Privacy Policy


We, St Gemma’s Hospice and St Gemma’s Hospice Services Ltd (St Gemma’s), pride ourselves on being open and transparent with our patients, their families, our supporters, staff and anyone else who comes into contact with the Hospice, about how their personal data is stored and used. This includes the processes we adopt when we ask for donations to keep our organisation running.


Purpose of this policy

This Privacy Policy explains what personal data we may collect about you, how we use it, and the steps we take to ensure that it is kept secure.

This includes, when you use this website at www.st-gemma.co.uk, or when you otherwise get in touch, for example by telephone, email or through face to face interactions. We also explain your privacy rights and how the law protects you, including how we comply with the General Data Protection Regulation (“GDPR”), and all other related privacy laws and any codes of practice issued by the Fundraising Regulator or the Information Commissioner.

Additional information may be provided on particular pages of this website for example, on any specific pages where we collect personal data and you should also refer to those.

It is important that you read this privacy policy together with any statements or fair processing notices we may provide on specific occasions when we collect or process personal data so that you are fully aware of how and why we are using your data. This privacy policy supplements those other notices and is not intended to override them.



Personal data means any information about an individual from which that person can be identified. It does not include data which has been anonymised such that a person’s identity has been removed.

We collect personal data in a number of ways, and for a number of reasons. For example, we may collect and hold information from donors and supporters in order to make better decisions about how we raise and spend funds. As a registered charity, our Hospice relies on the people living in its local community for support – both financially and in kind. By gathering information about our community we can fundraise more efficiently and get the right information to the right people based on what they want to see. Ultimately this means our hospice is able to continue to provide excellent care to those who are dying and to support their families and friends.


Your data may come to us:

  • through face to face interactions, through this website, by email, over the phone, or on paper (such as from any form you complete)
  • directly from you such as when you make a donation; when you sign up to an event or activity; when you join our lottery; when you sign up as a Gift Aid donor in one of our shops or when you sign up as a volunteer.
  • from another organisation for example, where you use fundraising sites such as Just Giving, Much Loved and Enthuse to fundraise for St Gemma’s Hospice. These organisations may share your personal data with us if you allow them to do so.
  • from social media sites or apps. If your settings and preferences allow, we may obtain information (including personal data) from social media services such as Facebook and Twitter.
  • automatically in the case of technical data, for example as you interact with our website including via the use of cookies and similar technologies.


Information about other people

If you provide personal data to us relating to any person other than yourself, you must ensure before you do so that they understand how their personal data will be used and that you are authorised to disclose it to us, and to consent to its use on their behalf. You should bring this privacy policy to their attention.


The personal data we collect

We will only use your personal data when the law allows us to, and in accordance with this privacy policy. We ensure that we comply with our obligations as a charity.  We may process your personal data for more than one lawful basis, depending on the specific purpose for which we are using your data.

The type and quantity of personal data we collect and how we use it depends on why you are providing it. Occasionally we may ask for your date of birth, for example, if there is an age restriction on an event or activity you have chosen to take part in (e.g. lottery players must be over 16).

The following table explains the main types of personal data which we may collect, use, store and transfer. It also explains the purposes for which we use different categories of personal data, and the lawful basis or bases which we believe applies to those uses:


Purpose Types of personal data used Lawful basis for processing
To manage our relationship with you as a patient or service user, for example to communicate with you and to provide you with the correct care and treatment. Identity and Contact Data such as your name, home address and date of birth.

Child Data where relevant, for example, if you are accessing the Young People’s Service

Necessary for performance of our contract with you, compliance with our legal obligations, and for our legitimate interests in providing you with our proper ongoing care and treatment.
To provide you with information where necessary, as the next of kin of one of our patients. For example, to contact you in the case of an emergency or to facilitate any elements of patient care. Identity and Contact Data such as your name, home address, date of birth Necessary for our compliance with our legal obligations and for our legitimate interests in providing you with necessary information about the patient, as part of our provision of proper care for that patient.
To manage our relationship with you as a volunteer or an employee, for example to contact you, or to carry out any necessary administration. Identity and Contact Data Necessary for our legitimate interests in managing our volunteer network to support our organisation.
To process your application for a job or volunteer role with us, including if you are between the ages of 14-16 and apply to volunteer in our retail network or at our fundraising events, to volunteer as part of a formal work experience arrangement with your school, or as part of the Duke of Edinburgh Scheme. Identity and Contact Data

Career and Interests Data including any CV, career history information or references.

Child Data including name, home address, date of birth and information about their education.

Necessary for our legitimate interests in the operation of our organisation in order to be able to respond to you and to consider you for a role within our organisation.

Where we collect and process Child Data in the context of an application for volunteering, we do so on the basis that it is in our legitimate interests to be able to consider and respond to you.

To provide any products or services you request to you, including taking payments and contacting you where necessary in relation to the same and to communicate with you in the event that any products or services requested are unavailable or if there is a query or problem with your request. Also to detect and reduce fraud and credit risk. Identity and Contact Data

Financial Data including bank account numbers and details


Necessary for the performance of the contract that you have entered into with us, and for our legitimate interests in the operation of our organisation in order to be able to collect and process payments.
To administer this website, including troubleshooting, data analysis, testing, system maintenance and support Identity and Contact Data

Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug in types and versions, operating system and platform and other technology on the devices you use to access this website. This may also include information about how you use our website and our services.

Profile Data such as username and password details, demographic postcode preferences and interests, and information such as feedback and survey responses.

Necessary for our legitimate interests in providing and improving our website and customer service to you, to improving the services we offer you and to ensuring our website operates properly and for network security.
To ensure our third-party service providers can perform their obligations to us. Identity and Contact Data

Technical Data

Profile Data


Necessary for our legitimate interests in ensuring that our third party providers such as external consultants and contractors are able to provide support services to us.
To deal with new enquiries Identity and Contact Data, including any data you provide when completing the ‘Contact Us’ form on this website.

Child Data

Necessary for our legitimate interests in the operation of our organisation in order to be able to respond to and deal with new enquiries.

Where we collect and process Child Data in the context of a new enquiry, we do so for our legitimate interests in the operation of our organisation in order to be able to respond to and deal with new enquiries.

To facilitate your account if you join our lottery, including undertaking any necessary age restriction checks and fraud prevention measures. Identity and Contact Data

Financial Data


Necessary for the performance of the contract that will be in place between us.
To administer a donation you make to us, or to administer you as a gift aid donor. Including complying with Gift Aid requirements and communicating with you in the event of a query. Also detect and reduce fraud and credit risk. Identity and Contact Data

Financial Data

Necessary for the performance of the contract that will be in place between us, and for our legitimate interests in the operation of our organisation in order to be able to collect and process donations.
To sign you up for, and communicate with you in relation to an event or activity you wish to take part in. Identity and Contact Data

Financial Data

Child Data

Necessary for the performance of the contract that will be in place between us and for our legitimate interests in the operation of our organisation in arranging and facilitating fundraising and awareness events and activities.

Where we collect and process Child Data in the context of an event, we do so for our legitimate interests in the operation of our organisation in arranging and facilitating fundraising awareness events and activities.

To communicate with you once you have decided to leave the hospice as a volunteer, so that we can send you information about new events or activities you may wish to take part in in the future, or to send you any other information we think you may find interesting.  

Identity and Contact Data

Necessary for our legitimate interests in developing, marketing and promoting our organisation.
To undertake market research in order to improve the products and services we offer. Identity and Contact Data

Profile Data

Necessary for our legitimate interests to ensure that the goods and services we provide and the work we do are appropriate.
To create a profile about you to understand your preferences, including analysing demographic and geographic information so that we can enhance your experience and relationship with us, understand and respect your preferences and to provide information and details of relevant offers and opportunities where you have agreed to receive them. We may undertake in-house research and engage third party organisations such as fundraising agencies to help us identify people who may be able to support us with a larger gift or in other ways, using publicly available records. We may also collect information on your interests, for example board memberships, hobbies, or articles about you in the media. We use this information to tailor our communication with you and invite potential supporters to meetings, groups and events which may be of interest to you. Identity and Contact Data

Profile Data

Necessary for our legitimate interests to ensure that our fundraising work is effective and to improve our ability to meet our aims.

Where it is appropriate we may also ask for:

  • information relating to your health (for example if you are taking part in a high risk event such as one of our treks or skydives)
  • how you heard about the event/activity/Hospice
  • why you have decided to donate to us. We understand that you may have private reasons and we only want to know the answer if you are comfortable telling us
  • your bank or credit card details (these are used for the single transaction only and are destroyed after use)

Consent and lawful processing of personal data

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.  Please see the table above for further information.

Where we refer to legitimate interest above we have carried out a legitimate interest assessment (LIA) which we keep under review and are confident that the individual’s interests do not override those legitimate interests.

IP addresses

In order to understand how users use this website and our services, we may collect your Internet Protocol addresses (also known as IP addresses). Your IP address is a unique address that computer devices (such as PCs, tablets and smartphones) use to identify themselves and in order to communicate with other devices in the network.



We use cookies on the St Gemma’s websites to make your browsing experience more efficient and enjoyable.

Cookies are small text (.txt) files containing basic information about a particular website and user. We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs.

If you would like to disable cookies, you can change your browser settings to reject cookies. However, this may negatively affect how some of our content is displayed and how our website functions.

For more information about cookies, visit www.aboutcookies.org.


Links to other websites

Please note this website may contain links to other websites that are not controlled by us. These links are provided for your convenience. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We are only responsible for our privacy practices and our security. We recommend that you check the privacy and security policies and procedures of each and every other website that you visit and each organisation that holds your personal data.


Disclosing your personal data

We do not sell personal data.

In order to provide our products and services, we may, occasionally, appoint other organisations to carry out some of the processing activities on our behalf. These may include, for example, technology hosts, event administration, printing companies and mailing houses. In these circumstances, we will ensure that your personal data is properly protected and that it is only used in accordance with this Privacy Policy and our instructions.

We use third party electronic payment providers such as World Pay to administer some transactions. They have their own privacy policies and we encourage you to read them.

On very rare occasion, we may be required to disclose your details to the police, regulatory bodies or legal advisors or to comply with a court order or a legal obligation. In these circumstances we would be careful to only provide information that we are required to provide.


Special categories of data

By the nature of what we do, we may need to process ‘special categories’ of data for clinical purposes. A special category of data would include details about your race or ethnicity, sex life, sexual orientation, and information about your health and genetic data.

St Gemma’s is a local, independent charity and we are not part of the NHS, but we do work very closely with all NHS services in Leeds. Clinical information is part of the NHS records system. This allows us to share information securely with your GP and other care professionals.

If you are a patient or service user, we may contact you with important information regarding your care or support available to you, in the way that you have requested.

If you are the next of kin of a patient, we may contact you in the event of the death of a patient with further information on our services, for example, to offer bereavement support.

If you have agreed to take part in a clinical research study, the information about your health and care may be provided to researchers running other research studies in this organisation and in other organisations. These organisations may be universities, NHS organisations or companies involved in health and care research in this country or abroad. Your information will only be used by organisations and researchers to conduct research in accordance with the UK Policy Framework for Health and Social Care Research.

In accordance with NHS guidance, the Hospice has an appointed Caldicott Guardian; a senior member of staff responsible for protecting patient confidentiality and enabling appropriate sharing. The sharing of sensitive personal information is strictly controlled by law. We will consult you before information about you is shared to ensure we act with your consent. If you are unable to consent for any reason, we will only share information where it is in your best interests to do so.

If you are unable to consent to the processing of your personal data for any reason, for example if you are physically or legally incapable of giving your consent we will only share your information on the basis that it is necessary in order to protect your vital interests, and it is also necessary in our legitimate interests in providing our proper care to you.

We may also process special categories of data about you if we need to assess your health needs such as to administer medicine to you or for the purposes of medical diagnosis. We would process your data in this way on the basis that it is necessary for the purposes of preventative or occupational medicine, or for medical diagnosis, as well as it being in our legitimate interests in providing our proper care to you.

We may need to contact you for various reasons in a number of ways. If you have given consent to receive direct marketing via email or text message or there is legitimate interest to contact you via telephone or post, we may use your data, including identity and contact data, technical data and marketing and communications data, to contact you with further information about St Gemma’s, our work, fundraising requests and any news or upcoming events. We need to do so in order to support Hospice needs. Where relying upon legitimate interests as the legal basis for doing so, we carry out and keep under review a legitimate interests assessment to ensure that your rights are not outweighed by those interests. We will not send you such communications if we know that you are a child.

Email communications may contain tracking beacons/tracked clickable links or similar server technologies in order to track subscriber activity within email marketing messages. Where used, such marketing messages may record a range of subscriber data relating to engagement, geographic, demographics and already stored subscriber data.

We will usually try to tailor the communications we send to you so that they are relevant and in line with the preference options you have chosen which form part of the personal profile we will create for you.

Preferences / Subscribe / Unsubscribe

You and any other person whose personal data you have provided to us can change your/their mind about whether you wish to receive information.

You can change your preferences at any time by using any of the methods shown below (see the section ‘Updating and correcting personal data’) or by following the instructions with each communication you/they receive.

Please note it may take up to one month for your changes to be implemented and for communications to start or cease.

We take the security of personal data seriously. We employ security technology, including firewalls, and encryption to safeguard personal data and have procedures in place to ensure that our paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.

Personal data in our databases is only accessible by appropriately trained staff and volunteers who need to access your personal data as an essential part of their role. All access is tracked through individual login credentials.

We only use third party service providers where we are satisfied that the security they provide for your personal data is at least as stringent as we use ourselves. They will only process your personal data on our instructions, for specified purposes, and are subject to a duty of confidentiality.

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

To determine the appropriate retention period for personal data, we consider the requirements of our organisation and the services provided along with the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and the applicable legal requirements.

In some circumstances, we may anonymise personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further policy to you.

Everyone who has supported the Hospice in some way will hear from us at least once a year. Please see below explanations on how and if you will receive direct marketing from us.

Emails and Text messages

Under the Data Protection Act 2018 (“DPA”) and the Privacy and Electronic Communications Regulations (EC Directive) Regulations 2003 (“PECR”), we cannot send direct marketing information to you via text or email without your specific consent to use these channels, even if you’ve supplied your email address or mobile number to us in the past. Therefore, we will obtain your express consent before proceeding to send you direct marketing information.

Post and telephone marketing

It is not a legal requirement that we obtain explicit consent to contact you with direct marketing information via traditional mail or over the telephone if you have supplied us with your contact details. We will only contact you about something which is relevant to how you’ve contacted us or supported us in the past.

We will always provide details in our communications of how you can opt out.

If we ever need to transfer your personal data to other territories outside of the United Kingdom or the European Economic Area, we will take proper steps to ensure that it is protected in accordance with this Privacy Policy and applicable privacy laws.

St Gemma’s Hospice operates a Closed-Circuit Television (CCTV) surveillance system at the Hospice and our retail outlets, with images being monitored and recorded centrally. The system is owned, operated and managed by St Gemma’s Hospice. Images obtained from the system which include recognisable individuals constitute personal data and are covered by the GDPR and Data Protection Act 2018. As an organisation, St Gemma’s Hospice takes appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction of or damage to personal data from its collection or creation, including how it is stored, all actions performed with and on the data and its disposal. St Gemma’s Hospice therefore only holds information which is necessary for legitimate business interests and restricted access where deemed necessary.

The primary purpose for use of CCTV by St Gemma’s Hospice is defined as:

St Gemma’s Hospice CCTV is used for maintaining public and patient safety, the security of property and premises and for the detection, prevention and investigating of crime. The information processed may include visual images, including personal appearance and behaviour of those displayed and recorded on the system.

The use of CCTV is regulated to provide consistency and compliance with the following relevant legislation.
• Requirements for processing personal data as set out in the GDPR and Data Protection Act 2018
• The Protection of Freedoms Act 2012
• Right to privacy as set out in Article 8 of the Human Rights Act 1998
• Regulation of Investigatory Powers Act 2000 (RIPA)
• The Crime and Disorder Act 1998 (regarding disclosure to investigators)

Images captured by the system are recorded continuously and may occasionally be monitored real time/live by St Gemma’s Hospice. No images displayed on monitors are visible from outside the premises and access to operate the system is strictly limited. No images, recordings or information gathered by the system shall be stored any longer than is required for the stated purpose. Relevant images or recordings or information will be deleted once their purpose has been discharged. If there is no legitimate reason to keep the recording, the data will be erased – in normal use images are overwritten and deleted automatically approximately every 50 days. All staff with access to the CCTV system are trained and made aware of the sensitivity of handling CCTV images and recordings.

Privacy laws and practice are constantly developing and we aim to meet high standards. Our policies and procedures are, therefore, under continual review. We may, from time to time, update our security and privacy policies.

We will ensure our website has our most up to date policy and suggest that you check this page periodically to review our latest version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

In order to save the Hospice money, we use data cleansing services to update us on people who have moved home or who have died. If you have registered a change of address with the Post Office’s National Change of Address database, we will update your details through this mechanism. Similarly, for relevant activity, if you use the Fundraising Preference Service to withdraw consent to receiving direct marketing from us, we will amend our records accordingly.

You may update or correct your personal data by visiting www.st-gemma.co.uk/mydata or by contacting us at the address below, asking us to update your details. Please include your name, address and/or email address when you contact us as this helps us to ensure that we accept amendments only from the correct person.

If you are providing updates or corrections about another person, we may require you to provide us with proof that you are authorised to provide that information to us. You must also ensure that you have that person’s consent to pass on their details and make them aware of this privacy policy.

You have a number of legal rights in respect of your personal data. Depending on the circumstances, these may include:


  • access. The right to receive a copy of the personal data that we hold about you. The same right applies to any other person whose personal data you provide to us. We will require proof of identity and proof of authority if the request comes from someone other than the person whose data we are asked to provide. This will ensure we only provide information to the correct person. We normally expect to respond to requests within one month of receiving them.
  • withdraw consent to direct marketing. You can exercise this right at any time and can ask us to do update your preferences. See section ‘Updating and correcting your personal data’ above for details.
  • withdraw consent to other processing. Where the only legal basis for our processing your personal data is that we have your consent to do so, you may withdraw your consent to that processing at any time and we will have to stop processing your personal data. Please note, this will only affect a new activity and does not mean that processing carried out before you withdrew your consent is unlawful.
  • rectification. If you consider any of your personal data is inaccurate, you can correct it yourself or ask us to do it for you (see section ‘Updating and correcting your personal data’ above for details).
  • restriction. In limited circumstances you may be able to require us to restrict our processing of your personal data. For example, if you consider what we hold is inaccurate and we disagree, the processing may be restricted until the accuracy has been verified.
  • erasure. Where we have no lawful basis for holding onto your personal data you may ask us to delete it.
  • portability. In limited circumstances you may be entitled to have the personal data you have provided to us sent electronically to you for you to provide to another organisation.
  • to complain to the Information Commissioner’s Office. This is the UK supervisory authority for data protection issues. You can find information on how to make a complaint at www.ico.org.uk. We would however, like the opportunity to assist with any concerns before you approach the ICO, so please contact us in the first instance using the details above.

Exercising your rights

Please contact us if you wish to exercise any of your rights.

You will not have to pay a fee to access your personal data (or to exercise any other rights). However, we may charge a reasonable fee if your request is considered unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure personal data is not disclosed to a person who has no right to receive it. We may also contact you to ask you to clarify your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests, in which case we will keep you updated.

This privacy policy is issued on behalf of St Gemma’s Hospice and St Gemma’s Hospice Services Ltd (“we” / “our”/ “St Gemma’s”) and we are the data controller in respect of all personal data collected by us on this website or otherwise.

If you have any questions about this policy including any requests to exercise your data privacy rights, please contact our Information Manager, Tony Deighton.


Website: www.st-gemma.co.uk

Email: Tony.Deighton@st-gemma.co.uk

Phone: 0113 218 5500

Mail: Tony Deighton
St Gemma’s Hospice
329 Harrogate Road
LS17 6QD

St Gemma’s Hospice Privacy Policy V6, last updated July 2022