Privacy Notice for Royal Devon University Hospitals NHS Foundation Trust Charity (Royal Devon Hospital Charity)
This Privacy Notice tells you how the Royal Devon University Hospitals NHS Foundation Trust Charity (registered charity number 1061384) uses and manages the personal data or information we hold about you and how we are committed to ensuring that your privacy is protected. The charity will operate under Royal Devon Hospitals Charity.
If we ask you to provide certain information by which you can be identified, it will only be used in accordance with this privacy statement and with current Data Protection Laws.
What is a ‘Privacy Notice’?
A ‘privacy notice’ describes how we use and share the personal information we hold about our service users, doner, the public and staff.
A privacy notice is a legal requirement under Data Protection legislation and is here to help you be aware of your rights, our duties and how we protect your privacy by keeping your information confidential and secure. Under this legislation, the Royal Devon is the data controller of this information.
Who we are?
We fundraise over and above what the NHS is able to provide to make a real difference to our patients, their families, and our amazing staff that treat them.
The NHS body is the sole charity trustee of the charitable funds in its corporate capacity. There is a Charitable Funds Committee which reports back to the full board (NHS Body) on issues such as setting the charity’s strategy, policies and budgets and overseeing the charities operations.
What personal information do we collect about you and how do we obtain it?
Personal information identifies a living individual, so any of your personal information that can be attributed to you personally in both electronic and paper records. Organisations that use personal information must do so in line with the provisions of the UK GDPR and Data Protection Act 2018.
Examples of the personal information that we may hold about you are:
- Full name and title.
- Contact information including address and postcode. This can also include a place of work.
- Phone numbers and email addresses.
- Bank account details (if donating by debit or credit card/setting up a direct debit for regular donations).
- Date of birth.
- We may collect information relating to your health (for example if you are taking part in an event or volunteering for us).
- Emergency next of kin details (if you are volunteering for us).
If you sponsor a person or donate via one of our online giving platforms, such as Enthuse and you indicate that you would like to hear from us, then they may pass on your contact details to us so that we can tell you more about our Charity. You should check the Privacy Statements of sites such as Enthuse before you give them your information.
Why we collect information about you?
We may use personal information for the following reasons:
- Internal record keeping.
- To thank you for your donations, volunteering, or other support.
- To respond to you if you have made an inquiry.
- We may share your name, and details of your donation, with the Royal Devon and Exeter NHS Foundation Trust to ensure your donations are used according to your wishes. This will be limited to executive members of staff only. You can let us know if you would prefer for your details to remain anonymous and we will always respect your wishes.
- If you start filling in a form on our website but don’t complete it, we may contact you to find out if there is a problem with our website, and to ask if we can be of any help.
- If you agree to sign up for Gift Aid, we may collect information such as your name, address, and confirmation that you are a UK taxpayer, to claim the tax back on your donation.
We may use your personal information to send you direct marketing communications about our charity’s activities, events, and fundraising appeals. This may include emails, postal mailings, and phone calls. We will always give you the option to opt out of receiving these communications and we will never sell or share your personal information with third parties for marketing purposes.
What is our legal basis for processing personal data about you?
All the personal information that we collect, and use is handled in accordance with the Data Protection Act principles. These state that personal data processing must be:
1. Lawful and fair.
2. Specified, explicit, and legitimate.
3. Adequate, relevant, and not excessive
4. Accurate and kept up to date.
5. Kept for no longer than is necessary.
6. Held securely.
We process your data as described in this Privacy Notice because we have a legitimate interest to meet our charitable objectives. Some processing of data may be carried out to perform a contract with you, or it is required by law, such as the completion of due diligence, or obligations for processing Gift Aid on your donations.
We will only use your email to contact you for fundraising or marketing purposes if we have your explicit consent.
We may also undertake postal marketing communications where we have your consent or have a legitimate interest to do so. For example, in some cases, we may not yet have received consent from you to contact you, but feel that you may be interested in our communications, for example, if you have recently supported us in some way, perhaps by donating or signing up for a fundraising event. We will always carry out an assessment beforehand to ensure that the way we use your data is fair and does not exceed what you would reasonably expect to receive from us.
To opt out of receiving marketing communications, please email firstname.lastname@example.org or call 01271 311 772. You will always be given the opportunity to opt out of communication by any channel, at any time, and we will always make it clear to you how to do this in our correspondence.
Who do we share personal information with and why?
We may share your name, and details of your donation, with other areas of the Trust, that sit side outside of the charity. You can let us know if you would prefer for your details to remain anonymous and we will always respect your wishes. We do not share personal data outside of the Trust.
How do we keep your personal information safe and secure?
Our staff are trained to handle your information correctly and protect your privacy and keep your information secure. We aim to maintain high standards and regularly check and report on how we are doing. Where we fall below acceptable standards we investigate and report serious incidents to the Information Commissioner’s Office (ICO). We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
As an individual interacting with us, we want you to know that we take your privacy seriously. We understand the importance of protecting your personal data and complying with the Privacy and Electronic Communications Regulations (PECR). Our commitment to your privacy is a core part of our values as a Charity, and we will ensure that we operate in an open, transparent, and responsible manner in all our electronic communications with you.
Royal Devon Hospitals Charity ensures that your data will always remain secure. Information collected via our NISYST POS (point of sale) systems will be secured on a cloud-based Microsoft Azure encrypted server for information-related transactions and Gift Aid. Information collected via our website and Enthuse will be stored via Harlequins CRM (Customer Relationship Management) software and stored on secure encrypted servers hosted by Royal Devon University Hospital Trust.
How long do we keep your records?
We do not keep your records for longer than necessary. All our records are destroyed in accordance with the NHS Retention Schedules, which sets out the appropriate length of time different types of records are retained. If you have provided information for purpose of Gift Aid, Royal Devon Hospitals Charity must keep Gift Aid declarations and records until six years after the end of the accounting period they relate to. All records are destroyed confidentially once their retention period has been met and the Trust has made the decision that the records are no longer required.
What are your information rights?
You have a number of rights under the Data Protection Act:
1. To be informed why, where, and how we use your information.
2. To ask for access to your information.
3. To ask for your information to be corrected if it is inaccurate or incomplete.
4. To ask us to restrict the use of your information in certain circumstances.
5. In limited circumstances to ask us to copy or transfer your information from one IT system to another.
6. To object to how your information is used.
7. To challenge decisions made without human intervention (automated decision making).
How do I obtain a copy of my personal information?
Our contact details:
Royal Devon University Hospitals NHS Foundation Trust Charity
The Charity Fundraising Office, Room E121
Royal Devon University Healthcare NHS Foundation Trust
Barrack Road, EXETER
By email: email@example.com
Web pages: firstname.lastname@example.org
Data Protection Officer:
If you have any questions or concerns about how we manage your information, then please contact the Data Protection Officer for our Trust:
Data Protection Officer – Rhiannon Platt
Royal Devon University Healthcare NHS Foundation Trust
Information Governance Office
Royal Devon and Exeter Hospital (Wonford)
By email: email@example.com
Information Commissioner’s Office:
The Information Commissioner’s Office (ICO) is the body that regulates Data Protection and Freedom of Information https://ico.org.uk/ .
If you are not satisfied with our DPO response or believe we are not processing your personal data in accordance with the law, you can complain to the ICO at:
Information Commissioner’s Office
Tel: 0303 123 1113
For the latest and most up-to-date version of this Privacy Notice, please visit our website. Please note that this Privacy Notice is subject to change in the event of any updates or modifications to our processes.