HOW CAN YOU CONTACT US?
Data Protection Officer
Doctors of the World
1 Canada Square
Telephone Number: 02071675789
HOW DO WE COLLECT YOUR INFORMATION?
Doctors of the World may collect your personal information in the following circumstances:
- When you give it to us Directly
You may give us your personal data directly when you contact Doctors of the World regarding our activities, volunteering enquires, signing up to newsletters, register for an event, attend one of our clinics, send or receive information, engage with our social media or make a donation to us, you may provide us with your personal information.
- When you give it to us Indirectly
You may give us your information indirectly when you interact with third parties with whom we work. For example, where you’ve made a donation to Just Giving or Virgin Money Giving. These independent third parties will pass your data to Doctors of the World where you have indicated that you wish to support Doctors of the World and have given your consent, or it is a necessary part of completing a contract with you.
- When the information is publicly available
We might also obtain personal data about individuals who may be interested in giving major gifts to charities or organisations like Doctors of the World. In this scenario, Doctors of the World may seek to find out more about these individuals, their interests and motivations for giving through publicly available information. This information may include newspaper or other media coverage, open postings on social media sites such as LinkedIn, and data from Companies House. Doctors of the World will not retain publicly available data relating to major donors without their consent, which will be sought at the earliest practical opportunity.
WHAT INFORMATION DO WE COLLECT?
The information we collect from you directly or from third parties with whom we work, may include:
- email address,
- telephone number,
- contact preferences,
- bank account details for setting up a regular direct debit,
- credit card details for processing credit card payments,
- employer details for processing a payroll gift,
- taxpayer status for claiming Gift Aid, and
- date of birth, age, and/or gender, where appropriate (e.g., where registering for an event, such as a race).
- Patient information disclosed to us during consultations
We may also collect and process information about your interactions with us, including details about our contacts with you through email, SMS, post, on the phone or in person (i.e., the date, time, and method of contact), details about donations you make to us, events or activities that you register for or attend and any other support you provide to us.
Sensitive Personal Data
We do not usually collect “sensitive personal information” about you unless there is a clear reason for doing so, such as participation in an event (for example a marathon) where we need this information to ensure we provide appropriate facilities for you. We may collect health information if you tell us about your experiences (for example, if you act as a case study for us); however, we will make it clear to you when collecting this information as to what we are collecting and why.
HOW DO WE USE YOUR INFORMATION?
We may collect your personal information for a number of reasons, including:
- to process any donations we may receive from you;
- to provide you with services, information or products you have requested;
- to provide you with information about our work or activities, that you have asked to receive;
- to send you items you have purchased through our shop;
- to invite you to participate in voluntary surveys, campaigns or research;
- for administrative purposes e.g. we may contact you about a donation you have made to us or an event you have registered or expressed interest for;
- for internal record keeping, such as the management of donations, feedback or complaints;
- to analyse and improve content and operation of our online platforms;
- to analyse the personal information we collect about you, to give a greater understanding of your interests, preferences and scale of potential donations. This is to ensure that we contact you in the most appropriate way and to ensure we do not sent you unwanted communications;
- We will use your information to comply with the law or in the good faith belief that such action is necessary to conform to the requirements of law or comply with legal process served on us, protect and defend our rights or act in urgent circumstances to protect the personal safety of others;
- We will use the personal information to protect against potential fraud. We may verify with third parties the information collected in the course of processing a gift, event registration or other donation. If you use a credit or debit card on the website, we may use card authorisation and fraud screening services to verify that your card information and address matches the information that you supplied to us and that the card being used has not been reported lost or stolen.
We may contact you for fundraising or marketing purposes by email or SMS if you have given us your consent for us to contact you in this manner. If you have provided us with your postal address or telephone number, we may send you information about our work, activities or other communications outlined above by direct mail or by telephone unless you have told us that you would prefer not to hear from us in this way. You can change your communications preferences at any time by contacting us via email: email@example.com or by telephone: 02071675789.
Credit and debit card payment information
If you use your credit or debit card to donate to us, purchase a shop item, donate online or over the phone, we will ensure that this is done securely and in accordance with the Payment Card Industry Data Security Standards. We do not store your credit or debit card details, following the completion of your transaction. All card details and validation codes are destroyed once the donation has been processed.
Disclosure of your information to third parties
Doctors of the World will not sell, share or distribute customer details with any 3rd parties“Personal Information” is information that identifies you personally, such as your name, address, telephone number, and email address.
Where we need to use a third party to process personal data on our behalf e.g. a mailing house, we will ensure a contract is in place to properly protect your data and is treated in accordance with General Data Protection Regulation
What data Protection rights do you have?
You have the rights to:
- Make a complaint or raise a concern about how we process your personal data;
- Request a copy of the information we hold about you;
- Update the information we hold about you if it is wrong;
- Change your communication preferences at any time;
- Request that we remove your personal information from our records;
If you wish to find out more about these rights, change communication preference or obtain a copy of the information we hold about you, please contact us at:
Doctors of the World
1 Canada Square
If you have indicated that you do not wish to be contacted for marketing purposes, we will maintain your details on a suppression list to help ensure that we do not continue to contact you for marketing purposes. However, we may still need to contact you for administrative purposes, including (but not limited to):
- Processing a donation you have made and any related Gift Aid;
- Providing you with the information you need in order to participate in an activity or event for which you have registered;
- Explaining and apologising where we have made a mistake.
- Remembering if you are logged in so you can move around the website without having to log in again.
- Monitors how many people are using each page of the website and for how long so that we can try improve the quality of our website
What are cookies?
Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies do not reveal the identity of the individual user; they only identify the computer utilised by that user.
GDPR and DOTW’s service users
Doctors of the World believe its service users are at the heart of everything we do. The importance of compliance with GDPR in relation to our service users is
DOTW may share data with other agencies where consent to do so has been granted by the service. The Service User will be made aware in most circumstances how and with whom their information will be shared.
There are circumstances where the law allows DOTW to disclose data (including sensitive data) without the data subject’s consent.
- Carrying out a legal duty or as authorised by the Secretary of State
- Protecting vital interests of an Individual/Service User or other person
- The Individual/Service User has already made the information public
- Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- Monitoring for equal opportunities purposes – i.e. race, disability or religion
- Providing a confidential service where the Individual’s consent cannot be obtained or where it is reasonable to proceed without consent: e.g. where we would wish to avoid forcing stressed or ill Individuals/Service Users to provide consent signatures.
DOTW will, through appropriate management and strict application of criteria and controls:
- Ensure that all staff who have access to patient records as part of their role will have confidentiality clauses in their employment contracts.
- When we work with other organisations in any kind of partnership that could result in sharing of patient data, ensure that an MoU is in place that highlights each organization’s responsibilities under GDPR;
Data collection and consent
Informed consent is when
- An Individual clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data
- And then gives their consent.
- We will always seek to record this consent in writing. To ensure that the consent form is understood, we will endeavor to have it translated into our most commonly used languages. When we see a service user who does not speak one of those languages, we will go through the consent form with them using a telephone interpreter.
- We will produce separate consent forms for children and for young people, that can be signed by their legal guardian.
Legitimate Interest is when
- An Individual has shown an explicit interest being supported by DOTW, by attending the DOTW clinic or by calling our helpline for advice.
Provision of direct care
Explicit consent under the GDPR is distinct from implied consent for sharing for direct care purposes under the common law duty of confidentiality. The GDPR creates a lawful basis for processing special category health data when it is for the provision of direct care that does not require explicit consent. GP data controllers must establish both a lawful basis for processing and a special category condition for processing.
- The lawful basis for processing special category health data for direct care is that processing is:
‘necessary… in the exercise of official authority vested in the controller’ (Article 6(1)(e)).
- It is also possible for NHS GP practices to rely on ‘processing is necessary for compliance with a legal obligation to which the controller is subject’ (Article 6(1)(c).
The special category condition for processing for direct care is that processing is:
‘necessary for the purposes of preventative or occupational medicine for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…’ (Article 9(2)(h)).
When relying on Articles 6(1)(e) and 9(2)(h) to share data for the provision of direct care, consent under GDPR is not needed. However, in addition to the GDPR, data controllers must also satisfy the common law duty of confidentiality. In order to satisfy the common law data controllers can continue to rely on implied consent to share confidential health data for the provision of direct care. The most common example of when consent can be implied is when a patient agrees to a referral from one healthcare professional to another. In these circumstances, when the patient agrees to the referral this implies their consent for sharing relevant information to support the referral (unless the patient objects). The referral information can then be disclosed under GDPR using articles 6(1)(e) and 9(2) (h) as above.
DOTW will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, online or by completing a form.
When collecting data, DOTW will ensure that the Individual:
- Clearly understands why the information is needed
- Understands what it will be used for and what the consequences are should the Individual decide not to give consent to processing
- As far as reasonably possible, grants explicit consent, either written or verbal for data to be processed
- Is, as far as reasonably practicable, competent enough to give consent and has given so freely without any duress
- Has received sufficient information on why their data is needed and how it will be used
Handling service user data
DOTW may collect your data as a service user in order to provide you with a service. This may include confidential medical information.
We will ensure your data is handled securely by
- Ensuring our database is secure:
The CRM is hosted upon Amazon’s AWS platform which meets a variety of security requirements: http://aws.amazon.com/security/. Additionally the AWS platform will maintain backups – if there are specific requirements in this regard they can be modified via the AWS admin tools. The platform meets Information Security Standard ISO 27001. The AWS firewall configuration is to only allow public (Internet) access to the server running the CRM on ports 80 and 443. Port 80 is the unsecured http port and will only ever respond with a redirect to the secured https port 443 ensuring all communication with the CRM is encrypted. Note that the use of the word ‘public’ in the above does not mean it is possible to access the CRM without authenticating. A username and password combination is used to control access rights. The data for the CRM is held in a MySQL database hosted in and backed up by Amazon’s Relational Database Service (RDS).
- Sharing information using secure means of communication
Only sharing your data (with appropriate consent) using secure or encrypted means of communication. We will use Egress Switch to send encrypted emails; we will post information; we will share information on the telephone. If using fax services (as commonly used in hospitals) we will seek your express consent first.
- Storing your data for the appropriate length of time.
We will follow BMA guidance on storage of patient records, which states that
- People accessing service user records
Staff or volunteers with access to service user records will have confidentiality clauses inserted into their contracts/volunteer agreements.
Storing service user data
We will follow BMA guidance that states:
‘Electronic patient records (EPRs) must not be destroyed, or deleted, for the foreseeable future.’
Retention of paper files will follow BMA guidance that can be found here:
Service users and their:
- Right to be informed
We will ensure that service users are informed about the collection and use of their personal data. We will do this by having each service user read, tick and sign a consent form
- Right of access
We will ensure that service users have the right to access their personal data and supplementary information free of charge. This will be provided within one month of receipt having used reasonable means to verify the identity of the person.
- Right to rectification
We will ensure that service users have the right to to have inaccurate personal data rectified, or completed if it is incomplete
the Data Protection Bill states that personal data is inaccurate if it is incorrect or misleading as to any matter of fact. Determining whether personal data is inaccurate can be more complex if the data refers to a mistake that has subsequently been resolved. It may be possible to argue that the record of the mistake is, in itself, accurate and should be kept. In such circumstances the fact that a mistake was made and the correct information should also be included in the individuals data
- Right to erasure
The GDPR introduces a right for individuals to have personal data erased, with exceptions as explained here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
- Right to restrict processing
An individual can limit the way that DOTW uses their data. This is an alternative to requesting the erasure of their data.
- Right to data portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. In practical terms this will often be in the form of a supporting letter written for service users
- Right to object
Individuals must have an objection on “grounds relating to his or her particular situation”.
You must stop processing the personal data unless:
- you can demonstrate compelling legitimate grounds for the processing, which override the interests, rights and freedoms of the individual; or
the processing is for the establishment, exercise or defence of legal claims.
See the BMA: GPs as data controllers under the General Data Protection Regulation https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/gps-as-data-controllers
Doctors of the World’s Refund Policy
At Doctors of the World, our supporters are really important to us and we work hard to ensure you are happy when making a donation. However, we realise that sometimes errors can happen.
Charity law and regulation guides us and all registered charities as to when we are and are not permitted to refund donations. We abide strictly by those laws and regulations. We are only able to refund a donation in certain prescribed circumstances. The Charities Act 2011 can be found here.
If you believe that a donation you have made should be refunded or you wish to speak to our donations team, please do not hesitate to contact us.
Email us at firstname.lastname@example.org or give us a call on 020 7167 5789.
If you become aware that your card has been used fraudulently, please contact your card provider.