Last updated: 11 April 2022
What is a 'privacy notice'?
A ‘privacy notice’ is a statement issued by an organisation which explains how personal and confidential information about individuals and organisations is collected, used and shared. This Privacy Notice is for Portsmouth Hospitals Charity (or Charity) and relates to the information we collect about individuals and organisations who engage with the Charity. This could include activities relating to:
Who are we and what do we do?
Portsmouth Hospitals Charity is the main charity of Portsmouth Hospitals NHS Foundation Trust. The Charity supports the work of Portsmouth Hospitals University NHS Trust (the Trust). The Trust has issued a separate privacy notice located here. For the purposes of this Privacy Notice the terms ‘we’, ‘us’ or ‘our’ refer to both the Charity and Trust (as Corporate Trustee of the Charity).
We function in accordance with the requirements of the Charities Act 2016 and we are regulated by the Charity Commission (registration no. 1047986). The Charity manages the receipt and distribution of charitable donations. The Charity distributes donations in the form of grant funding to enable the provision of improvements to facilities, equipment and services provided by the Trust and those who support these activities to enable patients to get treated faster and in greater comfort. The Charity supports all wards and departments of the Trust and aims to improve facilities, equipment and patient experience.
Why have we issued this notice?
This Privacy Notice demonstrates the Charity’s commitment to openness and accountability. We take the legal requirement to protect personal and confidential information in all that we do extremely seriously and take the necessary steps to meet our legal duties including compliance with:
- Accessible Information Standards
- Common Law Duty of Confidentiality
- Computer Misuse Act 1990
- Copyright Design and Patents Act 1988
- Data Protection Act 2018
- Freedom of Information Act 2000
- General Data Protection Regulation 2018
- Information Security Code of Practice
- Public Records Act 1958
- Records Management Code of Practice
How do we collect your information?
Depending on how you engage with the Charity, you may provide us with your information to:
- Make a donation
- Buy an event or raffle ticket
- Request promotional materials for ‘in aid of’ events
- Register your own charitable event or fundraising page
- Register to receive a newsletter
- Volunteer for the Charity
In the examples above, we will ask you to provide us with some of your personal information in order for us to process your request. This information may be supplied to us directly from you including submission via:
- Telephone; or
- Face-to-face discussions with you
- Charity/Trust webpages
You may also provide information to us by engagement with relevant third-parties e.g. Eventbrite | Facebook | JustGiving | Much Loved | Enthuse| PayPal and/or external event organisers you sign up with for participation in events ‘in aid of’ Portsmouth Hospital Charity. If you choose to use a third party website to provide us with your information or donations, please make sure you read their privacy notice as this will explain how they collect and process your information.
What information do we collect?
The Charity will only collect the minimum information we require about you for the purpose it is being obtained.
This may include details such as:
- Your name and contact information (e-mail, address and telephone number);
- Your interests including: (i) wards and departments that you are keen to support (ii) hobbies of interest to you aligned to Charity events (e.g. running or cycling) which may impact on allocation of you donation(s);
- Donation information including: amount and gift aid eligibility, consent and declaration information; and,
- Media consent information.
For monitoring purposes, we may also be required to collect your date of birth where it is necessary for an age specific/restricted event or activity. Should you wish to make a donation to the Charity directly using a debit or credit card, we will collect the necessary payment from you to process this transaction.
When you interact with Charity/Trust webpages, we may collect statistical data about your online visit. This may include details such as:
- the address of the website through which you gained accessed (for example, if you linked to our website through a Google search),
- the date of your online visit and the internet browser that you used.
No personal data which directly identifies you is collected.
Does the Charity have access to my Medical Records?
No. The Charity will never access medical records held by the Trust to collect your information.
What about photographs we take?
As part of activities and events run by or involving the Charity we may take photographs which could include you and/or general members of the public. Official photographs taken on behalf of the Charity are only obtained by a specifically appointed person. Photographs taken by other fundraisers or general members of the public for personal/domestic purposes do not fall within the responsibility of the Trust/Charity and are therefore not included within the scope of this Privacy Notice.
We will endeavour to make individuals aware if/when official photographs or videos are being taken by the Charity and how the photographs might be used (e.g. uploaded online, used in newsletters and on social media). These photographs are taken for genuine and reasonable purposes as part of the legitimate interests of the Charity (for example to promote the activities and impact of the Charity/Trust and inspire further donations. Individuals will be made aware of their right to decline being part of the photograph/having their photograph taken.
Parental permission will be obtained for photographs of children under 18 years through a specific consent form (subject to the nature of the event).
Official photographs taken on behalf of the Charity are used for promotional purposes to raise awareness of the Charity, its activities and also to encourage fundraising. To enable this, photographs may be uploaded to the following websites, which are publicly available for anyone to view without an account/login:
Portsmouth Hospitals Charity
Why do we collect your information?
We will only process your personal data when the law allows us to. Under this Privacy Notice, this includes:
- Where you have provided your consent (for example, through a form or other declaration)
- Where it is necessary for our legitimate interests (i.e. it is of clear benefit to us or a third party, the privacy impact on you is limited and it is a reasonable expectation)
- Where we need to comply with a legal or regulatory obligation (for example, for the prevention and detection of fraud)
- We collect, store and use the minimum amount of personal information required in order to help us manage the Charity and to fulfil your requests - including processing donations, gift aid, newsletter requests, events and enquiries. If you have made a donation or have raised money for us, we will also thank you either by e-mail and/or post.
- Where we have your consent, we may also use your information to keep you up to date on our work supporting the Trust. For example, we may contact you with details about future events, other activities and appeals.
How do we keep your information safe and maintain confidentiality?
Under the Data Protection Act 2018 and General Data Protection Regulation (GDPR), there are strict principles which govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All of our records are restricted so that only those individuals who have a legitimate need to know can get access to the information. This might be through the use of technology or other environmental safeguards.
All systems access is governed by strict controls which are compliant with our information governance and IT security policies. Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide to us in confidence will only be used in connection with the purpose for which it was provided, unless we have specific consent from you or there are other special circumstances covered by law.
Under the NHS Confidentiality Code of Conduct, all of our staff are required to protect information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Every NHS organisation has a senior person that is responsible for the overall protection, security and confidentiality of information. This person is known as the Senior Information Risk Owner and sits within our Governance Directorate at the Trust.
Where your information is stored and for how long is it kept?
Your information may be stored within electronic and/or paper records, depending on how and where it was collected. These records are maintained by the Trust/Charity. Under the NHS Records Management Code of Practice, we are required to retain information for a specific minimum period after the processing has finished. The exact retention period will vary depending on the information type and purpose of processing. The information you provide to the Charity for the purposes described in this notice will be held for a minimum of six years.
When information has reached the minimum retention period and is assessed as no longer being required, it is permanently deleted (electronic) or disposed of via confidential shredding bags (hard copy). If you would prefer not to have your information held for the period specified above, you have the right to request that your information is deleted earlier. To do this, simply contact the Charity using the details provided at the end of this notice. We will endeavour to process your deletion request within 28 calendar days, and will confirm to you in writing when this has been completed.
Do we share your information with anyone else outside the organisation?
As part of our legal duty to protect the charitable funds that we administer, we may be required to share your information with other relevant external bodies for the collection of funds or for the prevention and detection of fraud. Where mandatory disclosure is necessary only the minimum amount of information is released. If you have opted in to receiving e-mail communication from us, we may send you e-mails directly through the Trust’s e-mail servers. As part of our activities we engage with external event organisers for certain activities and occasions. Where you have registered for any of these events or indicated an interest to get involved, it may be necessary for us to share your details with the relevant external organiser(s).
This will be made clear at the time of your registration and only the minimum data necessary will be shared for the purpose of managing the event.
All sharing of information, both internally and with any third parties is completed using secure methods and governed by strict controls to ensure appropriate protection at all times. Unless there is a valid reason permitted by law, or there are exceptional circumstances (such as a likely risk to the safety of you or others), we will not disclose to any other third parties any of your information which can be used to identify you without your consent.
We will never sell your information for any purpose, or provide third parties with your information for the purpose of marketing or sales.
Do you have any control over how we use your information?
Under the terms of the Data Protection Act 2018 and the General Data Protection Regulation, you have a number of rights in relation to your personal information and how it is used. Under GDPR you have the right to access the information we hold about you, both in paper and electronic formats. We may not be able to supply you with some information if:
- it has been provided by someone else who has not given permission for you to see it
- it relates to criminal offenses
- it is being used to detect or prevent crime
- it could cause physical or mental harm to you or someone else.
Your additional rights under GDPR
- The right to be informed how we collect, use, store and share your information in a clear and transparent manner
- The right to access to the information we hold about you
- The right to rectification in specific circumstances
- The right to erasure in specific circumstances
- The right to restrict processing
- The right to data portability
- The right to object to processing
- The right not to be subject to automated decision-making including profiling.
How can you make a complaint?
You have the right to make a complaint if you feel unhappy about how we hold, use or share your information. Depending on the nature of your complaint, we would recommend contacting the Complaints Team who will help you to identify the most appropriate procedure to follow based on the specifics of your complaint. Alternatively you may wish to contact the Information Commissioner’s Office directly via the contact details below. Please note that the Information Commissioner will not normally consider an appeal until you have exhausted your rights of complaint to us directly.
Information Commissioner’s Office
Phone: 0303 123 1113
Should you feel that our response to a complaint you have made is unsatisfactory you can contact the Fundraising Regulator via:
49-51 East Road London
Phone: 0300 999 3407
How do I contact the Charity?
You can contact the Charity via:
Portsmouth Hospitals Charity
Queen Alexandra Hospital
Tel: 023 9228 3392