Healthwatch Worcestershire

Privacy Statement

  1. About Healthwatch Worcestershire

Healthwatch Worcestershire (HWW) provides an independent voice for people who use publicly funded health and social care services. Our role is to ensure that people’s views are listened to and fed back to service providers and commissioners to improve services. We use personal data to do this.

[In our Privacy Statement, wherever you see the words ‘we’, ‘us’, ‘our’, we are referring to Healthwatch Worcestershire]

We are a ‘Public Body’ for the purposes of the General Data Protection Regulations [GDPR] and this Privacy Statement sets out our data processing practices.

We retain and use personal data to help us carry out our role. We are registered with the Information Commissioner’s Office [Registration Number ZA025996] and have appointed a Data Protection Officer who reports to our Board of Directors.

If you have any questions in relation to our Privacy Statement, or how we use your personal data they should be sent to dpo@healthwatchworcestershire.co.uk, or addressed to the Data Protection Officer, Healthwatch Worcestershire, Civic Centre, Queen Elizabeth Drive, Pershore, Worcestershire, WR10 1PT.

  2. Personal data we collect and how we use it

We’ll only use your personal data on relevant lawful grounds as permitted by the EU General Data Protection Regulation (from 25 May 2018)/UK Data Protection Act and Privacy of Electronic Communication Regulation.

Personal data provided to us will be used for the purpose or purposes outlined in this Privacy Statement in a transparent manner at the time of collection, in accordance with any preferences you express. If asked by the police, or any other regulatory or government authority investigating suspected illegal activities, we may need to provide your personal data.

‘Your privacy is important to us, so we’ll always keep your details secure’.

Your personal data [any information which identifies you, or which can be identified as relating to you personally, e.g. your name, address, phone number, or email address] will be collected and used by us.

‘We will only collect the personal data that we need to carry out our role’.

We collect personal data in connection with our Advice and Information service, in gathering patient, service user or carer experience of health and social care services, and to manage Healthwatch Worcestershire [Volunteering, Reference & Engagement Group, Company Membership Scheme, Recruitment and Employment].

The ways you can give us your personal data include filling in forms on our website, or by corresponding with us [by phone, email, face to face, letter or by joining as a volunteer], or other social media functions on our website.

  • Personal data provided by you

The personal data you give us may include your name, title, address, date of birth, age, gender, employment status, demographic information, email address, telephone numbers, personal description, photographs, and experiences of health and social care services.

‘We will never share your personal data without your explicit consent [except in circumstances where the law may require us to do so e.g. your ‘vital interests’ or the suspected commission of crime]’

We may automatically collect technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. If you access our website via your mobile device, we will collect your unique phone identifier.

  • Special Category Data

‘Special Category Data’ is personal data which the GDPR says is more sensitive, and so needs more protection. It includes data about your health and wellbeing. Therefore, when providing advice and information or gathering patient, service user or carer experience of health and social care we may collect special category data. We will not process special category data without your consent.

2.1 Advice and Information Service

In providing Advice and Information to you there may be occasions when we will need to record your personal information. For example, if you call us for advice or information and we cannot deal with your enquiry at the first point of contact, we will record your personal information and only hold the details for the duration of the enquiry.

We will always act upon your choice of how you want to receive communications [for example, by email, post or phone].

We would like to use your details to keep in touch through our newsletter about health and social care issues and events that may matter to you. We will only send our newsletter to you if you agree to receive it.

‘We will never share your information with other businesses for inclusion in their marketing’

If you agree to receive our newsletter from us, you can change your mind later. However, if you tell us you do not want to receive our newsletter then you may not hear about health and social care issues or events that may be important to you.

We may sometimes use third parties to capture some of our data on our behalf. We will only do this where we are confident that the third party will treat your data securely, in accordance with our terms and in line with the requirements set out in the GDPR.

2.2 Gathering Experiences of Health and Social Care Services

Any personal data we collect in gathering experiences of health and social care services will be entered into our database, which has been designed to record those experiences. We need to use that data to work on your behalf to improve health and social care services in Worcestershire and across England.

‘We will always anonymise the personal data you share with us unless you give us explicit consent to identify you’.

We may share anonymised data with commissioners, providers and Healthwatch England to improve health and social care services. We will only share your identifiable information with those organisations when we have your express consent to do so.

2.3 Volunteering

We call people who volunteer with us ‘Ambassadors’. If you are an Ambassador we need to use your personal data to manage your volunteering, from the moment you enquire to the time you decide to stop volunteering with us. This could include: contacting you about an event you’re involved in or we think you might be interested in, expense claims you’ve made, engagements you’ve booked, DBS checks and to recognise your contribution.

Therefore, we may collect extra information about you [e.g. references, details of emergency contacts, medical conditions, expense payments etc].

This information will be retained for legal or contractual reasons, to protect us [including in the event of an insurance or legal claim].

2.4 Reference and Engagement Group

Our Reference & Engagement Group has been established as a network of Community and Voluntary Sector Organisations and ‘Experts by Experience’ to support us in our work.

If you are a member of our Reference & Engagement Group we will collect the information we need to contact you [e.g. organisation’s details, address, telephone number and email address]. This may include personal data [e.g. name, contact details].

2.5 Company Membership Scheme

HWW is a ‘Not for Profit’ organisation and is constituted as a private company limited by guarantee. In accordance with the company’s Articles of Association we have a Company Membership Scheme. If you are a member of the Scheme we will collect the information about you which we need to administer the scheme. This will include your personal data [e.g. name and contact details].

2.6 Recruitment and Employment

To comply with our contractual, statutory, and management obligations and responsibilities, we process personal data, including ‘sensitive’ personal data, from job applicants and employees. Such data can include, but is not limited to, information relating to health, racial or ethnic origin, and criminal convictions. In certain circumstances, we may process personal data or sensitive personal data, without explicit consent. Further information on what data is collected and why it’s processed is given below:

  • Contractual responsibilities

Our contractual responsibilities include those arising from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.

  • Statutory responsibilities

Our statutory responsibilities are those imposed through law on the organisation as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.

  • Management responsibilities

Our management responsibilities are those necessary for the organisational functioning of the organisation. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, e-mail address and telephone number.

  • Sensitive Personal Data

‘Sensitive personal data’ is defined as information about racial or ethnic origin, political opinions, religious beliefs or other similar beliefs, trade union membership, physical or mental health, sexual life, and criminal allegations, proceedings or convictions.  

In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee. For example:

  • We will process data about an employee’s health where it is necessary, for example, to record absence from work due to sickness, to pay statutory sick pay, to make appropriate referrals to the Occupational Health Service, and to make any necessary arrangements or adjustments to the workplace in the case of disability. This processing will not normally happen without the employee’s knowledge and, where necessary, consent.
  • We will process data about, but not limited to, an employee’s racial and ethnic origin, their sexual orientation or their religious beliefs only where they have volunteered such data and only for monitoring and upholding our equal opportunities policies and related provisions.
  • Data about an employee’s criminal convictions will be held as necessary.

Disclosure of employees’ personal data to other bodies

We may share an employee’s data with other bodies in the following circumstances:

  • To carry out our contractual and management responsibilities, we may, from time to time, need to share an employee’s personal data with one or more third-party suppliers.
  • To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs.
  • To fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.

  3. Disclosing and Sharing Information

We may share anonymised data that we have gathered in providing our Advice and Information/gathering patient, service user or carer experience services with commissioners, providers and Healthwatch England to improve health and social care services. We will only share your identifiable information with those organisations when we have your express consent to do so.

When we allow third parties acting on behalf of Healthwatch Worcestershire to access your information, we will always have complete control of what they see, how long they see it for and what they are allowed to do with it. We do not sell or share your personal information for other organisations to use.

Personal data collected and processed by us may be shared with the following groups where necessary:

  • Healthwatch Worcestershire employees and Directors
  • Third party cloud hosting and IT infrastructure providers who host the website and provide IT support;

Also, under strictly controlled conditions:

  • Contractors
  • Service Providers providing services to us
  • Advisors

We may also disclose your personal information to third parties if we are under a duty to disclose or share your personal data to comply with any legal obligation, to protect the vital interests or to enforce or apply our terms of use or cookie policy and other agreements; or to protect the rights, property, or safety of Healthwatch Worcestershire, our Directors and Ambassadors.

  4. Your Data Protection Rights

Individuals have rights over their personal data. As a controller of your personal data, we are responsible for fulfilling these rights.

4.1 Withdrawal of Consent

Where Healthwatch Worcestershire is using your personal data based on your consent, you have the right to withdraw that consent at any time. You also have the right to ask Healthwatch Worcestershire to stop using your personal data for direct marketing purposes.

If you want to withdraw your consent or ask us to stop using your personal data, tell us by contacting dpo@healthwatchworcestershire.co.uk.

4.2 Subject Access Request

You have the right to access personal data held by us. This right may be exercised by writing to or emailing our Data Protection Officer.

You will be asked to provide the following details:

  • The personal information you want to access;
  • The date range of the information you wish to access

We will also need you to provide information that will help us confirm your identity. Healthwatch Worcestershire will accept two of the following three forms of ID when information on your personal data is requested:

  • driving license, passport,
  • birth certificate
  • utility bill not older than three months.

Once we have all the information necessary to respond to your request we’ll provide your information to you within 30 days.

4.3 Right to amendment of personal data

We want you to remain in control of your personal data. If, at any time, you want to update or amend your personal data or marketing preferences please contact us in one of the following ways:

  • Email: dpo@healthwatchworcestershire.co.uk
  • Call: 01386 550264
  • Write to:

Healthwatch Worcestershire
Civic Centre,
Queen Elizabeth Drive,
Pershore, WR10 1PT

Updates will take place within 30 days of request.

4.4 Other data subject rights

As an individual you have further rights regarding your personal data, such as the right to erasure (right to be forgotten), the right to restrict or object and the right to data portability. There may be other legal reasons why we need to process your personal data but let us know if you don’t think we should be using it.  If you would like to exercise any of these rights, please contact our Data Protection Officer.

  5. Keeping your Information Safe

Information system and data security is imperative to us to ensure that we are keeping our customers, members, volunteers, employees and contractors safe.

We operate a robust and thorough process for assessing, managing and protecting new and existing systems which ensures that they are up to date and secure against the ever-changing threat landscape. In addition to this, we follow a defence in depth security model, which means that your data is protected by multiple layers of security.

Healthwatch Worcestershire takes cyber security seriously and has achieved the Cyber Essentials accreditation, and is registered in the national database which can be found here.

Our staff complete mandatory information security and data protection training on employment and annually thereafter to reinforce responsibilities and requirements set out in our information security policies.

When you trust us with your data we will always keep your information secure to maintain your confidentiality. By utilizing strong encryption when your information is stored or in transit we minimize the risk of unauthorized access or disclosure; when entering information on our website, you can check this by right clicking on the padlock icon in the address bar.

Where possible all data is stored in the UK, and due diligence is carried out to make sure any services have the correct information security in place such as ISO 27001 and at least Cyber Essentials.

We may transfer your personal information outside of the European Economic Area. Where we do so we ensure appropriate safeguards are in place.

We use ‘Mailchimp’ to carry out email marketing, and your data is transferred to Data Centres located in the USA. Under GDPR regulations any business operating in USA must have Privacy Shield in place to comply with GDPR. ‘Mailchimp’ has obtained Privacy Shield, which can be found at Mailchimp Privacy Shield.

We will only use and store your information for as long as it is required for the purposes it was collected for. How long it will be stored for depends on the information in question, what it is being used for and, sometimes, statutory legal requirements. More information is available in our ‘Retention and Disposal’ policy which is available on our website [ www.healthwatchworcestershire.co.uk ] or from our office [email: dpo@healthwatchworcestershire.co.uk or telephone 01386 550264].

  6. Cookies

Cookies are small text files stored on your computer when you visit certain websites. We use first party cookies (cookies that we have set, that can only be read by our website) to personalise your online experience. You can control the use of cookies via your browser.

Most web browsers allow some control of cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.

  7. Links to other websites

Our website may, from time to time, contain links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we don’t accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites. This privacy policy applies solely to the personal data collected by Healthwatch Worcestershire.

  8. What to do if you’re not happy

In the first instance, please talk to us directly so we can resolve any problem or query. You also have the right to contact the Information Commissioner’s Office (ICO) if you have any questions about Data Protection. You can contact them using their help line 0303 123 113 or at www.ico.org.uk.

  9. Changes to this privacy policy

We’ll amend this privacy policy from time to time to ensure it remains up to date and reflects how and why we use your personal data and new legal requirements. Please visit our website to keep up to date with any changes. The current version will always be posted on our website.

  10. Our Data Protection Officer

Our Data Protection Officer can be contacted in the following ways:

Write to:

Healthwatch Worcestershire
Civic Centre,
Queen Elizabeth Drive,
Pershore, WR10 1PT

Or email: DPO@healthwatchworcestershire.co.uk