Privacy Policy - Keech Hospice
Keech Hospice is committed to respecting your privacy and protecting your personal information. This privacy policy explains:
what information we collect and why
how we use and share it
how we keep it secure
your rights under data protection law
We do this not only because the law requires it, but because it aligns with our value to be “trusted with your information and your care and respected for our professionalism.”
Version 7 – Last updated 25/03/26
Who we are
Keech Hospice provides free, specialist care for adults in Luton and Bedfordshire, and children from Bedfordshire, Hertfordshire and Milton Keynes, who have a life-limiting condition. We aim to help people live as well as possible, manage symptoms, stay out of hospital, and make the most of their time.
We raise funds through generous donations from our local community and supporters, income from the sale of donated goods in our charity shops and a contribution from the NHS.
Keech Hospice is registered as:
A Charity in England & Wales: Registered number 1035089
A Company limited by guarantee: Registered number 02904446
Keech Hospice is registered with the Information Commissioner's Office (ICO): registration number Z5812604.
We have two wholly owned trading subsidiaries:
Keech Hospice (Trading) Limited – Company 06941924, ICO ZA881998
Pasque Charity (Trading) Limited – Company 02362985, ICO ZA882009
Within the context of this policy, ‘we’ means both the charity and its subsidiaries. Each of these organisations is a data controller under data protection law.
Contact details (Data Protection Officer): Paula Welsh
Email: info@keech.org.uk
Address: Keech Hospice, Great Bramingham Lane, Luton, LU3 3NT
What information do we collect?
The type and amount of information we collect depends on your relationship with us. It may include:
name, address, email, phone, date of birth
communication preferences
payment/donation and transaction history
records of contact with you
employment or volunteering information
technical identifiers (e.g., IP address, cookie IDs)
photographs or case studies (only with your consent)
Special category data (handled with extra care) may include health information, ethnicity, religious beliefs, or sexual orientation.
We do not currently collect political opinions, trade union membership, genetic data, biometric data used for identification, or sexuality. We would only collect information by exception or when it is legally necessary and lawful to do so.
Our lawful bases for using your information
The amount and type of information we collect and use about you will vary depending on your relationship with us. We only process your information when a lawful basis applies. These are:
Patients and service users
If you access our care services, we collect information about your health and wellbeing to plan and deliver safe, effective care. This can include diagnoses, medical history, medications, test results and assessments, and information from other care providers involved in your care. We will check information with you when your care begins to ensure it is accurate, and we ask your permission to continue sharing your health information with other care providers into the future, so that everyone involved in your holistic care has accurate details about you.
Sharing for care: We share information with others involved in your care: GPs, hospitals, community teams, counsellors/therapists, social workers/care coordinators. We may also need to share information with local health and social care partners, such as Integrated Care Systems and Local Authorities, to support planning of local health and social care services and funding. We anonymise or pseudonymise this data where possible. We only share via secure channels and only what is necessary.
Relatives receiving support: If you are a relative accessing support, we collect information from you directly. This may include details about your emotional wellbeing, mental health, family circumstances and welfare entitlements. Using this information enables us to deliver the best possible care to you and your loved ones and improve our services going forward. You have the right to object to us collecting and using this information; however, it may not be possible to continue providing care and support services to you and your family without it. We will not share it without your consent unless we are legally required to.
We recognise your health information is sensitive, and we take great care to keep it secure. Only those who need to use your information to deliver effective and high-quality care are allowed access to it. This will include clinicians such as nurses, doctors, therapists and officers, but also non-clinicians such as administrators, auditors and data analysts. When sharing your information with other care providers, we make sure the recipient needs that information for care purposes before doing so and only send it using secure channels.
Research
If we take part in a research project that uses personal data, we will always obtain your informed consent first. You will not be identified in reports unless you have explicitly agreed.
National Data Opt-Outs
We comply with the national data opt-out, which allows patients to choose not to have their confidential patient information used for research and planning. Learn more or set your preference here.
Donors, supporters and customers
If you donate, fundraise, shop with us or engage with our communications, we may collect the following information about you:
contact details
donation amounts and payment history (we use card details only to process the immediate payment and do not retain them)
Gift Aid declarations (shared only with HMRC)
event participation and communication history
images/case studies you provide (only with consent)
This information is always given to us by you, either directly or indirectly (with your permission) via online giving services (such as JustGiving or Enthuse).
We may use publicly available sources (e.g., Companies House, Electoral Register, reputable news, Royal Mail change of address update and social platforms) to keep data accurate, understand supporter demographics, conduct due diligence in line with our Gift Acceptance Policy, and meet anti money laundering obligations.
To help build a snapshot of the type of people who support us currently or may support us in the future and to help us with our planning and fundraising, we undertake in-house research and occasionally engage specialist agencies to gather information about you or your company from publicly available sources.
From time-to-time we may also carry out wealth screening of our supporters. Wealth screening involves checking our list of supporters against a database prepared by a recognised wealth intelligence agency to identify which of our supporters may have a high net worth or hold highly influential positions. We may also carry out research using publicly available information to identify individuals who may have an affinity to our cause but with whom we are not already in touch. This may include people connected to our current major supporters, trustees, or other lead volunteers. We also use publicly available sources to carry out due diligence on donors in line with the charity’s Gift Acceptance Policy and to meet money laundering regulations.
This research helps us to understand more about you as an individual so we can focus conversations we have with you about fundraising and volunteering in the most effective way and ensure that we provide you with an experience as a supporter, donor or potential donor which is appropriate for you.
If you would prefer us not to use your information in this way, please contact us at letmehelp@keech.org.uk or 01582 707960.
We process your information under our legitimate interest, which helps us to maintain meaningful relationships with our supporters and the wider community.
You have the right to object to this processing or to ask us to restrict how we use your information. Please note that if you choose to do so, it may limit the types of support or engagement we are able to offer you.
We will never sell your information.
Marketing
We may send you marketing communications:
where you have given your consent to be contacted by email/SMS or
under the “soft opt in” for email/SMS where you have previously supported or engaged with us and we gave you a clear opportunity to opt out at the time of data collection and in every other message you receive from us. This is in line with the Privacy and Electronic Communication Preferences (PECR) and the Data Use and Access Act 2025 (DUAA). This applies only to contacts collected after the commencement of DUAA and does not apply to telephone marketing.
We may also contact you by post with updates about our work, fundraising appeals, events, and ways you can support us. We do this on the basis of our legitimate interest. We always balance this against your rights and expectations, and we only send material that we believe is relevant and appropriate.
You can change your marketing preferences at any time by contacting letmehelp@keech.org.uk or 01582 707940, or via the Fundraising Preference Service.
Photos/video/case studies:
We only use these with your explicit consent. We will not use them for longer than two years unless you renew consent. You can withdraw your consent at any time: comms@keech.org.uk
Third parties acting for us:
We may share limited information with service providers (e.g., mailing houses) acting on our behalf under contract. They must follow our instructions and keep your data secure.
Information about business associates
If your company has a business relationship with us, we collect administrative information about your representatives, as well as payment details and transaction history. This may include names, job titles, contact information, communication records, and bank details. This information is typically provided directly by you or your organisation.
We use this information to manage our business relationship with you, including processing payments, fulfilling contractual obligations, and maintaining accurate financial records. For example, we may share relevant payment information with our external financial auditors as part of routine regulatory audits.
We process this data on the basis of our contractual obligations with your organisation. This means we require this information to deliver or receive goods and services as agreed. Because this processing is necessary to fulfil our contract, you generally do not have the right to object to it or restrict how it is used.
Information about website visitors
We use cookies to make your experience on our website better. Cookies are clever bits of code that help us improve how our website works and how we support our community.
Under the Data Use and Access Act (DUAA) 2025, some cookies that are considered low-risk—such as those used to improve website performance or remember your preferences—may be set without your explicit consent. However, we’ll always let you know what cookies we’re using and give you a simple way to opt out if you wish.
There are six broad types of cookies we may use:
Necessary:
These cookies are essential for the website to function properly. They enable basic features like page navigation and access to secure areas. These are set automatically and do not contain any personal information.
Functional:
These cookies help the website remember your preferences (like language or region) and enable enhanced features such as social media sharing or feedback tools. These may be set without consent if they are low risk, but you can opt out at any time.
Performance:
These cookies help us understand how visitors use our site so we can improve it. They collect anonymous data such as page visits and navigation patterns. Under DUAA, these may be set without consent if used solely for statistical purposes.
Analytics:
These cookies provide insights into how users interact with our website, including session duration, bounce rates, and traffic sources. They do not collect identifiable information and may be set without consent if used for aggregate reporting only.
Advertisement:
These cookies are used to deliver relevant ads and track the effectiveness of marketing campaigns. They may also be used to build a profile of your interests. These cookies require your explicit consent before being set.
Other cookies:
These are uncategorised cookies that are still being reviewed and classified.
You can learn more about cookies by visiting allaboutcookies.org
Consent and Cookie Preferences
When you visit our website for the first time, we’ll ask for your preferences. You can choose to accept or decline non-essential cookies. If you decline, only strictly necessary cookies will be set. If you accept, your browser will begin setting cookies as you navigate our site.
We collect cookie data based on your consent (where required). You can change your preferences at any time via our cookie settings. Cookies typically expire after 30 days, so we may ask for your consent again if you return after that period.
Third-Party Services
Some pages may include content from third-party services like Facebook or YouTube. These services may set their own cookies. For details on how they use cookies, please refer to their privacy notices.
Google Analytics
We also use Google Analytics to help us understand how our website is used. This tool uses cookies to collect anonymous data about page visits and user behaviour. This data is only shared with Google if you accept analytics cookies.
Staff and Volunteers
If you work or volunteer with us, we collect personal information during your recruitment and throughout your time with us. This may include your contact details, next-of-kin information, bank details (for paying salaries or reimbursing expenses), references, background checks, sickness and occupational health records, pension details, and any disciplinary records. Most of this information is provided directly by you, although some may come from your manager or previous employer.
We only share your work-related information when necessary—for example, to fulfil your employment contract or provide agreed benefits and support. For instance, if you are a staff member, your bank details will be shared with our payroll provider to ensure your salary is paid accurately and on time. To comply with pension auto-enrolment legislation, we also share employee details with our pension provider so they can assess eligibility.
We process staff data on the basis of contractual obligation, which means you generally cannot object to us collecting or using this information, as doing so would breach your employment contract. In rare cases where you do have the right to object, we will let you know and offer you a choice.
We process volunteer data on the basis of legitimate interest, which helps us build a positive relationship and support your volunteering experience. You have the right to object to this processing, although doing so may affect your ability to volunteer with us.
During recruitment, we may ask for sensitive personal information (known as special category data), such as your ethnicity, religious beliefs, or sexual orientation. This is used only for equality monitoring to help us build an inclusive and diverse workforce. Access to this data is strictly limited, and it is anonymised whenever used. You are not required to provide this information and choosing not to will not affect your application.
Automated Decision-Making
We do not use automated decision-making.
Keeping your information secure
We are committed to protecting your personal information and maintaining your trust. Our approach to information security is designed to meet the highest standards of confidentiality, integrity, and accountability, in line with the UK GDPR, Data Protection Act 2018, and the Data Use and Access Act (DUAA) 2025.
All staff and volunteers who handle personal data complete mandatory annual training in information security and data protection. We also carry out regular audits and inspections to ensure our security controls remain effective and up to date.
Access to personal information is strictly controlled. Only individuals with a clear business need can access it, and only for the purpose it was collected. If information needs to be taken off-site, we apply additional safeguards to protect it.
When personal information is no longer needed, it is either securely archived or destroyed, in accordance with legal and regulatory requirements.
For payment card data, only staff trained in the Payment Card Industry Data Security Standard (PCI DSS) are authorised to handle it. Card details are used immediately for processing and then securely destroyed.
We have clearly defined roles and responsibilities for information governance:
Our Data Protection Officer, Paula Welsh, oversees compliance with data protection laws.
Our Caldicott Guardian, Elaine Tolliday (Clinical Director), ensures confidentiality is protected in line with NHS information sharing principles.
Our Senior Information Risk Owner (SIRO), Rob Davies (Executive Director of Finance and Corporate Services), promotes awareness of information governance risks.
Our Information Governance Lead, Liz Searle (Chief Executive Officer), fosters a culture of data protection and security across the organisation.
We believe in transparency and continuous improvement. If we identify a risk that your personal information may have been misused, we will:
Investigate the incident promptly
Inform you of the outcome
Support you throughout the process
In serious cases, we will also notify the Information Commissioner’s Office (ICO) or other relevant regulators, as required by law. As a regulated healthcare provider, we uphold the Duty of Candour, meaning we will inform you of any mistakes, apologise, and take steps to put things right.
Sharing your information
Where we have indicated above that information may be shared, we always ensure the people receiving your information uphold the same information security standards of privacy, confidentiality, and security as we do. This is usually formalised through a contract or information sharing agreement, which sets out clear responsibilities and safeguards.
All staff, volunteers and agents of Keech Hospice are bound by strict duties of confidentiality and receive regular training to ensure they understand their obligations under data protection law.
In exceptional circumstances, we may be required to share your information without prior notice. This could happen if:
We believe you may be at risk of serious harm (e.g. safeguarding a child or vulnerable adult)
We are legally required to do so under specific regulations (e.g. RIDDOR, which requires us to report certain work-related incidents to the Health & Safety Executive).
We are preventing or detecting a crime
We are fulfilling a public interest task or legal obligation
In rare and exceptional circumstances, such as a public health emergency or major incident, we may share personal information with emergency services or public authorities. While we are not a designated responder under the Civil Contingencies Act 2004, we may support emergency efforts where necessary to protect life or health. Any such sharing will be lawful, proportionate, and reviewed by our Caldicott Guardian.
Keeping your information
We only keep your personal information for as long as it is needed for the purpose it was collected. The length of time we retain your data depends on the nature of the information and the reason it was provided.
In some cases, your information may be used and securely disposed of shortly after collection. In other cases, we may need to retain it for several years to meet legal, regulatory, archiving, or insurance requirements.
We follow recognised retention schedules and regularly review the data we hold to ensure it is not kept longer than necessary. When information is no longer required, it is securely deleted or archived in line with data protection legislation, including the Data Use and Access Act (DUAA) 2025, the UK GDPR, and the Data Protection Act 2018.
If you would like more detail about how long we keep specific types of information, please contact our Data Protection Officer.
Your individual rights
Under data protection regulations, you have rights over how your personal information is used by others.
Right to access:
You have the right to request access to the personal information we hold about you. We will respond within one month, based on a reasonable and proportionate search. We may ask for clarification or proof of identity before providing the information. Requests that are vexatious or excessive may be refused.
Right to rectification:
If the information we hold about you is inaccurate or incomplete, you can ask us to correct it. We aim to keep our records up to date, but please let us know if you spot any errors.
Right to erasure:
You can ask us to delete your personal information if you believe it is no longer needed. We will comply where possible, unless we are required to retain certain details for legal or contractual reasons. If we cannot erase your data, we will explain why.
Right to restriction:
You can ask us to limit how we use your personal information if you believe it is being used inappropriately. As with erasure, we will consider your request and explain any legal reasons that may prevent restriction.
Right to portability:
You have the right to receive certain personal data in a structured, commonly used, and machine-readable format. This applies when the data was provided by you and is processed based on consent or contract.
Right to objection:
You can object to us using your personal information for legitimate interests, direct marketing, or research purposes. We will consider your objection unless there is a lawful exemption, such as safeguarding or public interest.
Right to complain:
If you are unhappy with how we handle your personal data, you have the right to raise a complaint with us first. We will acknowledge your complaint within 30 days and keep you informed of progress. If you are not satisfied with our response, you can escalate your complaint to the Information Commissioner’s Office (ICO).
Protecting children and vulnerable adults
As an organisation that cares for children and adults with life-limiting and terminal illnesses, we are acutely aware of the risks faced by children and vulnerable adults. All our staff are trained to understand the signs of vulnerability in children and adults and respond appropriately if there are concerns. Our fundraising staff work to the guidance issued by the Institute of Fundraising on treating donors fairly.
We follow the DUAA 2025 enhanced protections for children’s data, including age-appropriate design and privacy notices. We ensure that children understand what they are consenting to or seek parental consent where appropriate.
We take extra care to make the information we give to children easy to understand. When a child gives their consent for us to use their information, we double-check they have understood what they are consenting to, or we seek consent from those who hold parental responsibility for the child. Marketing will never be sent to people under the age of 16 unless they have expressly requested it and we have made certain they understand the implications.
When we collect and use information about children who have limited capabilities to understand, such as those who are very young or have a condition affecting their development, we will ensure their parents understand and give the parents choices about how we use their child’s information. Unless we have reasons to believe otherwise, we presume that anyone over the age of 16 has the capability to understand and make their own decisions about how we use their information.
The recruitment of all volunteers under 18 years of age is subject to risk assessment and adequate support. The recruitment of all volunteers under 16 years of age requires parental permission in addition. Information about risks and support arrangements will only be used by Volunteering staff and the child’s supervisor. In the event of a child participating in a scheme such as work experience, VInspired or Duke of Edinburgh, information may be required by the organiser of the scheme in relation to hours and tasks carried out and risk assessment processes. We do not employ anyone under the age of 16.
We are committed to making our privacy policy accessible. An easy-read version of this policy is available upon request, and we offer formats such as large print, braille, and audio recording.
If you, or someone you know, wish to receive this privacy notice in a different format or translated into a different language, please contact us by telephone on 01582 492339, by email at info@keech.org.uk, or by post at: Keech Hospice, Great Bramingham Lane, Luton, LU3 3NT.
Changes to this notice
From time to time, we may need to change this notice in response to different ways of working, or new regulations. The version number and revision date at the bottom of this notice will tell you when it was last reviewed. As a matter of course, we will review the notice no less than once per year.
We will notify you if there are any significant changes to this notice that could affect your information rights.