Privacy Policy and Data Protection - Shetland Hyperbaric Centre

Overview

This policy explains how Shetland Hyperbaric Centre collects, uses, stores and protects personal information. We follow the requirements of the UK GDPR, the Data Protection Act 2018 and the duties placed on Scottish charities by the Charities and Trustee Investment (Scotland) Act 2005 and the Charities (Regulation and Administration) (Scotland) Act 2023. These laws require charities to keep accurate records, keep personal information secure and handle data in a lawful and transparent way.

We collect personal data to provide safe hyperbaric services, support volunteers and operate the Centre responsibly. We take great care to protect the privacy and dignity of everyone who uses or supports our service.

Scope and responsibility

This policy applies to trustees, committee members, volunteers, staff and anyone acting on behalf of the Centre. Everyone who handles personal information must follow this policy and only use information for the purpose for which it was collected.

The Centre has not appointed a Data Protection Officer because it is not required to do so. Trustees have overall responsibility for data protection. A named Data Protection Lead may be appointed to support day-to-day compliance, respond to data requests and act as the main privacy contact. This role is a practical contact role and is not the same as a statutory Data Protection Officer.

What information we collect

We collect only the information we need. This may include:

  • Name, address, phone number and email
  • Emergency contact details
  • Hyperbaric therapy information, health questionnaires, consent forms and session notes
  • Information about medical conditions, medication, allergies, mobility needs or other safety matters relevant to treatment
  • GP, clinician or other health professional details, where relevant
  • Volunteer and staff records, including contact details, training, safer recruitment checks and PVG status where required
  • Trustee information, which must be held as part of charity law requirements in Scotland
  • Website enquiry form information and any messages sent to the Centre

Health information is special category data and receives higher protection. We will only ask for health information where it is needed to assess suitability, provide safe sessions or meet safety and record keeping requirements.

Why we collect personal data

We collect information to:

  • Assess suitability for hyperbaric therapy
  • Provide safe sessions and keep necessary therapy and safety records
  • Contact individuals about appointments, enquiries, safety information or changes to services
  • Recruit, support and train volunteers
  • Meet OSCR record keeping duties for Scottish charities
  • Keep the Centre operating safely, including meeting requirements for training, safer recruitment, PVG procedures and health and safety duties
  • Respond to questions, complaints, incidents or regulatory enquiries

Lawful bases for using data

We use personal data only when we have a lawful reason. Our main lawful bases are:

  • Consent, for things like optional communications or where we ask someone to agree to a specific use of their information
  • Legal obligation, including charity law, health and safety, employment, safeguarding and record keeping duties
  • Legitimate interests, such as managing volunteers, responding to enquiries, keeping records and running the Centre safely and responsibly
  • Vital interests, if information is needed to protect someone in an emergency

Where we use special category health information, we will also identify a suitable condition for using that information. This may include explicit consent, provision of health or care-related services where appropriate, or other legal and safety reasons that apply to the Centre. We will not use health information for unrelated purposes.

Website forms and digital systems

When someone contacts us through a website form or by email, we use the information provided to respond to the enquiry and manage any follow-up. We will not ask for more information than we need on website forms, and we will avoid collecting detailed health information online unless it is necessary and handled securely.

If the Centre uses website platforms, email services, cloud storage, booking systems, accounting systems or other digital services, those providers may process personal data on our behalf. We will use reputable providers, limit access to authorised users and take reasonable steps to check that personal information is handled securely.

If the website uses cookies or similar technologies beyond those needed for the site to work, the Centre will provide clear cookie information and obtain consent where required.

How we store and protect information

We take appropriate steps to keep personal data safe. This includes secure locked storage for paper files, password protection for digital systems and limiting access to those who need the information to carry out their role. These steps reflect the expectation that Scottish charities safeguard sensitive information and maintain safe working practices.

Health and therapy records will be handled with particular care. Access will be limited to people who need the information to provide safe services, manage records, respond to incidents or meet legal duties.

Volunteers and staff must not share personal information casually, leave records where they can be seen by others, or use personal data for their own purposes. Any concerns about loss, misuse or accidental disclosure must be reported promptly to the Data Protection Lead or trustees.

How long we keep information

Records are kept no longer than necessary. The Centre will keep different types of information for different periods depending on the reason it was collected, legal requirements, insurance needs, safety requirements and good practice.

Clinical, therapy and safety records may need to be held for extended periods. Governance, financial, volunteer and trustee records are kept in line with charity law, accounting requirements and good practice. When information is no longer needed, it will be securely deleted or destroyed.

The Centre should maintain a simple retention schedule setting out the main types of records held and how long each type is normally kept.

Sharing information

We only share information when necessary and appropriate. This may include:

  • NHS Scotland clinicians, GPs or other health professionals involved in care or safety decisions, where appropriate
  • Emergency services if needed
  • OSCR during regulatory enquiries
  • Health and safety regulators or local authorities where required by law or needed for safety concerns
  • Insurers, professional advisers or legal advisers where this is necessary to manage claims, incidents or governance duties
  • Service providers who process information on our behalf, such as website, email, accounting or secure storage providers

We do not share information for marketing or commercial reasons.

Your rights

Anyone whose information we hold has the right to:

  • See the information we hold about them
  • Ask for corrections to inaccurate details
  • Ask for deletion, where this is appropriate
  • Ask us to limit how their information is used
  • Object to certain kinds of processing
  • Withdraw consent where we rely on consent
  • Complain to the Information Commissioner’s Office

Requests will be responded to within one month. Some rights may be limited where the Centre has a legal duty or safety reason to keep information.

Data breaches

If something happens that puts personal data at risk, we will:

  • Act quickly to contain the problem
  • Assess the risk
  • Notify the ICO within 72 hours if the breach is likely to result in a risk to people’s rights and freedoms
  • Inform the individuals affected when required
  • Keep a written record of all breaches, including what happened, what action was taken and any lessons learned

ICO registration and records

The Centre will complete the ICO data protection fee self-assessment and, where required, register with the ICO and pay the annual data protection fee. The trustees or Data Protection Lead will check this at least once a year.

The Centre will keep a simple record of the main types of personal data it holds, why it holds the information, who has access, where it is stored, who it may be shared with and how long it is kept.

Review of this policy

This policy will be reviewed at least once every year, or sooner if there is a change in services, systems, law, guidance or the way the Centre uses personal information. 

 
