our retention policy in the near future.
Shop Visitors, Customers, and Retail Gift Aid
Data Controller: LOROS Enterprises for store and online shop visitors
LOROS Hospice for Retail Gift Aid
This applies to you if you visit one of our shops throughout Leicestershire and Rutland, and if you browse or use our online store, www.shop.loros.co.uk
It also applies if you register for Retail Gift Aid when you make a donation of goods for us to sell.
What data do we collect?
When you browse our online store, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system. See the section on visitors to our website for more information about this.
When you visit one of our shops, it is likely that there are CCTV cameras recording the entrance and exit points, as well as the tills. Where this is the case, posters will be on display letting you know that CCTV is being used.
When you register for Retail Gift Aid we will collect your name, address and email address.
Purpose - Why do we need it?
We use CCTV as a crime deterrent and for security and safety of the public and our staff. This information is only accessible to and viewed by relevant staff if required.
We use the details you give us when registering for Retail Gift Aid so that we can contact you to ask whether you wish to retain or donate the gift aid proceeds made from the sale of your items, to LOROS. Retail Gift Aid helps your donations go even further to raise vital funds for LOROS. We will also use your details to send you further details about our news, activities and appeals via post, unless you opt out; and by email if you ask us to.
What is our lawful basis for collecting it?
GDPR reference Article 6(b)
It is in our legitimate interests to use CCTV in our stores in order to prevent crime and ensure the safety of our customers and staff.
GDPR reference Article 6(f)
It is in our legitimate interests to contact you and claim Retail Gift Aid so that we can raise even more funds for LOROS; it is also in our legitimate interests to contact you with further news and marketing via post.
GDPR reference Article 6(f)
We will always collect your consent to send you marketing and fundraising information by email.
GDPR reference Article 6(f)
Who do we share it with?
Your data is stored through Shopify’s data storage, databases and the general Shopify application. They store your data on a secure server behind a firewall.
If you choose a direct payment gateway to complete your purchase, then Shopify stores your credit card data. It is encrypted through the Payment Card Industry Data Security Standard (PCI-DSS). All direct payment gateways adhere to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover.
For more insight, you may also want to read Shopify’s Terms of Service or Privacy Statement. Certain third-party service providers, such as payment gateways and other payment transaction processors, e.g. PayPal or your bank, have their own privacy policies in respect to the information we are required to provide to them for your purchase-related transactions. For these providers, we recommend that you read their privacy policies so you can understand the manner in which your personal information will be handled by these providers, and under which jurisdiction they may fall.
Once you leave our store’s website or are redirected to a third-party website or application, you are no longer governed by this Privacy Policy or our website’s Terms of Service.
We will only share CCTV images if required to do so by authorised bodies, for example the Police who will only use it for crime detection, prevention or investigation. Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.
We are required by law to share your details relating to Retail Gift Aid with HMRC (Her Majesty’s Revenue and Customs) after each donation that is made to LOROS.
How long do we keep it?
Unless you have opted out, your contact details will be retained on our supporter database indefinitely, but this is under review in our retention policy.
CCTV images are kept for 30 days and then deleted, unless there is a specific requirement to retain them for longer, for example where a crime is being investigated.
Details for retail gift aid are currently kept indefinitely although that retention period is currently under review.
LOROS Staff, Volunteers and Applicants
Data Controller: LOROS Hospice
This applies to you if you work for LOROS either as a paid member of staff or as a volunteer. It also applies to you if you apply for a job or volunteering role at LOROS.
What data do we collect?
If you apply for a job or volunteering role at LOROS we will collect and store your name and contact details; your employment history; your qualifications; your health data if applicable, your immigration status as well as your ethnicity and other special category data such as disabilities and current salary.
We also use CCTV on hospice and shop premises.
Purpose - Why do we need it?
For volunteers, we need to ensure that we match the right volunteer to the right role, and at the right time.
Staff details are stored securely on our Select HR System. Volunteer details are stored securely on our Raiser’s Edge database.
We also need to be able to respond to reference requests from other employers.
For applicants, we need to be able to contact you to process your application; to ensure we employ the right people with the right skills and qualifications; to ensure that you are eligible to work in the UK; and that we offer any reasonable adjustments you may require during the recruitment process. For some posts we are legally and morally required to collect information about criminal convictions and offences.
We use CCTV on hospice and shop premises in order to act as a deterrent to crime and to keep our staff and volunteers safe. Prevention of crime includes internal fraud and theft, and in shops, cash register points will be monitored by CCTV. Images are only viewed if required.
In certain cases, if considered appropriate, CCTV footage may be used to support disciplinary cases or complaints that involve staff or volunteers.
What is our lawful basis for collecting it?
Special category data is collected and processed for the purposes of obligations and rights in the field of employment and social protection law.
The relevant laws are:
- Sick Pay Act 1994
- Working Time Regulations 1998
- National Minimum Wage Act 1998
- Employment Act 2002
- Agency Workers Regulations 2010
- Pensions Act 2008
- Equality Act 2010
GDPR reference Article 6(b)
GDPR reference Article 9.2(b)
If you are applying for a job or volunteering role at LOROS, we process your personal data because it is necessary for us to perform a contract or to take steps at your request, before entering a contract.
GDPR reference Article 6(b)
We process your special category personal data when you apply for a job or volunteering role, because it is a legal obligation under the field of employment and social protection law to collect information about eligibility to work in the UK (Nationality, Immigration and Asylum Act 2002) and about reasonable adjustments relating to disability (Equality Act 2010).
GDPR reference Article 9.2(b)
It is in our legitimate interests to use CCTV to prevent crime; to keep our staff and volunteers safe; to prevent employee misconduct, ensuring compliance with health and safety procedures, and to defend any legal claims if required.
GDPR reference Article 6(f)
Who do we share it with?
Statistical information (that has been anonymised) about ethnicity and disability is submitted to the Government.
Medical or relevant data will be shared with Occupational Health if a referral is required. Relevant personal data will be provided in response to any reference requests we receive.
Where a DBS (Disclosure and Barring Service) check is required, your data will be shared with the DBS Service to conduct criminal record checks.
We will only share CCTV images if required to do so by authorised bodies, for example the Police who will only use it for crime detection, prevention or investigation. Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing. We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and the Home Office.
How long do we keep it?
For job and volunteering applicants, we keep the data of unsuccessful candidates for 6 months; if you are successful we will transfer your data to your own personal file and it will be treated as the staff data above.
CCTV images are kept for 30 days and then deleted, unless there is a specific requirement to retain them for longer, for example where a crime is being investigated.
Education and Training and PDC Service users
Data Controller: LOROS Hospice
This applies to you if you apply to attend, or attend, a training course at LOROS hospice. It also applies to you if you book and use a room at our Professional Development Centre (PDC).
What data do we collect?
When you book a meeting room in our centre, we will collect your name and contact details, along with finding out any requirements you or your attendees may have.
In one of the meeting rooms, and one of the training rooms, there is a permanent live recording of proceedings; however, these can only be accessed on request or by the relevant people, and are only saved when set to record.
Purpose - Why do we need it?
Unless you choose to opt out, we will also contact you with information about future courses that we think you will be interested in.
When you book a room, we need your contact details to be able to process the room booking appropriately; to invoice and receive payment for the rooms; and to be able to contact you if required. Unless you choose to opt out, we will also contact you with relevant offers and marketing information about room bookings and similar services in the future. Information on special requirements is asked to be provided anonymously and is only to ensure we meet any needs you may have.
Recording in the Saunders Room is there to be accessed should anyone wish to save, keep or broadcast a presentation or meeting. It is not viewed in real time and is only accessible to people with relevant access to the system.
Recordings in the clinical training room are only used for training purposes, and will only be extracted should someone wish to request viewing of their practical training. They are not viewed in real time and are only accessible to people with relevant access to the system.
What is our lawful basis for collecting it?
GDPR reference Article 6(b)
Any special category data relating to requirements such as access is processed for the purposes of obligations and rights in the field of employment and social protection law (in this case the Equality Act 2010).
GDPR reference Article 9.2(b)
It is in our legitimate interests to encourage you to use our training courses again, and to send you news about the hospice and future events. Because you have already been on a training course with us, we will use the ‘soft opt-in’ basis to send you details of other courses that we think you will be interested in.
GDPR reference Article 6(f)
If you are booking a meeting room, we process your personal data because it is necessary for us to perform a contract or to take steps at your request, before entering a contract.
GDPR reference Article 6(b)
Who do we share it with?
Nothing else is shared.
How long do we keep it?
Recordings within rooms are real time only and are only accessible if requested to be recorded and saved. Otherwise they are not available after the event.
Research
Data Controller: LOROS Hospice (for the volunteer database)
Project Sponsor (for each individual research project)
This applies to you if you participate in a research study. You could be a patient, a relative or carer, a member of staff, or a healthy volunteer.
What data do we collect?
Purpose - Why do we need it?
For some studies, usually not patients, we maintain a database of research participants who agree to be contacted with details of further studies in which they may be interested. We will always ask for your consent to keep these details and will contact you every 3 years to ask your permission to keep your details. You may contact the research team at any time to request that your contact details are removed from the database and there will be no further contact from ourselves.
What is our lawful basis for collecting it?
We will always ask for your consent to maintain your details on our database for future studies.
GDPR reference Article 6(a)
Who do we share it with?
Details of who the data may be shared with will be documented in the regulatory applications for each individual study and may vary depending on the study. Each Participant Information Sheet will contain this detail and the consent process will also include this.
For all research studies the consent process will include a specific consent to allow access to your research data to authorised individuals from the Sponsor or Regulatory Authorities for monitoring and audit purposes. This is important as this process ensures that we are conducting the research in line with regulatory requirements and good clinical practice.
If you are on our database for future research participants, we will not share your data with anyone. The database is kept securely and access to it is restricted to essential members of the research team.
How long do we keep it?
Consent to stay on the volunteers database will be refreshed every 3 years, and you will remain on this list as long as your consent is active.