Privacy Notice - Isabel Hospice

Privacy Notice

This Privacy Notice explains how we use personal data about patients, supporters, volunteers and others. You may wish to read the sections most relevant to you using the headings below.

Who we are

In this privacy policy, whenever you see the words ‘we’, ‘us’ or ‘our’, it refers to:

  • The charity Isabel Hospice – Registered Charity number 1046826
  • The company Isabel Hospice Trading Limited – Company number 02417607

Isabel Hospice Trading Limited sells a range of goods through our shop network and online. Isabel Hospice Trading enters into corporate partnership arrangements; all of its profits are passed to Isabel Hospice Charity.

As a charity, we want to provide the best care for all of our Hospice users. To do this we need to generate income and awareness, to ensure that care can continue to be provided free of charge to everyone in our community.

Our commitment to data protection law

Your information is collected, stored and protected in accordance with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the Data Use and Access Act 2025 (which amends UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR)).

The Privacy Policy in brief

It’s important that you read the full Privacy Notice to understand what information we hold, how we may use it, and what your rights are. Personal information is any information that can be used to identify you. Organisations are permitted to process data if they have a legal basis to do so.

A brief summary of the policy includes that:

  • We collect information that is either personal data (such as names, addresses, telephone numbers) or non-personal data (such as your Internet Protocol (IP) address, web pages accessed etc.)
  • To ensure that we can provide the most effective care we may collect information which includes your medical history, medication, allergies.
  • We also collect information about our supporters, donors, fundraisers, volunteers and employees.
  • We collect information to provide services or goods, to provide information, to fundraise, for administration, research, profiling, analysis, and for the prevention/detection of crime.
  • We will only use your personal information for direct marketing in compliance with the UK GDPR and Privacy and Electronic Communications Regulations (PECR). You have an absolute right to object to direct marketing, including any profiling for direct marketing purposes, at any time.

Your information is collected, stored and protected in accordance with the Data Protection Act 2018, the UK GDPR, and the Data Use and Access Act 2025.

We never sell your data, and we will never share it with another company or charity for marketing purposes.

We only share data where we are required by law, when it is needed by other health and care services to co-ordinate and deliver the care you need, or with carefully selected trusted suppliers who do work for us. All our suppliers are required by their contract to treat your data as carefully as we would, to only use it as instructed, and to allow us to check that they do this.

Our websites use cookies – for more information check www.isabelhospice.org.uk/cookies

Patients and Service users

How do we get information and why do we have it?

The personal information we collect is provided directly from you for one of the following reasons:

  • you have provided information to seek care – this is used directly for your care, and also to manage the services we provide, to clinically audit our services, investigate complaints, or to be used as evidence as part of an investigation into care
  • you have sought funding for continuing health care or personal health budget support
  • you have applied for a job with us or work for us
  • you have signed up to our newsletter/patient participation group
  • you have made a complaint

We also receive personal information about you indirectly from others, in the following scenarios:

  • from other health and care organisations involved in your care so that we can provide you with care
  • from family members or carers to support your care

What information do we collect?

Personal information

We currently collect and use the following personal information:

  • personal identifiers and contacts (for example, name, contact details, NHS number)
  • photographic identity (photo ID) (for example, photographs of staff for ID badges or our website)

More sensitive information

  • data concerning physical or mental health (for example, details about your appointments or diagnosis)
  • data revealing racial or ethnic origin
  • data concerning a person’s sex life
  • data concerning a person’s sexual orientation
  • biometric data (where used for identification purposes)
  • data revealing religious or philosophical beliefs
  • data relating to criminal or suspected criminal offences

Who do we share information with?

We may share your information with other organisations directly involved in your care, including via national services such as GP Connect, which enables authorised clinical staff to view relevant information from your GP record for direct care. Sharing respects patient choices and is limited to care settings or statutory purposes (e.g. medical examiner death reviews).

We may also share information with:

  • third party data processors (such as IT systems suppliers)
  • planners of health and care services (such as Integrated Care Boards)

In some circumstances we are legally obliged to share information, for example:

  • when required by NHS England to develop national IT and data services
  • when registering births and deaths
  • when reporting some infectious diseases
  • when a court orders us to do so
  • where a public inquiry requires the information

We will also share information if the public good outweighs your right to confidentiality, for example:

  • where a serious crime has been committed
  • where there are serious risks to the public or staff
  • to protect children or vulnerable adults

We may de-identify your information so it can be used for purposes beyond your individual care (e.g., planning and research) while maintaining your confidentiality.

If you are a patient or next of kin and are already on our supporter database, we will update your record to ensure you do not receive inappropriate communications at a sensitive time. Those who have not previously engaged in supporting the Hospice will not be contacted for marketing purposes. We use your personal information for marketing where you have given us permission or where we are permitted to do so under data protection and electronic marketing laws, such as sending postal communications or making telephone calls where you have not objected.

We send email or SMS marketing only where we hold your explicit consent, in line with PECR rules. From 5 February 2026, charities may use the new ‘charitable purpose soft opt‑in’ for email/SMS — but only where you (a) have expressed interest in, or offered support to, our charitable purposes; (b) were provided with a clear opt‑out at the point your details were collected; and (c) the communication solely furthers our charitable purposes. This soft opt‑in is not retroactive and cannot be applied to individuals already on our database. We will follow ICO’s final guidance once published.

Data used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes; we would only use it in this way with your specific agreement.

What is our lawful basis for using information?

Personal information (Article 6 UK GDPR)

Depending on the activity, we rely on one or more of the following lawful bases:

  • Consent (Article 6(1)(a)) – e.g., for certain marketing communications.
  • Contract (Article 6(1)(b)) – e.g., where we provide paid-for services or manage supporter transactions.
  • Legal obligation (Article 6(1)(c)) – e.g., where the law requires us to process data (courts, HMRC/Gift Aid).
  • Public task (Article 6(1)(e)) – e.g., delivering Care Quality Commission (CQC)‑regulated care in the public interest.
  • Legitimate interests (Article 6(1)(f)) – e.g., day‑to‑day administration, prevention of fraud, or non‑intrusive direct marketing where permitted.
  • Recognised legitimate interests (Data (Use and Access) Act 2025 (DUAA)) – for limited, law‑defined public‑interest purposes (such as safeguarding or crime prevention) that do not require a balancing test. We will only rely on this basis where the law permits.

More sensitive information (Special category and criminal offence data)

  • Employment, social security and social protection (Article 9(2)(b) and DPA 2018 Sch.1).
  • Substantial public interest (Article 9(2)(g) and DPA 2018 Sch.1).
  • Health or social care (Article 9(2)(h) with a basis in law).
  • Public health (Article 9(2)(i) with a basis in law).
  • Archiving, research and statistics (Article 9(2)(j) with a basis in law).
  • Legal claims (Article 9(2)(f)).

How we match purposes to lawful bases

  • Delivering and coordinating care (including Multi-Disciplinary Teams (MDTs) and GP Connect): Public task; Special category: health (Art.9(2)(h)).
  • Safeguarding and prevention/detection of crime: Legal obligation / Substantial public interest; DUAA recognised legitimate interests where applicable.
  • Clinical audit, quality monitoring and CQC compliance: Public task / Legal obligation; Special category: health.
  • Fundraising administration and Gift Aid: Legal obligation (Gift Aid); Legitimate interests (admin).
  • Supporter marketing (post/phone where permitted): Legitimate interests with the right to object; consent where required (email/SMS).
  • Research and planning (de‑identified wherever possible): Public interest / research basis with safeguards; special category under Art.9(2)(j) where applicable.

Common law duty of confidentiality

We satisfy the duty of confidentiality because:

  • you provide consent (implied for direct care; explicit for certain other uses)
  • we have legal authority or support from the Secretary of State (e.g. via Confidentiality Advisory Group (CAG)) where seeking consent is not practicable
  • we are legally required to collect, share or use the data
  • for specific cases, the public interest to share data overrides the duty of confidentiality (assessed case‑by‑case)

How do we store your personal information?

Health and care records are retained in line with the Records Management Code of Practice for Health and Social Care. Other records, including supporter and fundraising data, are retained in line with our internal data retention policy and relevant legal requirements.

National Data Opt-Out

The information collected about you when you use health and care services can also be used for purposes beyond your individual care (e.g., improving quality, research, preventing illness, monitoring safety, planning services). Where possible, we use anonymised data. You can choose to opt out without affecting your individual care,

Donors, Supporters and Customers

We need your details so that we can:

  • manage the events that you take part in
  • keep you informed of news and developments
  • promote events, campaigns and activities
  • thank supporters and show the impact of donations
  • create standing orders or direct debits and process donations
  • showcase our care services and raise awareness
  • claim Gift Aid (for donations and goods donated for sale)
  • arrange collection or delivery for shop donations or purchases
  • ensure we contact you with relevant information and keep details accurate

We rely on one or more of the following reasons to use and share your personal data:

  • Contract – to fulfil arrangements (e.g., monthly direct debit).
  • Consent – to send certain digital marketing (email/SMS).
  • Legitimate interests – to monitor and improve services or send appropriate postal/telephone marketing (you can object at any time).
  • Legal obligation – statutory or legal requirements (e.g., Gift Aid).

What personal information do we hold about supporters?

  • Name and contact details
  • Bank details where needed for payments
  • Your reasons for supporting Isabel Hospice (if you choose to share this)
  • Your profession (if relevant)
  • Contact preferences
  • Age or date of birth (where relevant to participation in an event)
  • Accessibility or medical information (where relevant to an event)
  • Accident/incident details relating to our premises or events

Information about our supporters is held securely on our database (e.g., Raiser’s Edge). If you would prefer us not to store certain information, please let us know.

Building profiles of supporters and targeting our communications

We sometimes use ‘profiling’ (as defined in UK GDPR) to understand supporter interests and tailor communications. If you object to profiling for direct marketing, we will stop this processing immediately, as required under the UK GDPR.

We may use publicly available sources (e.g., Companies House, Electoral Register, LinkedIn, property and political registers, rich lists, news archives) and, from time to time, specialist partners to help us focus our fundraising responsibly and conduct due diligence in line with our Gift Acceptance Policy. You can opt out of this processing.

How we use your personal information for marketing and fundraising

We use your personal information for marketing where you have given us permission or where we are permitted to do so under data protection and electronic marketing laws, such as sending postal communications or making telephone calls where you have not objected.

Sharing your story or photographs

We aim to retain photographs and case studies for up to two years for new use (seeking refreshed consent where we wish to continue using them), and event photography for up to five years.

Isabel Hospice Community Groups

Our community groups are volunteer committees fundraising locally. They operate independently but in partnership with the Hospice, receive our training and comply with data protection law and our policies. Fundraising data is securely shared with us and protected in the same way as all supporter data.

Local Hospice Lottery

We run our lottery in partnership with Local Hospice Lottery Ltd (company number 03226004). If you play, you can choose to share your data with us. Your name, address and marketing preferences may be shared securely and stored on our database. If you cease your contract with Local Hospice Lottery, your data will be shared once again so we can keep our database up to date.

Suppliers who help us deliver services and marketing

We do not share or sell your data to other charities or companies for marketing. We do use trusted suppliers to administer services you’ve requested (e.g., mailing houses, donation processors, event organisers, campaigning tools, website hosts, database support). We also use suppliers for marketing fulfilment (email platforms, mailing houses, telemarketing). All suppliers are contractually required to protect your data and only act on our instructions. Where appropriate we encrypt personal data that we transmit to suppliers.

International data transfers

Some suppliers may process data outside the UK. Where this happens, we use a lawful transfer mechanism such as a UK adequacy regulation, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses. We also assess the destination’s laws and implement additional safeguards where needed.

How we keep your personal information up to date

We have a legal obligation to keep personal information accurate. We:

  • give you opportunities to correct or change your information
  • screen postal data against change‑of‑address datasets where permitted
  • use publicly available information to verify accuracy
  • confirm details when you contact us
  • record and act on undelivered mail or email

Changing your preferences and opting out of profiling

You can opt out of profiling used for direct marketing, which may result in more generic communications. You are welcome to change your contact preferences at any time. If you request no further information from us, we will retain minimal details to ensure we do not contact you in future (suppression list).

Profiling does not involve making automated decisions that have legal or similarly significant effects on you.

How we keep your personal information safe

We take our obligations seriously. Access to personal information is restricted to trained staff and nominated volunteers on a need‑to‑know basis, using role‑based controls that are monitored regularly. Our website and systems are protected against unauthorised access. We require our suppliers to implement appropriate technical and organisational measures and, where appropriate, to encrypt personal data shared with them.

How long we keep your personal information

We keep personal information in line with our data retention policy and applicable codes of practice. In certain circumstances we have a statutory obligation to retain information for a set period (typically six–seven years), mainly concerning financial information such as donations or Gift Aid.

Your individual rights

Under data protection law, you have rights including access, rectification, erasure, restriction, objection, and data portability.

When responding to subject access requests, we conduct a reasonable and proportionate search and may seek to clarify scope to help locate your data more efficiently. Where permitted by law, we may pause the response period while we await clarification.

You have an absolute right to object to direct marketing at any time. This includes any profiling we carry out for direct marketing purposes. When you exercise this right, we will stop using your personal information for marketing immediately.

Automated decision‑making and profiling

We do not make decisions based solely on automated processing that have legal or similarly significant effects on you. If this changes, we will tell you, explain your rights (including to obtain human review, to express your point of view and to contest the decision) and identify the lawful basis relied upon.

Do you have to provide your personal data?

For direct care, if you choose not to provide information we may be unable to assess your needs or deliver certain services safely. For financial transactions, we may be unable to process payments or claim Gift Aid without required information. Where information is optional, we will make this clear.

Where we obtain data from others

In addition to information you give us directly, we may receive data from: other health and care organisations involved in your care; family members/carers; public sources; donation and event platforms (where you have agreed to share your details). We will tell you the categories of data and sources on request.

Controllers and joint controllers

For some activities we act as the controller; for others we may be a joint controller with partner organisations (e.g., NHS bodies for integrated care). Where we are joint controllers, we agree our respective responsibilities and will make the essence of that arrangement available to you on request.

How to raise a concern or make a complaint about your data

Please contact our Data Protection Officer (details below) if you have concerns about how we use your data. We operate an internal data protection complaints process and will investigate and respond. If you remain unhappy, you can complain to the Information Commissioner’s Office (ICO).

Links to other websites

Our website links to other sites not operated by us. This notice does not cover those sites. We encourage you to read their privacy notices.

Contacting us

If you have a query regarding your data, please contact our Data Protection Officer, Karolyn Hallam:
Data Protection Officer, Isabel Hospice, 99 Bridge Road East, Welwyn Garden City, AL7 1GD.
Email: informationsecurity@isabelhospice.org.uk
If you remain unhappy with how we have used your data, you can complain to the ICO (Helpline: 0303 123 1113 | https://ico.org.uk/).

Cookies

We only place non‑essential cookies (such as analytics or marketing cookies) with your explicit consent, in line with PECR and ICO guidance.
Our cookie banner provides clear choices, including a ‘Reject all’ option, as required by ICO enforcement expectations.


Date of last review

This privacy notice was last updated in February 2026 and is due for further review in February 2027.