1. Client Privacy Policy

Client privacy notice

Please read this privacy notice carefully as it explains how we comply with the General Data Protection Regulation (GDPR). The notice was published on 25th May 2018 and may be revised from time to time; we will let you know when this happens.

Introduction

In order that we can provide your care and support services, we need to collect and use information about you (“personal information”). Personal information is anything about you from which you can be identified, but it doesn’t include information from which your identity has been removed (i.e. anonymous data).

As a ‘controller’ of your personal information, we are legally responsible for making sure that your personal information is:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have clearly explained to you and not used for any other purpose;
  • Relevant to the purposes we have told you about and only used for those purposes;
  • Accurate and up to date;
  • Kept only as long as we need it for the purposes we have told you about;
  • Kept securely.

In this notice, a “public body” is any organisation that delivers, commissions or reviews a public service, including local authorities, councils, unitary authorities, clinical commissioning groups, health and social care trusts, the Ombudsman and regulatory bodies.

In this notice, a “health or social care professional” is any person that provides direct services, acts as a consultant or is involved in the commissioning of your healthcare or social care services, including your GP, dentist, pharmacist, nurses and health visitors, clinical psychologists, dieticians, physiotherapists, occupational therapists, hospital staff and social workers.

‘Lawful basis for processing’ your information

The GDPR says that we must have a ‘lawful basis’ for collecting and using your personal information. We rely on the following grounds within the GDPR for this lawful basis:

  • Article 6(1)(b) – processing is necessary for the performance of our contracts to provide individuals with care and support services;
  • Article 6(1)(c) – processing is necessary for us to demonstrate compliance with our regulatory framework and the law;
  • Article 9(2)(h) – processing is necessary for the provision of social care or the management of social care systems and services.

Other lawful grounds for processing your data could apply in certain situations, such as where sharing your personal information is essential in order to protect you from harm (“vital interests”).

The information we collect about you

In order to set up and provide your service, we need to collect personal information from you or from other sources, such as your family or health and social care professionals. Without this information, we may be unable to create a suitable care plan and provide safe and effective care:

  • Your name, date of birth and contact details;
  • Details of people we may need to contact in an emergency (including their names, relationship to you and contact details);
  • Any medical or practical information that is relevant to the provision of your care (including physical or mental conditions, care needs and allergies);
  • Assessments of your care needs;
  • Your likes, dislikes and lifestyle preferences in so far as they are relevant to the delivery of your service. This may include information about your religion, racial or ethnic origin, health, sexual life or sexuality;
  • Information about your Attorney or Deputy (if applicable);
  • Financial assessments (where we need these);
  • Payment card or direct debit details (if you pay us for some or all of your services using one of these methods);
  • Photographs of you (if we need these to manage any risks to your safety, e.g. that you might go missing).

In the course of delivering your service, we will also produce records of the care delivered to you.

How we use your personal information

We use your personal information to:

  • Prepare, review and update a suitable care plan, describing the care and support you have requested we supply to you;
  • Deliver your care service in a safe and effective way;
  • Communicate with you, your representatives and relevant health or social care professionals about your needs and the service we provide to you;
  • Make reasonable adjustments, when required, to meet your individual needs and to ensure we have suitable facilities to ensure your safety;
  • Invoice you for the care and support services in accordance with our terms and conditions (if you pay for your own service);
  • Carry out quality assurance procedures, review our service and improve our customer experience.

Sharing your personal information

We will not share your information with others unless we have a lawful reason for doing so.

We may share your personal information with appropriate health or social care professionals (including your GP and pharmacist) and any other individuals you nominate when we prepare your care plan. This enables us to make sure the care support we provide to you is suitable and safe.

We will also share your information with certain data processors in order to properly deliver your service. For example, our care management software is hosted by a separate company. However, by law, the data processors we use can only use your information for the purpose we have asked them to and will not share your information with anyone else or use it to do anything other than allow us to provide your service properly. They must also keep your data safe and secure.

Although we seek to avoid using agency staff to deliver our services, we may need to do so on occasion to ensure continuity of service, and this may require us to share your personal information with an agency or their staff in order that they can deliver your service safely and effectively.

We may also share information about you where not doing so could mean you come to serious harm, for example where the emergency services need information in order to save your life.

Our company is part of City and County Healthcare Group. Although the group provides its care services through a number of different companies, it shares a middle and senior management structure and back-office functions (such as finance and payroll). In order to deliver your service properly (and only for that purpose), we will share your personal information as necessary within the management and back-office structure of City and County Healthcare Group.

We may also share personal information with law enforcement or other authorities if required by law. This includes information required by public bodies to evidence our compliance with the applicable regulatory framework. We are also required to share personal information with external health or social care professionals, including public bodies and local safeguarding groups (in some circumstances) to ensure your safety.

We will not share your personal information with any other third party without first asking your permission and will never sell your personal information to anyone.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How long your personal information will be kept

We will keep the personal information we hold about you for as long as we continue to provide a service to you and for three years after your service ends, at which time we will destroy your records securely.

We are required to retain information about services provided to children for eighty years.

Your rights

Under the GDPR, you have a number of important rights. In summary, those include rights to:

  • Fair processing of information and transparency over how we use your personal information;
  • Access to your personal information and to certain other supplementary information (which is provided in this privacy notice);
  • Require us to correct any mistakes in the information we hold about you;
  • Require the erasure (i.e. deletion) of personal information concerning you, in certain situations (although you should be aware that if you ask us to delete any of your personal information that we need in order to comply with our legal or contractual obligations, we may no longer be able to provide you with a service);
  • Receive any personal information that you have provided to us in a format that would allow you to pass it on to a third party in certain situations;
  • Object at any time to processing of personal information concerning you for direct marketing (although as we have explained, we will not use your data for that purpose);
  • Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
  • Object in certain other situations to our continued processing of your personal information;
  • Otherwise restrict our processing of your personal information in certain circumstances;
  • Claim compensation for damages caused by our breach of any data protection laws.

You will find further information on each of these rights on the Information Commissioner’s website (www.ico.org.uk).

How to contact us

If you wish to exercise any of the above rights or have any other complaints or queries about this notice and our use of your personal information, you can contact us as follows:

Email: dataprotection@candchealthcare.co.uk

Telephone: 020 7186 0500

By post: The Data Protection Officer, City and County Healthcare Group, Cardinal House, Abbeyfield Court, Abbeyfield Road, Nottingham, NG7 2SZ

Note that we may ask you to provide proof of your identity before we can discuss your personal information with you.

Your right to complain

If you have a complaint about the way we process your personal information, we would ask you to contact us using the details in the previous section.

We hope that we can resolve any concern you raise, but if you want to do so, you also have the right to complain to a supervisory authority in any European Union (or EEA) state where you work or live. In the UK, the supervisory authority is the Information Commissioner, who may be contacted at www.ico.org.uk/concerns or by telephone on 0303 123 1113.

Do you need extra help?

If you would like this notice in another format (e.g. audio, large print or braille), please contact us (see ‘How to contact us’ above).

2. Job Applicant Privacy Policy

Privacy notice – for job applicants

Please read this privacy notice carefully as it explains how we comply with the General Data Protection Regulation (GDPR). The notice was published on 28th November 2019 and may be revised from time to time; we will let you know when this happens.

Introduction

In order that we can consider and process your application for employment, and then, in due course, fulfil our obligations to you under your contract of employment (as well as other legal duties), we need to collect and use information about you (what is referred to as “personal information”).

Personal information is anything about you from which you can be identified, but it doesn’t include information from which your identity has been removed (i.e. anonymous data).

As a ‘controller’ of your personal information, we are legally responsible for making sure that your personal information is:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes that we have clearly explained to you and not used for any other purpose;
  • Relevant to the purposes we have told you about and only used for those purposes;
  • Accurate and up to date;
  • Kept only as long as we need it for the purposes we have told you about;
  • Kept securely.

‘Lawful basis for processing’ your information

The GDPR says that we must have a ‘lawful basis’ for collecting and using your personal information. We may rely on the following grounds within the GDPR for this lawful basis:

  • Article 6(1)(b) – processing is necessary for entering into and then performing our contract of employment with you;
  • Article 6(1)(c) – processing is necessary for us to demonstrate compliance with our regulatory framework and the law;
  • Article 7(1) – you have given consent for us to process your personal information;
  • Article 9(2)(h) – processing is necessary for the provision of social care or the management of social care systems and services.

Other lawful grounds for processing your data could apply in certain situations, such as where sharing your personal information is essential in order to protect you from harm (“vital interests”) or where we otherwise have a legitimate interest.

The information we collect about you

We need to collect certain information about you in order to process your job application. We may get the information directly from you but also from other sources such as the Job Centre or government work programme or from the people whose names you have given us as referees:

  • Your name, sex, contact details and national insurance number;
  • Proof that you are legally entitled to work in the UK;
  • Details of your education, work history, availability and use of transport for work;
  • Details of your skills and qualifications, including any languages spoken;
  • The names and contact details of people we can contact for a reference;
  • Information about any criminal record you may have;
  • Information about your suitability for the job you are applying for, including records of any selection interviews, your answers to selection questions and assessments, and information about any disabilities or health conditions that may require us to make adjustments for you;
  • Information regarding your compliance with the COVID-19 mandatory vaccination regime;
  • Proof of your identity and details of any names you may have previously been known by;
  • Details of any addresses you have previously lived at in the past five years;
  • Photographs of your face;
  • Information about your age, sex, race or ethnicity, nationality, religion or belief, disability, marital or civil partnership status, sexual orientation and transgender status.

Once we enter into a contract of employment with you and at any time thereafter, we may need to update any of the information above, to ensure it remains accurate. We will also collect other information about you and your work that we need in order that we can both fulfil our obligations to each other. This might include records of training, assessments, meetings, supervision and appraisals as well as records of the work you do and other aspects of your employment, such as annual leave, sickness absence, accident and incident records and disciplinary or grievance processes.

During the course of your employment, we may also collect further information about you from third parties, such as the people that use our services, our clients and customers. If you have been referred to us by a Job Centre or government work programme or on an educational work placement, we may also obtain further information from the agency or establishment that referred you to us.

Similarly, we may need to obtain information about your health from your GP or another healthcare professional, but only with your consent, which we will seek at the time.

We will also need to maintain records of your pay and tax, NI and other deductions made.

How we use your personal information

Before you become employed, we will use your personal information to:

  • Decide on whether you are suitable for the position for which you have applied;
  • Communicate with you about your job application;
  • Monitor the effectiveness of our equalities policies in our recruitment processes.

If your application is successful, we will carry forward the information you have provided and use that information along with any other personal information that we obtain to:

  • Communicate with you and keep you informed on work-related matters;
  • Make sure that you are suitable for the work tasks you are asked to carry out;
  • Make sure that the services we provide are safe and effective and legally compliant;
  • Manage any risks in the workplace;
  • Provide you with appropriate supervision, training and development;
  • Monitor and appraise your performance and work attendance;
  • Inform any HR processes such as disciplinary or grievance proceedings;
  • Make sure you get paid;
  • Provide an employment reference to any future employer that may request one (where you name us as a referee).

Sharing your personal information

We will not share your information with others unless we have a lawful reason for doing so.

In order to process your job application, we may share relevant information about you, your application and about your past employment with the people whose names you have given us as referees.

Once you are employed by us, we may share information about you with the people that use our services and their families and representatives in so far as it is relevant to the provision of their service. We may also share relevant information about you with the people or organisations that commission our services in order to allow us to fulfil our contractual obligations to them.

We will also share your information with certain data processors in order to process your application and then to fulfil our obligations as an employer and a provider of care services. For example, our application processing systems are hosted by a separate company. Our care management software systems, including systems for the electronic monitoring of care assignments, are also hosted by a separate company. We may also use external training providers to equip you with the skills you need to do your job. We also use contractors for the archiving and disposal of confidential documents.

These and any other data processors we use can only use your data for the purpose we have asked them to and will not share your data with anyone else. They must also keep your data safe and secure.

In order to allow you to have the option of taking advantage of our employee engagement hub, Connect and Collect, we will also share your National Insurance number and date of birth with Reward Gateway (who operate the hub). Reward Gateway can only use this anonymised information to verify that you are who you say you are when you sign up to the hub and until you do so, they are not even able to identify who you are. If you do sign up to the hub (which we hope you will), Reward Gateway have their own privacy notices explaining to you how they will use your data.

We may share factual information about your employment with your future employers, in the form of an employment reference, where you name us as a referee.

Our company is part of City and County Healthcare Group. Although the group provides its services through a number of different companies, it shares a middle and senior management structure and back-office functions (such as finance and payroll). In order to process your application and to fulfil our contractual obligations to you as your employer (and to otherwise run our business effectively), we may need to share your personal information within the management and back-office structure of City and County Healthcare Group.

We may also share your personal information with law enforcement or other authorities if required by law. This includes information required by public bodies to evidence our compliance with applicable regulatory frameworks.

We may also share relevant information about you with organisations that are empowered by law to carry out functions on behalf of government, such as maintaining workforce statistics (for example, in England, Skills for Care which maintains the Adult Social Care Workforce Dataset).

Where you undertake a formal qualification as part of your employment (e.g. an apprenticeship programme), we will provide relevant personal information to the educational establishment; note that such organisations are independently regulated and will provide you with their own information about how they will protect your privacy.

We will not share your personal information with any other third party without first asking your permission and will never sell your personal information to anyone.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

How long your personal information will be kept

If your application is not successful, or you withdraw it, we will retain a record of your name and national insurance number and information about the progress of your application (such as when you applied, when you were interviewed, whether you passed or failed the assessments, what evidence you provided of identity or your right to work in the UK, whether you attended training, and the reason that your application did not result in employment) for administrative and monitoring purposes only. However, any copies of your personal documents that were taken during your application will be destroyed.

If you do not enter our employment, but you would like us to retain your details so that we can contact you about future employment opportunities, we will give you the option of providing your consent for us to do this.

If your application is successful and you become employed by us, we will retain the personal information you have provided during the application process and any further information obtained during your period of employment for three years after the end of your employment.

After three years, we will destroy most of your information securely, retaining only basic personal information to allow us to confirm that you were employed and the reason that you left, plus any information about you that forms part of records that we otherwise need to retain for statutory or other legitimate purposes (such as your payroll records and your involvement in safeguarding, accident or incident investigations).

If we have obtained your explicit consent to do so (see above), we may retain your details in order to contact you after your period of employment to ask you whether you are interested in future suitable vacancies.

Your rights

Under the GDPR, you have a number of important rights. In summary, those include rights to:

  • Fair processing of information and transparency over how we use your personal information;
  • Access to your personal information and to certain other supplementary information (which is provided in this privacy notice);
  • Require us to correct any mistakes in the information we hold about you;
  • Require the erasure (i.e. deletion) of personal information concerning you, in certain situations (although you should be aware that if you ask us to delete any of your personal information that we need in order to comply with our legal or contractual obligations, we may no longer be able to employ you);
  • Receive any personal information that you have provided to us in a format that would allow you to pass it on to a third party in certain situations;
  • Object at any time to processing of personal information concerning you for direct marketing (although as we have explained, we will not use your data for that purpose);
  • Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
  • Object in certain other situations to our continued processing of your personal information;
  • Otherwise restrict our processing of your personal information in certain circumstances;
  • Claim compensation for damages caused by our breach of any data protection laws.