Privacy Policy

Saint Francis Hospice Privacy Policy

Saint Francis Hospice takes privacy and the protection of personal and sensitive information seriously. We are committed to protecting your data and complying with the data regulations to their full extent.

Our Privacy Policy explains how we use and protect your personal information, to show that we are adhering to the new General Data Protection Regulations (GDPR), which came into force in May 2018 and includes information relating to your enforceable rights.

The Data Protection Act 2018 requires every organisation that processes personal information to be registered with the Information Commissioner's Office (ICO). Our registration number is Z7709195 and you can find us on the Information Commissioner's register by clicking here and searching for us by using our registration number.

Who are we?

Saint Francis Hospice is a registered charity (Registered Charity Number 275913) committed to providing outstanding, person-centered care to those affected by any life-limiting illness. We are only part-funded by the NHS and rely heavily on supporters and the ability to fundraise to generate the millions of pounds needed each year to keep our services free of charge.

Our Caldicott Guardian is our Director of Quality, Care and Support Services.
Our Senior Information Reporting Officer (SIRO) is our Director of Finance and Company Secretary.
Our Information Governance Lead is our System Applications Manager.

Our promise to keep your information safe

  • We will keep your information secure and confidential.
  • You are in control of how we communicate with you - you can opt in or out or change your preferences at any time.
  • We will not sell your data to a third party.
  • We will not swap your data with a third party.
  • We will train our staff to ensure that they know how to manage your information appropriately and in line with regulations.
  • We will ensure that any external organisations we share data with; in line with the statements set out below, are subject to a data privacy impact assessment and to ensure they follow the same measures set out by the GDPR
  • Any credit or debit card transactions with us are secure and encrypted and comply with the Payment Card Industry Data Security Standard.
  • The locations and systems used to store any personal information, will be compliant with the General Data Protection Regulation.

The ability to raise this money affects the levels of care available and the future success of the hospice is dependent upon the ability to engage with you and communicate for supporter and fundraising purposes.

If the hospice were not able to process your information for this purpose it would have a detrimental effect on our ability to raise the funds that pay for hospice services in cost effective ways. It will also mean that we cannot send you the information you want to receive or tell you about how your support is helping others under our care.

We promise to respect the data you share with us and will always keep it safe.

Why do we collect information about you?

There are different reasons and purposes for collecting information about individuals and how we process that information thereafter. The information that we hold, collect or source may be used for different purposes dependant on the type of data and where it was sourced. The purposes and types of data we collect are as follows:

- Service Users
For providing one or more of our services, the effective provision of personalised care and to comply with clinical reporting requirements.
We may collect personal-sensitive information relating to ethnicity, faith, gender, family life, health and care, received for statistical and reporting purposes.

A service user could also be registered as a supporter.

- Primary Contacts
For providing information and updates regarding the service users in our care and for the opportunity to further develop relationships with primary contacts.

A primary contact is an individual identified by a service user as a key person to contact in relationship to themselves. A primary contact could also be registered as a supporter or other individual.

- Supporters and Volunteers
For developing our relationships with our supporters to engage their support in any way, but also for targeted fundraising, to raise income and providing information on hospice services, news and developments and how they can help.

A supporter is defined as any individual or organisation such as, limited companies, schools and colleges etc who have made or offered to make a financial or non-financial transaction of any sort to Saint Francis Hospice to help further the charity cause. They will also be individuals who have expressed an interest in supporting our work, through volunteering, or have requested information from our fundraising team with a view to supporting the hospice financially or physically.

- Education
For providing educational services to both staff and external bodies.
This could relate to individuals who register and/or attend educational courses, those who make room bookings as well as to manage all staff and volunteer training requirements.

- Employees
For maintaining employment records managed by Human Resources, such as salary, grading, skills, qualifications and availability. We will also occasionally retain records on prospective applicants.

Employees are individuals who are or were employed by Saint Francis Hospice. This definition includes contractors, agency staff, freelance and bank staff. It will also include individuals who have expressed an interest in working for Saint Francis Hospice but were unsuccessful or chose not to pursue their application.

What information do we collect?

Saint Francis Hospice is what is known as the 'controller' of the personal information you provide to us. We will usually collect basic personal data about you such as:

  • Name
  • Postal address
  • Telephone number
  • Email address

We will also collect more sensitive information such as:

Service users

  • Date of birth/Age
  • Gender
  • Ethnicity
  • Faith
  • Medical conditions
  • Emergency contact details of a friend/relative
  • Details of clinical interventions
  • Summaries of social work support provided
  • Medical histories
  • Personal stories and testimonials


  • Date of birth/Age
  • Gender
  • Bank Details
  • Donation Amounts
  • Ethnicity
  • Faith
  • Council tax bands
  • Wealth
  • Communication preferences
  • Key relationship
  • Gift Aid status
  • DBS Screening
  • Shopping Habits
  • Motivations for supporting the hospice
  • Personal stories and testimonials


  • Date of birth/Age
  • Gender
  • Ethnicity
  • Sexual Orientation
  • Faith
  • Salary
  • Pensions
  • Payroll Giving
  • National Insurance
  • Tax Codes
  • DBS Screening
  • Occupational Health
  • Disabilities
  • Performance information
  • Qualifications, Skills, Experience and Work History
  • Current Level of Remuneration
  • Entitlement to Work or Volunteer in the UK
  • Personal stories and testimonials

Professionals & Students

  • Job Title
  • Employer

How do we acquire your information?

Initial Data Capture
Service user information may be captured directly from you, a loved one, family member or other legal guardian through sources such as our website, telephone or written communication.

Information about you concerning your health or information required to provide you with health and social care services, may also be sourced directly or indirectly from your doctor, health professional, care providers or from the NHS through sources such as our website, telephone, NHS Email or written communication.

Information relating to primary contacts in relation to service users and other relatives that are already in the possession of Saint Francis Hospice due to health or care service provision will be used to communicate with individuals under our legitimate interest. We may communicate with you from time to time via telephone to verify this information is accurate and to ascertain contact preferences.

Supporter information may be captured directly from you or your representative when you come into contact with the Organisation.

This capture may be sourced from any of the following list which is not exhaustive:

  • Enquires
  • Requests for details
  • Fundraising activities
  • Shopping activities
  • Volunteering activities
  • Events, enquiries and participation
  • Lottery membership
  • Regular giving
  • Online donation platforms
  • General donations
  • Surveys
  • Financial and non-financial support
  • Donations made in memory
  • Response to education awareness

Information on employees is predominately sourced directly from the individuals and prospective candidates from their application form.

Information on employees and volunteers may be acquired from references, DBS checks, NHS Jobs, CV's, identifying documents and occupational therapy reports. Details may also be obtained for managerial/supervision purposes throughout the course of employment or volunteering at the hospice and kept on personnel files. This information can come from sources such as interviews, one-to-one meetings, performance management and appraisals.

Cold Data
There may be occasions where names and contact details are sourced on individuals from reputable database marketing companies for the purpose of increasing the numbers of supporters and awareness of our charitable aims. Personal data will only be purchased after due diligence and DPIA's are complete to ensure the information complies with all relevant legislation and guidelines.

Strict contractual obligations govern the use of this information including how long the information is retained and how it is to be destroyed. The individuals sourced this way will only be added to our supporter database if they respond to the written communications they receive and indicate that they wish to hear from Saint Francis Hospice in the future. At all times any information sourced in this way will receive full protection under the Data Protection Act.

What do we do with your information? - Lawful basis

Before we do anything with your data, we must ensure we use it correctly. The GDPR defines how we are to use your information by enforcing a lawful basis for processing data. There are a number of lawful processes within the GDPR, however in most cases we will only use either consent or legitimate interest.

Legitimate Interest
Legitimate interest is the most flexible of the GDPR's lawful bases for processing personal data. Theoretically, it applies whenever we use your data in a way that you would expect.

In general, the condition applies when:

  • Processing your data is not required by law, but there's a clear benefit for us to do so.
  • There is little risk of this processing infringing on your privacy.
  • You would reasonably expect your data to be used in this way.

We can use legitimate interest to process your data except where such interests are overridden by your fundamental rights and freedoms or where they conflict with the GDPR principles.

For instance, we would never use legitimate interest to process any data collected from you in relation to hospice services for the purpose of fundraising. This would be in direct violation of the purpose limitation principle.

Saint Francis Hospice is a local registered charity that believes it is in the best interests of local people to know about hospice services in their area and associated need for support.

Saint Francis Hospice believes that this is grounds for legitimate interest and a justified basis for communicating with you. Information you provide will only be used for the Legitimate Interests of Saint Francis Hospice.

Some examples of how we process data using legitimate interest would be:

  • Sending direct marketing material to supporters by post for fundraising purposes
  • Conducting research to better understand who our supporters are and better target our fundraising activity
  • To contact you by phone or post, to confirm any of your details and communications preferences
  • Sending relevant communications to a generic work email address
  • Staff recruitment and taking applications for volunteers and contacting volunteers about their role
  • The use of CCTV recording equipment in and around our premises for monitoring and security purposes
  • Promotions on social media, Google, YouTube and other online platforms
  • We would only use legitimate interest to contact you by post or a non TPS registered telephone number.

We will use consent primarily with our direct marketing and recruitment processes. We will need your consent before we can send you marketing texts, emails or faxes, make calls to a number registered with the TPS, or make any automated marketing calls under PECR (Privacy and Electronic Communications Regulations), or for storing your recruitment data for future opportunities. We will also usually need consent should your details need to be passed on to another organisation under the first data protection principle; This being to process lawfully, fairly and in a transparent manner in relation to individuals.

Consent must be knowingly and freely given, clear and specific. We will keep clear records of what you have consented to, and when and how this consent was obtained. You have the right to check or change your consent preferences at any time by contacting us by post to Information Governance, Saint Francis Hospice, The Hall, Havering Atte Bower, Romford, Essex RM4 1QH or by email to

Information will also be processed, where required, to comply with any legal obligation such as by Court Order.

Information will be processed in respect to a contract agreement such as an employment or third-party contract.

How else do we use your Information?

Records Management
We are required by law to process our supporters' information to effectively manage and account for any donations, pledges, memberships, event participation, ticket sales or sales of goods, gift aid, lottery, interactions to maintain accuracy of records and thanking you for your support.


We may also work with database marketing agencies to screen records against national deceased and gone-away, telephone preference service registers to help keep our records accurate and up to date.

Any information sourced from database marketing companies will only take place following strict due diligence procedures such as Data Privacy Impact Assessments to ensure the information that we receive is compliant with data protection laws.


Any employment information collected or requested will only be used for the purpose of recruiting, management and dismissal of employees or volunteers.
Personal and sensitive information will also be used for statistical reporting but only in anonymised form to protect and respect your right to privacy.

Dependant on the lawful basis, we may on occasions work with marketing agencies to help refine:

  • Communications we wish to send out
  • Supporter preferences that help give you communications that we think will be of interest
  • To understand market trends to manage our supporter communications, engagement and fundraising practices.

We may also from time to time to send communications of a marketing or fundraising nature that may include requests for financial support or to join our lottery membership, to support an appeal, attend an event or purchase raffle tickets or sign up to education events and/or courses.

Your data may also be used for financial analysis and trend performance, profiling and segmentation purposes to satisfy our business and strategic objectives.

This may be done by enhancing the information that we hold about you or about where you live. For example, adding information or flags from census data such as council tax bands, age or household income through to wealth screening.

Profiling information in this way keeps our information up-to-date and means that we are more efficient with our fundraising efforts through cost effective, relevant, appropriate and timely communications.


Information Sharing
Information about Service Users is kept securely on our Patient Administration System. It is recognised that there will be cross over between this system and our CRM (contact relationship management) database, with the potential for a service user or their family/loved ones or other primary contacts to also be supporters in their own right.

We may from time to time communicate with service users primary contacts, by phone or post to confirm their details given and seek their consent and preferences to add them to our CRM database with the potential for supporting the hospice and furthering our care services.

Saint Francis Hospice may share your clinical information, with other NHS Healthcare Service providers and Health Care Agencies for the holistic provision of care or for statistical reporting requirements. Your information will only be shared under strict guidelines to protect your privacy and right to confidentiality and to restrict the purpose(s) for which your information is used.

Any clinical data that we share with the Clinical Commissioning Groups and Lead Care Providers who we contract with for funding purposes would be anonymised and it will not be possible to identify you.


Any sharing of information is in compliance with data protection and privacy laws and where possible, we will minimise the amount of information shared or anonymise records so as not to identify an individual. These precautions and others such as data encryption and information labelling will be applied to protect your personal information.


Information about active employees and supporters, held on paper files or HR, CRM and EPOS (electronic point of sale) databases will only be shared externally with agencies that we rely on to carry out our communication activities. For example, name and address details of individuals that we wish to post information to must be sent to our print and mailing house to fulfill this purpose.

Some information will be shared with Occupational Health for the purposes of determining ability to work and undertake specific tasks, or with the Disclosure and Barring Service if applicable.

Information will also be shared internally with other departments such as volunteering.

Agencies that we work with will support us through email delivery platforms, data analysis and insight, direct marketing, external lottery management, and a range of online fundraising platforms.


Any information shared to support the furtherance of the work of the hospice is carried out under contract and with data sharing agreements or non-disclosures in place, with Saint Francis Hospice remaining in control of your information at all times.


Any external agencies that we may share your data with, would be subject to strict due diligence processes and approved completion of data privacy impact assessments.

For clarity purposes, information is never shared with any other organisation for their own purposes.

Profiling and Wealth Screening

Saint Francis Hospice may occasionally conduct profiling either on an anonymous or identifiable basis to better understand who our supporters are and to continually strive to make our fundraising efforts as relevant and effective as possible.

Profiling can involve a selection of different actions that may or may not include the use of individual personal data or automatic processing of such data. For example, segmenting supporter data by group or combining data relating to specific supporters with other data available from external sources to build up an individual profile of them. For example, Companies House, the Electoral Register, and social media. We believe we have a legitimate interest in profiling supporters to carry out wealth screening. By doing this, we can focus conversations we have with you in the most effective way and ensure that we provide you with an experience as a donor or potential donor which is appropriate and relevant to you.

Building a Profile
For us to create a profile for you, we or our trusted service providers may use the information which you give us, and which we collect from external resources, such as Experian or Companies House etc, including information that is available in the public domain. We may also combine your information with data already held internally by Saint Francis Hospice, such as our CRM database or recommendations by our volunteers. 

What profiling information do we process?
We may build a profile based on some or all of the following information:

- Information you may have already given to us, including:
o Name
o Address
o Age
o Gender
o Donation History
o Event History
o Communications
- Information from external sources, including:
o Employment
o Position
o Average Earnings 
o Property Prices
o Estimated total wealth


For example, if you are one of our existing supporters then we may match your postcode using Experian's MOSAIC tool to get information about you and which market segment you come under This includes categories such as household income band, household composition and other demographic information.


How do we use profiled data?
We will use the information from our own CRM database and what has been collected externally for analysis to help us segment our supporter database and to put you into categories with other supporters that are similar to yourself.

This may be based on:
- Minimum one-off donation amounts of £1000.00.
- Donation value over time
- Repetition of donations
- Trends in donations


We may engage independent companies to use, software tools and predictive analytics to help us establish who is most likely to donate to us and to target our engagement more accurately with you. These tools will only use the data we already hold about you, but may also obtain data from external sources, as listed above.

Once a profile has been created, we will write to you or if you are an associate to one of our Patrons or other hospice stakeholders. then we may make contact by phone to ask the following:
- Asking our existing high value donors to give again
- Inviting potential high value donors to attend our supporter events as a way of engaging with them.
- Asking our donors and influencers to open up their networks to us


When should we tell you we are profiling data?
We will always respect our donors and ensure we have carried out due diligence prior to contacting you in order to protect our reputation and integrity. This may include delivering our privacy notice to you in a layered approach, so you are aware at all times as to how your information is being handled and to provide you with excellent stewardship.

Under article 14 of the GDPR we must inform you within one month of starting any processing that we are profiling your information.

Your right to be excluded
We will flag any potential high value donors on our CRM database, however if you no longer wish to have your personal data used in connection with any of the following profiling activities you are free to let us know us at any time by contacting our Supporter Data team on or calling 01708 753319.

Please note that any profiling does not affect any legal duties that we owe to individuals in respect of the collection, holding and processing of their personal data under the Data Protection Act 1998 (DPA) (and also under the EU General Data Protection Regulation from May 2018 (GDPR)). Please note that we continue to respect your privacy rights at all times in accordance with the DPA, GDPR and other applicable law and as set out in our Privacy Policy.

Retention of data

Various criteria is taken into account when determining the appropriate retention period for personal data that include the following:

  • the purposes for which personal data is handled and how long we need to keep the information to achieve these purposes
  • for how long personal data might be needed to support any possible future legal obligations
  • any relevant legal, accounting, reporting or regulatory requirements which stipulate how long certain information must be kept

We will also use NHS Records Management Code of Practice 2020 to determine the minimum retention in conjunction with the above points.

Integrity and confidentiality

Saint Francis Hospice takes information governance and information security seriously. We have robust technical and organisational systems and measures in place to manage and protect your personal information. These measures include data encryption, up to date security measures to ensure confidentiality and to guard against unauthorised access, unlawful processing, accidental loss, damage or destruction. Staff are only allowed access to information on a need-to-know basis and access is strictly controlled. Staff access permissions are removed when access is no longer required.

Around the organisation other measures include secure door access, CCTV, confidentiality and data protection policies and procedures that address our lawful obligation to protect your fundamental rights.


Where possible, all of our data is held within the UK, however in some circumstances some of our suppliers may hold information outside the United Kingdom, including within the European Economic Area (EEA). This includes countries which do not have the same data protection laws as the UK. On these occasions, we would ensure that they only hold information in alignment with UK data protection law and relevant expectations, confirming that appropriate safeguards are in place.

What are your rights?

Under UK data protection law, you have rights over personal information that we hold about you. These are typically defined as the following:


The right to be informed
Individuals have the right to be informed about the collection and use of their personal data.
We must provide you with information including: your purposes for processing personal data, retention periods for that personal data, and who it will be shared with. This is the premise of this privacy policy.

Right to access your personal information
You have a right to request access to the personal data that we hold about you. You also have the right to request a copy of the information we hold about you, and we will provide you with this unless legal exceptions apply.

Right to have your inaccurate personal information corrected
You have the right to have any information that we hold about you that may be inaccurate or incomplete corrected. If you believe this to be the case and would like your data amended, please provide us with details and we will look to correct the information for you.

Right to restrict use of your personal information
You have a right to ask us to restrict the processing of some or all of your personal information. This would be relevant in the following situations:

  • if some information we hold on you is not right
  • we are not lawfully allowed to use it
  • you need us to retain your information in order for you to establish, exercise or defend a legal claim
  • you believe your privacy rights outweigh our legitimate interests to use your information for a particular purpose, and you have objected to us doing so

Right to erasure of your personal information
You may ask us to delete some or all of your personal information and in certain cases, and subject to certain exceptions, you have the right for this to be done. If we are unable to delete your information, we will explain why this is the case.

Right for your personal information to be portable
The right to data portability allows you to obtain and reuse your personal data for your own purposes across different services.

You may ask us to provide your data to you or another service provider in a machine-readable format.

Right to object to the use of your personal information
If we are processing your personal information for direct marketing purposes, and you wish to object, we will stop processing your information for these purposes as soon as reasonably possible.

If you want to exercise any of the above rights, please contact us at Information Governance, Saint Francis Hospice, The Hall, Havering Atte Bower, Romford, Essex RM4 1QH or by email to


We may be required to ask for further information and/or evidence of identity and will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.

Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances.

For more details we recommend you consult the guidance published by the UK's Information Commissioner's Office (link is external).

How to complain

You also have the right to complain to the Information Commissioner about any of our processing activities. The Information Commissioner is the regulator that governs and controls the use of personal information and enforces your right to privacy and confidentiality. Click here to view the Information Commissioner's details.

How to contact us

You can contact Saint Francis Hospice by writing to us at: Saint Francis Hospice, The Hall, Broxhill Road, Havering-atte-Bower, Romford, RM4 1QH.


Reception Enquiries 01708 753319
Clinical Enquiries 01708 758643
Supporter and Fundraising Enquiries 01708 723593
Retail Head Office Enquiries 01708 376269

Contact our Caldicott Guardian:

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly.

Our Caldicott Guardian is Tes Smith, Director of Quality, Care and Support Services. She can be contacted via email on

Sometimes we may use a shortened version of this statement where space is more restricted.

We may change this Privacy Policy from time to time. If we make any significant changes in the way, we treat your personal information we will make this clear on the Saint Francis Hospice Website or by contacting you directly.