Aim of this policy
Personal information is defined in GDPR as “any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
1.2 The Regulations cover both written and computerised information and the individual’s right to see such records. It is important to note that the Regulations also cover records relating to people who access/use our services, staff and volunteers.
1.3 The General Data Protection Regulation requires our Service, as a controller of data subjects’ personal information, to register with the Information Commissioner’s Office.
2.1 Care1 Professional Services LTD (CPSL) is committed to the Principles of Article 5 of the GDPR which requires that personal data shall be:
- a) Processed lawfully, fairly and in a transparent manner in relation to individuals.
- b) Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- d) Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2.2 The data controller shall be responsible for, and be able to demonstrate, compliance with the GDPR principles.
3.0 The information that we collect and use
3.1 We process data from the information that is provided to us directly by the individual or through a third party. This information may reach us by mail, online enquiries, telephone contact, email and face to face contact. The details of the collected information vary depending on the nature of the service, e.g. for employment purposes or for receiving a care service.
3.3 Information processed may also include technical data such as the Internet Protocol (IP) address used to connect the data subject’s computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform. We may also collect information about the data subject’s visit, including the full Uniform Resource Locators (URLs), clickstream to, through and from our site (including date and time), products they viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
4.0 How long we store information for
4.1 Information processed for the purposes of an enquiry about our services will be kept for the duration of the enquiry and necessary follow up.
4.2 Information processed for the purposes of care provision or employment is kept for up to six years after the service has been terminated.
4.3 The duration that the information is stored might be longer if there is an investigation or legal procedure requiring such information to be stored.
5.0 Disclosure of personal data to third parties
5.1 CPSL may disclose data subjects’ personal data to some third party organisations that we use in service delivery. In these instances, sharing of data will be kept to only the necessary and relevant information. We ensure that we use third party data processors who operate under contractual restrictions regarding confidentiality and security, in addition to their obligations under Data Protection Laws.
5.2 We may disclose data subjects’ personal data to third parties in situations where this is a legal requirement. This may include disclosure to regulatory bodies such as the Nursing and Midwifery Council, the Care Inspectorate, the Care Quality Commission, the Scottish Social Services Council, the Disclosure and Barring Service, Disclosure Scotland and other relevant authorities.
5.3 Personal data may be disclosed to companies that provide IT systems for the purposes of storing information and/or confidential destruction.
5.4 Where we use subcontractors and business partners to facilitate the performance of a contract entered into with the data subject, we may share information with these organisations.
5.5 Other circumstances in which we may share data with third party organisations include debt collectors, delivery companies and marketing companies for the purpose of sending marketing emails (provided there is a lawful justification for doing so).
6.0 Implementation of the General Data Protection Regulation
6.1 CPSL shall take the necessary action to establish that there is a lawful basis for all processing of personal data (unless an exemption or derogation applies). The following will be taken into consideration when processing information:
- The data subject has given consent.
- Processing is necessary for the performance of a contract.
- Processing is necessary for compliance with a legal obligation.
- Processing is necessary in order to protect the vital interests of the data subject.
- Processing is necessary for the performance of a task carried out in the public interest.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller.
6.2 We will record and process information fairly and lawfully, in a language that is appropriate to the needs of our Service Users, staff and volunteers.
6.3 Clients, Service Users, staff and volunteers are made aware of the personal information we hold on them.
6.4 There will always be a specific reason or purpose for collecting data on those who use our Service or provide services for us, volunteers or those employed by us.
6.5 We will ensure that all data is specifically collected for the sole purpose it is intended.
6.6 We will collect only the information that is needed from those who use our Service or provide a service, and only for the specific purpose intended.
6.7 The Service will ensure that all personal data collected, processed, and held is kept accurate and up to date. This includes, but is not limited to, the rectification of personal data at the request of a data subject.
6.8 The accuracy of personal data shall be checked when it is collected and at regular intervals [insert interval]. If any personal data is found to be inaccurate or out of date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
6.9 The Service shall not keep personal data for any longer than is necessary considering the purpose or purposes for which that personal data was originally collected, held, and processed.
6.10 When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it.
6.11 We must protect the rights of data subjects where third parties might attempt to exercise a data subject’s rights without proper authorisation to do so. Due diligence must be exercised by asking data subjects to provide proof of their identity before giving effect to their rights.
6.12 Data subjects will be provided with information concerning the purposes for which their personal data will be processed.
6.13 Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:
- If the personal data is used to communicate with the data subject, when the first communication is made; or
- If the personal data is to be transferred to another party, before that transfer is made; or
- As soon as reasonably possible and in any event not more than one month after the personal data is obtained.
6.14 Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), CPSL shall give the data subject details of that transfer, including but not limited to the relevant safeguards in place.
6.15 In order to allow data subjects to enforce their data protection rights, we will enable data subjects to access their personal data.
6.16 Data subjects may make Subject Access Requests (“SARs”) at any time to find out more about the personal data which the service holds on them.
6.17 Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
6.18 All SARs received shall be handled by the person with responsibility for data protection.
6.19 We will not charge a fee for the handling of normal SARs. The Service reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
7.0 Data subjects’ rights
7.1 Data subjects are entitled to:
- Confirmation of whether, and where, the controller is processing their personal data.
- Information about the purposes of the processing.
- Information about the categories of data being processed.
- Information about the categories of recipients with whom the data may be shared.
- Information about the period for which the data will be stored (or the criteria used to determine that period).
- Information about the existence of the rights to erasure, to rectification, to restriction of processing and to object to processing.
- Information about the existence of the right to complain to the ICO.
- Where the data was not collected from the data subject, information as to the source of the data.
- Information about the existence of, and an explanation of the logic involved in, any automated processing that has a significant effect on data subjects.
- Information on how they can request a copy of the personal data being processed.
7.2 Data subjects are entitled to request a controller to delete their personal data if the continued processing of those data is not justified.
7.2 Data subjects have the right to erasure of personal data (the “right to be forgotten”) if:
- The data are no longer needed for their original purpose (and no new lawful purpose exists).
- The lawful basis for the processing is the data subject’s consent, the data subject withdraws that consent, and no other lawful ground exists.
- The data subject exercises the right to object, and the controller has no overriding grounds for continuing the processing.
- The data have been processed unlawfully; or
- Erasure is necessary for compliance with EU law or the national law of the relevant Member State.
In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
7.3 Where employee data subjects have given their consent to the Service to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Service and the employee data subject, employee data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).
7.4 Where technically feasible, if requested by an employee data subject, personal data shall be sent directly to the required data controller.
7.5 CPSL will inform data subjects of their rights to object to the processing of their personal data. This must be communicated to the data subject no later than the time of the first communication with the data subject. This information should be provided clearly and separately from any other information provided to the data subject.
7.6 Where a data subject objects to the Service’s processing of their personal data based on its legitimate interests, the Service shall cease such processing immediately, unless it can be demonstrated that the Service’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
8.0 Rectification of Personal Information
8.1 Rectification requests are handled as follows:
- a) Data subjects have the right to require the Service to rectify any of their personal data that is inaccurate or incomplete.
- b) The Service shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Service of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
- c) In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.
9.0 Restriction of Personal Data Processing
9.1 Data subjects may request that the Service ceases processing the personal data it holds about them. If a data subject makes such a request, the Service shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
9.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
10.0 Disposal of Personal Data
10.1 When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
11.0 Information Risks
11.1 The management will ensure that risk assessments are carried out on the protection and back-up storage of data subjects’ personal information, and in particular on what measures will be put in place to protect data subjects from loss of their information.
12.0 Data Protection by Design and Data Protection Impact Assessments
12.1 The manager will carry out Data Protection Impact Assessments for any new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR.
12.2 Data Protection Impact Assessments should be overseen by the person responsible for data protection or Data Protection Officer and shall address the following:
- The type(s) of personal data that will be collected, held, and processed.
- The purpose(s) for which personal data is to be used.
- The Service’s objectives.
- How personal data is to be used.
- The parties (internal and/or external) who are to be consulted.
- The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed.
- Risks posed to data subjects.
- Risks posed both within and to the Service; and
- Proposed measures to minimise and handle identified risks.
13.0 Employment Contracts
13.1 The management must ensure that employees entering into a contract of employment with the organisation are informed how their personal data will be used, and must obtain their agreement to the collection, processing, and holding of their personal data for such use.
14.0 Secure processing
14.1 The Service shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
15.0 Accountability and Record Keeping
15.1 The management will ensure that the Service complies with the legal requirements of the General Data Protection Regulation. The Service will carry out regular monitoring and auditing of our data protection policies and regularly review the effectiveness of data handling and security controls. The contents of this document may therefore be reviewed without prior notice.
Care1 Professional Services LTD, Cornwallis Business Centre, Howard, Chase, Basildon, Essex, SS14 3BB