Privacy policy – Casualty records

St Andrew’s First Aid Privacy policy – Casualty Records

This privacy policy sets out how St Andrew’s First Aid (“we”, “us” or “our”) uses and protects personal information that you give to us or is recorded when you are treated as a casualty by St Andrew’s First Aid at an event.

We are a data controller of any personal data that you provide us or we record about you. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy policy.

In this policy “Data Protection Legislation” means all applicable legislation which relates to the protection of individuals with regards processing personal data, including the General Data Protection Regulation (EU) 2016 and the Data Protection Act 2018.

How we collect information from you

We collect your information directly from you (or from certain third parties) where we provide you with first aid treatment at an event at which we are providing first aid.

Generally, we collect information about you by completing a Casualty Record Sheet.

What information we collect

To enable us to provide you with the proper treatment and care, we collect certain information about you (usually through completing a Casualty Record Sheet), including the following information:

  • details of the incident; and
  • your personal details including your name, address, contact details, date of birth and gender.

We may also collect, store and use the more sensitive types of personal information, including:

  • details of your injury;
  • details of any treatment administered; and
  • any other relevant information about your health, including information about;
    • any medical condition you have;
    • any allergies you have;
    • any medication(s) that you are taking; and
    • your medical history within the last 12 months.

Why we need this information about you

We use the information we collect about you:

  • to allow us to provide you with the treatment you require in accordance with our charitable vision, mission and values which can be found on our website; and
  • to record and maintain casualty records for events that we cover (e.g. RIDDOR requirements) in accordance with our legal obligations to do so.

We also use an anonymised form of your data for statistical analysis and reporting to identify trends in injuries, resuscitation attempts to ensure that we deploy the correct number of suitably trained volunteers and equipment at events. This is to ensure that we continue to provide the best possible first aid service as possible to our event organisers and to the individuals themselves that attend these events.

We will only process your personal data when we have legal grounds to do so. Most commonly, we will rely on one or more of the following legal bases:

  • Consent: the casualty has given clear consent for St Andrew’s First Aid to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the client/event organiser.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  • Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason for us to protect your personal data which overrides those legitimate interests.

We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Please contact us if you need details about the specific legal ground we are relying on to process your personal data.

Data Security

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect.

Disclosure of Personal Data

The information you provide to us will be treated as confidential. However, we may disclose your information to other third parties for the purposes below or for any additional purposes approved by you:

  • Emergency services – if you require further medical treatment;
  • RIDDOR – if the incident is reportable under Health & Safety legislation;
  • Event organisers – if contractually obliged to (we provide your information in anonymised reports where possible); and
  • Other parties – where we are required to disclose your information to meet our legal obligations.

We require all third parties to respect the security of your personal data and to treat it in accordance with Data Protection Legislation.

Transfers outside the EEA

We do not transfer your personal data outside the European Economic Area (EEA). However, if we ever did, we will put in place appropriate safeguards as required by Data Protection Legislation.

How long to we keep your information

Our retention policy is to retain casualty records for a period of seven years unless we are contractually or legally obliged to retain them for longer.

Your Rights

Under Data Protection Legislation, you have the following rights in connection with your personal data which can be exercised in certain circumstances:

  • Right of access – you can request a copy of the personal information we hold about you and check we are processing it lawfully.
  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party).
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used machine readable format.

Changes to our Privacy Policy

St Andrew’s First Aid may change this policy from time to time and any future updates will be posted on our website. This policy is effective from 25 July 2018.

Contact Us

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact:

  • James Lloyd
    Data Protection Officer
    St Andrew’s First Aid
    St. Andrew’s House
    48 Milton Street
    Glasgow
    G4 0HR
  • Tel: 0141 332 4031
  • Email: events@firstaid.org.uk

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues relating to our use of your information.