We take your privacy seriously and are committed to protecting your personal information. This Privacy Notice sets out the way in which your personal information will be used by us if you are a patient or loved one accessing Day One Trauma Support services. This Notice also provides information on how we process the personal data of other categories of individuals with who we interact for the purposes of delivery our services, for example, NHS staff and partnering organisations.
This Privacy Notice explains:
- Why this policy may be updated
- Who we are
- When we collect information
- What information we collect
- Special Category Data
- What your information is used for
- Sharing of your information
- Lawful basis to process your data
- Storage and security of your data
- How long we keep your data for
- Your rights
- Changes to this policy
- How to contact us to change your preferences or make a complaint
Recent updates
We have updated our Notice in line with UK data protection law which includes but not be limited to the UK Data Protection Act 2018, the Data protection, the UK General Data Protection Regulation (UK GDPR) and the Privacy and Electronic Communications Regulation (PECR). This Notice is intended to inform you about our processing activities in accordance with the requirements of the UK GDPR. Our full Data Protection Policy is available upon request. We have made it easy for you to let us know if you would like to change the way we process, store and use your data and the details can be found in the ‘contact us’ section of this document.
This Notice was last reviewed on 16 January 2024. You should make sure you revisit this Notice in the future to understand any amendments to the way we process your data.
Who are we?
Day One Trauma Support is a charity registered in England and Wales under sections 67 and 69 of the Charities Act 2011 (registration number 1194227) and a company limited by guarantee (company number 13155922). Our registered address is: Day One Trauma Support, ROOM LGI 12/0B017, Brotherton Wing B Floor, Leeds General Infirmary, Leeds, LS1 3EX
Day One Trauma Support exists to provide practical and emotional support to people affected by major trauma so that they can make the best possible recovery.
“we,” “our,” “us” are references to Day One Trauma Support.
For the purposes of UK data protection law, we are the data controller in respect of the personal information which we hold about you.
When do we collect information?
When we collect data directly from you.
For example:
- As a patient and you speak with our volunteers or case workers, or when you complete our Day One referral forms or emergency funding application
- If you are a family member or otherwise connected to a patient and you speak to our volunteers or case workers or when you complete our Day One referral forms or emergency funding applications.
- When you are NHS staff speaking with volunteers or case workers or completing Day One referral forms or emergency funding applications on behalf of patients or family members.
- As an NHS staff member, if you complete a Grant Fund Application Form seeking funding for (e.g.) training, education of research in the field of major trauma care when you are referred to us
We might gather personal information about you from third parties. For example, we will most likely receive your details via a referral from NHS Trust in the first instance. The Trust may also assist you in completing application forms for emergency grant funding, accommodation or taxis, and they may provide information to us on your condition to assist us in assessing the support you and your family requires. We may also receive your information in this way if you are a family member or otherwise associated with the patient. For a list of the NHS Trusts we work with please see the ‘Do we share your personal information?’ section below.
- The patient may provide the details of their family members or others they are associated with when they apply for services on your behalf.
- Any third party authorised to act on your behalf (whether you are the patient or family member).
- Our volunteers or case workers may provide us with your details if you are a member of NHS Staff who is acting as a point of referral for a particular patient or family member.
- When you interact with our digital platforms, we do not automatically capture or store personal data from our visitors, but we may automatically capture other information about your visit. This is to help us better understand how supporters use our digital platforms to enable us to create better content and more relevant communications:
- how you have reached our digital platform and the internet protocol (IP) address you have used
- your browser type, versions and plug-ins, and your operating system
- your journey through our digital platform, including which links you click on and any searches you made, how long you stayed on a page, and other page interaction information
- which videos you have watched and for how long
- what content you like or share
- which adverts you saw and responded to
- which pop up or push messages you might have seen and responded to
- demographic information such as geographical location and gender if available
- information collected in any forms you complete
- we may also analyse which marketing activity led to your taking specific action on our digital platforms (e.g. following our Twitter page).
Cookies
The Day One Trauma Support website in common with many other website operators, uses standard technology called 'cookies' to make your site visit an effective experience.. Cookies are small pieces of information that are stored by your browser on your computer's hard drive, and they are used to record how you navigate this website on each visit. When we use non-essential cookies, we will ask for your consent.
Third party links
Please note that our website and other digital platforms may contain links to third party websites/digital platforms which are provided for your convenience.
Day One Trauma Support is only responsible for the privacy practices of our own websites and digital platforms. We recommend that you refer to the Privacy Policy of each website/digital platform you visit.
What information do we collect?
We may collect, store and use the following types of information about you depending on the level and type of interaction that you have with us:
- Your name, address, phone number, mobile number, email address and your communication preferences
- Your date of birth
- Details of your stay in hospital (date of admission, name of consultant, cause of injury, ward or location)
- Where we use your story of how we helped you and your loved ones we will collect images, records and any details of your experience which may be used to demonstrate the effectiveness of our services
- Relationships between you and your family/the patient
- Reasons why the emergency funding, accommodation or travel is required
- Details of the referral (date, person making referral)
- Bank account details
- Employment details
- Information automatically gathered when you access our website (see ‘When you visit this website’ above)
Do we collect Special Category Data?
This is personal data which the UK GDPR states as being more sensitive and therefore requires more protection. Examples of special category data are information about your health condition, religious beliefs, race, ethnicity, sexual orientation, and political opinions.
We do collect special category data when we are required to do so, for example:
- We will collect details of your major trauma injuries in order to assess whether we can be of assistance and to discuss the services we can offer you (with your prior approval).
- We will collect details of relationships of family members or others you may be connected with which may require collecting details of your sexual orientation, for which we will ask for your explicit consent. In certain circumstances such as where we may need to safeguard you in your best interests, we may rely upon schedules 1 and 2 of the data protection act 2018.
What do we use your information for?
We process and use your personal information for a number of activities:
- To contact you and to provide you with the services you have requested from us
- To assess whether we can assist you during your recovery journey
- To assess applications for funding and to verify that you are entitled to funding
- Keeping you informed about our work, products and services
- Managing your communications preferences and consents where relevant
- Informing you of ways you can help including asking for financial and non-financial support such as fundraising, research projects and evaluation of our services
- Offering you additional support opportunities
- Sending you materials about fundraising, campaigning and events
- Understanding your relationship with us.
- Analysis to understand how we can improve our services, products or information as well as sending you tailored communications and displaying relevant adverts.
- Analysis to ensure communications are appropriate to the recipients to ensure maximum cost effectiveness
- In some circumstances we may analyse the information we collect about you to create a profile of your likely interests and ability to support us, including potential giving level, influence or legacy you may be able to leave. This may be collected from publicly available sources. Where necessary, this will be done with your consent.
- Prevent fraud, misuse of services or money laundering and perform due diligence where required.
- Financial management and audit of our accounts.
- When you are a major trauma patient.
- When you are the family member of a major trauma patient.
- When you are NHS Staff involved in the referral and/or delivery of services.
- When you apply for grants on behalf of third parties.
- When you are a contact of one of our partnering organisations.
Do we share your personal information?
We will not sell, trade or lease your personal information to others.
NHS Trusts
We will most likely receive your details via a referral from an NHS Trust in the first instance. We work with the West Yorkshire Major Trauma Network made up of following NHS Trusts: Leeds Teaching Hospitals NHS Trust, Airedale NHS Foundation Trust, Bradford Teaching Hospital NHS Foundation Trust, Harrogate and District NHS Foundation Trust, Calderdale and Huddersfield NHS Foundation Trust, and the Mid Yorkshire Hospitals NHS Trust.
We might need to share information with the relevant NHS Trust to organise services on your behalf (e.g. accommodation at Leeds General Infirmary within the Major Trauma Centre).
We have data sharing agreements in place with the NHS Trusts that we share data with.
The NHS Trusts are acting as controllers in their own right, and you should check their privacy notices for information on how they use your personal data.
Partners of Day One
We partner with a number of organisations for the purposes of the Day One services, including:
- If you are a family member of a patient, we might assist you with arranging accommodation. Where this is the case, we may pass your name and contact details to a hotel.
- If we arrange taxi travel on your behalf, we will pass your name and contact details to the taxi company with whom we maintain an account.
- Free welfare benefits advice clinic on the ward.
- Peer support from ex-patients and family members who have travelled the trauma journey.
- Initial legal advice on injuries suffered. We partner with a number of solicitor’s firms who we can refer you to. You are not required to select a firm that we have appointed as a legal panellist.
- Counselling.
When any of our partners receive your personal data to provide a service to you, they are acting as controllers in their own right and you should check their Privacy Notices for information on how they use your personal data.
Our Service Providers
We contract third party service providers and suppliers to deliver certain services. Our third party service providers are required to take appropriate security measures to protect your personal information in line with our policies.
Our service providers change from time-to-time and we will inform you of this by updating this privacy notice.
We may share your details with our third party IT providers, who assist us in providing our systems and databases. Our current IT provider is Eitex, Whistler Drive, Castleford, West Yorkshire, WF10 5HW.
Others we may share your data with
- We may provide your personal information to third parties in connection with any sale, merger, acquisition, disposal, reorganisation or similar change in our organisational structure
- Any other person who is authorised to act on your behalf;
- We will also provide your personal information to third parties where there is a legal obligation to do so, for example to regulators, government departments, law enforcement authorities, tax authorities and any relevant dispute resolution body or the courts;
- Any relevant dispute resolution body or the courts;
- We may need to disclose your details, if required, to the police, regulatory bodies or legal advisors, to comply with our legal obligations.
- We may share your details with our service providers who assist us with fundraising appeals on our behalf.
We may share your details with our third-party IT providers, who assist us in providing our systems and databases.
Sharing data outside of the EEA countries and the UK
With the exceptions shown directly below all other data that we collect from you will be stored in the UK or the European Economic Area (EEA) or any other adequate country. We will not transfer your personal data outside the EEA or the UK or where there is adequacy without ensuring there are sufficient safeguards in place equivalent to those offered by UK data protection law. The exceptions to this are:
- use of a bulk email provider called Mailchimp. This company is based in the US and by using their services we do pass your data to them. We will only pass data relevant to sending you any bulk emails such as our newsletter. We do not use Mailchimp for any one-to-one email communications you have with us.
- an event management platform called Eventbrite to administer event registrations. They are based in the USA and if you sign-up for an event using this platform, your data will be captured there.
Our lawful basis for processing your data
The UK GDPR states that organisations must have a lawful basis in order to process personal data. There are 6 lawful basis for processing available within the UK GDPR. They include but are not limited to;
Specific consent and explicit consent
We generally ask for explicit consent to process your data as our services mean that we need to have an understanding of your trauma injury, which is information related to your health. Due to the nature of our services, we are not always able to obtain explicit consent directly from the patient as the patient may be unable to explicitly consent due to their condition or age. Therefore, where appropriate, we may obtain explicit consent from an authorised third-party representative of the patient instead such as in the case of a child, a parent or guardian. In the case of an adult such consent might only be valid if the individual granting the consent had power of attorney. Therefore, where we cannot obtain explicit consent directly form the patient and third party consent may not be valid, we will process the personal data including special category data in the legitimate interest of Day One with a suitable exemption to such grounds for processing. This may include use of a UK GDPR article 9 clause. You have the right to withdraw your consent or explicit consent for any purpose at any time. However, withdrawing your consent or explicit consent may affect our ability to support you.
Legal obligation
We may process your data wherever we have a legal or regulatory obligation, such as reporting to the Charity Commission, Fundraising Regulator, Information Commissioner or Gambling Commission, or process Gift Aid.
Legitimate interests
This enables us to process your data where it is in our interest to do so, providing such interests are not overridden by your interests or fundamental rights and freedoms. Our legitimate interest will frequently also be the interests of the individual identified by the data we process.
We consider our legitimate interest to include delivering our support services, administering the charity, communicating with you by phone and post and analysing data to better understand you and others who provide support through time, money and/or voice.
In order to meet our charitable aims we need to undertake processing activities, this will enable us to deliver against our mission, govern our charity and support operational administration. These activities may include but are not limited to
- Recording your communication preferences and consent, including keeping limited data to ensure we don’t contact you if you have asked us not to.
- Using the data we have collected to analyse and profile those who use the Day One Services to enable us to manage the services, and to recognise and implement improvements. We do this as long as it does not override your rights and freedoms, in which case we will ask for your consent.
- Keeping records up to date and accurate through the use of third-party registers (such as National Change of Address from Royal Mail)
- Use of personal information when we are monitoring use of our website for technical information and ability to improve.
- For NHS Staff involved in the referral or provision of the scheme, our legal basis for collecting appropriate employment details is in our legitimate interest.
- To contact you by post or phone (live calling only, no automated messages) to let you know about ways you can support the charity
How do we secure your data?
We ensure we employ appropriate technical measures to keep your data safe. For example, we encrypt our online forms and the network is routinely monitored we use industry standard SSL certificates and are PCI compliant.
The majority of our information technology is provided and serviced by Eitex, Whistler Drive, Castleford, WF10 5HW
When we use other external companies to collect or process your data on our behalf, we undertake due diligence before we agree to engage with them and our contracts will include appropriate data security controls.
How long do we keep your data for?
Generally, we will not hold your personal information for any longer than is necessary for the uses outlined above, unless we are required to keep your personal data longer to comply with the law and any regulatory requirements. We maintain a record of processing activities (RoPAs) where we record the period we will retain each type of personal data we process.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements
What are your rights?
You have certain rights under the UK Data Protection Law which can be exercised by contacting us at:
Day One Trauma Support, ROOM LGI 12/0B017, Brotherton Wing B Floor, Leeds General Infirmary, Leeds, LS1 3EX
dataprotection@dayonetrauma.org
Your rights include:
- Request access to your personal data (commonly known as a "data subject access request SARs"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. We handle SARs in accordance with the ICO’s guidance and maintain a policy on such requests.
- Rectification of inaccuracies of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- Request the transfer (right of portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent or your explicit consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Further details about your rights can be found on the ICO’s website at www.ico.org.uk There are some exemptions to the above rights that are permitted under the data protection legislation. If you have any queries as to what these are then please get in touch.
Please note that if you choose to exercise your rights to have personal data restricted or deleted, then we may not be able to provide you with a full service.
We will need you to provide identification in order to comply with your request to exercise your rights. Once we have received your information request, and your identification, we will respond within the required timescales unless a permitted exemption applies.
You have the right to make a complaint at any time to the ICO (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance (using the contact details noted below).
Changes to this Privacy Notice
We may change this Privacy Notice at any time, so please check this page regularly to ensure that you are happy with any changes that may have been made. Any significant changes will be notified to you.
Contact Us
If you have any questions regarding this Privacy Notice or you are unhappy with how we handle your personal information you can contact us at:
Day One Trauma Support, ROOM LGI 12/0B017, Brotherton Wing B Floor, Leeds General Infirmary, Leeds, LS1 3EX
dataprotection@dayonetrauma.org
Alternatively, you can notify the Information Commissioner’s Office (ICO) by calling their helpline on: 0303 123 1113 or by writing to them at: Information Commissioner's Office, Wycliffe House Water Lane, Wilmslow, Cheshire, SK9 5AF For further details about how to complain about our handling of your personal data please visit the regulator’s website;