Privacy Policy

 

  1. INTRODUCTION & PURPOSE

 

In accordance with the UK General Data Protection Regulation (UK GDPR), R.E.A.C.H have implemented this privacy notice to inform you, our employees, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.

 

As an organisation we also gather and collect data about the people we support in services and, in some instances, the friends and relatives of our residents and staff.

 

Processing means collecting, recording, organizing, storing, sharing or destroying data.

 

REACH is committed to being transparent about why we need personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

 

  2. OBJECTIVE & SCOPE

 

This notice applies to current and former employees and workers, residents, and the relatives and friends of both residents and staff within our residential services.

 

Data protection principles

Under UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:

 

  • processing is fair, lawful and transparent
  • data is collected for specific, explicit, and legitimate purposes
  • data collected is adequate, relevant and limited to what is necessary for the purposes of processing
  • data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
  • data is not kept for longer than is necessary for its given purpose
  • data is processed in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction or damage, by using appropriate technical or organisational measures
  • we comply with the relevant GDPR procedures for international transfers of personal data

 

Types of data held

We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems, for example, our HR database.

 

Specifically, we hold the following types of data, as appropriate to your status:

 

  1. personal details such as name, address, phone numbers
  2. name and contact details of your next of kin
  3. your photograph
  4. your gender, marital status, information of any disability you have or other medical information
  5. right to work documentation
  6. information on your race and religion for equality monitoring purposes
  7. information gathered via the recruitment process such as that entered into a CV or included in a CV cover letter
  8. references from former employers
  9. details on your education and employment history etc
  10. National Insurance numbers
  11. bank account details
  12. tax codes
  13. driving licence
  14. criminal convictions
  15. information relating to your employment with us, including:
      • job title and job descriptions
      • your salary
      • your wider terms and conditions of employment
      • details of formal and informal proceedings involving you such as letters of concern, disciplinary and grievance proceedings, your annual leave records, appraisal and performance information
      • internal and external training modules undertaken
      • information on time off from work including sickness absence, family related leave etc
      • IT equipment use including telephones and internet access.

 

To enable R.E.A.C.H’s residential services to be effective and efficient and to maintain a high standard of care and support, we keep several categories of personal data about the people we support. These include:

  1. personal details such as name, address, phone numbers
  2. name and contact details of your next of kin
  3. Your photograph
  4. Your gender, marital status, information of any disability you have or other medical information, including GP name and contact details.
  5. Information about how an individual likes to be supported in all areas of their support.
  6. Financial information, including bank account details and NI numbers
  7. Medical histories
  8. Legal status
  9. Religion
  10. NHS number

 

This policy aims to meet the guidance of the Caldicott Guardian Principles.

                                                             

  3. RESPONSIBILITY & GOVERNANCE

 

The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement or in order to effectively manage the employment contract we have with you, including ensuring you are paid correctly.

 

In order to protect the personal data of relevant individuals, those within our business who must process data as part of their role have been made aware of our policies on data protection.

 

We have also appointed employees with responsibility for reviewing and auditing our data protection systems.

 

Your data protection rights

 

Under data protection law, you have rights including:

 

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

 

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

If you wish to make a request, please contact us at:

REACH House

Churchfield Road

Chalfont St Peter

Bucks

SL9 9EN

01753 888688

office@reach-disabilitycare.co.uk

 

Or you can contact our Data protection compliance Officer

Our Data Protection Officer is:

 

Mr. Michael Potter

M4potter@hotmail.com

 

Resident’s data

 

So that we can provide safe and professional service, we need to keep certain records about our residents. We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing residents’ personal data.

 

We process your data because:

 

  • We have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.

We process your special category data because:

  • It is necessary due to social security and social protection law (generally this would be in safeguarding instances);
  • It is necessary for us to provide and manage social care services.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

 

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

 

Common Law Duty of Confidentiality

 

You need to satisfy the common law duty of confidentiality when using health and care information.

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses)
  • We have a legal requirement to collect, share and use the data
  • The public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).

 

Where do we process your data?

 

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

 

  1. You or your legal representative(s);
  2. Third parties.

 

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

 

Third parties are organisations we might lawfully share your data with. These include:

 

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
  • The Local Authority.
  • Your family or friends – with your permission.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC.
  • The police or other law enforcement agencies if we have to by law or court order.
  • National Data Opt Out

 

Staff

 

So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:

 

  • Your basic details and contact information e.g. your name, address, date of birth, National Insurance number and next of kin;
  • Your financial details e.g. details so that we can pay you, insurance, pension and tax details;
  • Your training records.

 

We also record the following data which is classified as “special category”:

 

  • Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/paternity pay;
  • We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion.

As part of your application, you are required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We do not keep this data once we’ve seen it.

Why do we have this data?

 

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.

 

We process your data because:

 

  • We have a legal obligation under UK employment law;
  • We are required to do so in our performance of a public task;
  • We have a legitimate interest in processing your data – for example, we provide data about your training to Skills for Care’s Adult Workforce Data Set; this allows Skills for Care to produce reports about workforce planning.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

 

We process your special category data because

 

  • It is necessary for us to process requests for sick pay or maternity pay.

If we request your criminal records data it is because we have a legal obligation to do this due to the type of work you do. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any). We do record that we have checked this.

 

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

 

As your employer we need specific data. This is collected from or shared with:

 

  • You or your legal representative(s);
  • Third parties.

 

We do this face to face, via phone, via email, via our website, via post, via application forms.

 

Third parties are organisations we have a legal reason to share your data with. These include:

 

  • Her Majesty’s Revenue and Customs (HMRC);
  • Our pension scheme
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC;
  • The police or other law enforcement agencies if we have to by law or court order.
  • The DBS Service – Buckinghamshire Council

 

Friends / relatives

What data do we have?

 

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

 

  • Your basic details and contact information e.g. your name and address.

Why do we have this data?

 

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.

 

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

 

So that we can provide high quality care and support we need specific data. This is collected from or shared with:

 

  • You or your legal representative(s);
  • Third parties.

We do this face to face, via phone, via email, via post.

 

Third parties are organisations we have a legal reason to share your data with. These may include:

 

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals.
  • The Local Authority.
  • The police or other law enforcement agencies if we have to by law or court order.

 

  4. PROCEDURE

 

Collecting your data

As an employee you provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment.

 

In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.

 

Personal data is kept in files or within the Company’s HR and IT systems.

 

The information below categorises the types of data processing, appropriate to your status, we undertake and the lawful basis we rely on.

 

| Activity requiring your data | Lawful basis |
| --- | --- |
| Carry out the employment contract that we have entered into with you e.g. using your name, contact details, education history, information on any disciplinary, grievance procedures involving you | Performance of the contract |
| Ensuring you are paid | Performance of the contract |
| Ensuring tax and National Insurance is paid | Legal obligation |
| Carrying out checks in relation to your right to work in the UK | Legal obligation |
| Making reasonable adjustments for disabled employees | Legal obligation |
| Carrying out a DBS check prior to your employment offer to establish your suitability to work with vulnerable people | Legal obligation |
| Making recruitment decisions in relation to both initial and subsequent employment e.g. promotion | Our legitimate interests |
| Making decisions about salary and other benefits | Our legitimate interests |
| Ensuring efficient administration of contractual benefits to you | Our legitimate interests |
| Effectively monitoring both your conduct, including timekeeping and attendance, and your performance and to undertake procedures where necessary | Our legitimate interests |
| Maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained | Our legitimate interests |
| Implementing grievance procedures | Our legitimate interests |
| Assessing training needs | Our legitimate interests |
| Implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments | Our legitimate interests |
| Gaining expert medical opinion when making decisions about your fitness for work | Our legitimate interests |
| Managing statutory leave and pay systems such as maternity leave and pay etc | Our legitimate interests |
| Business planning and restructuring exercises | Our legitimate interests |
| Dealing with legal claims made against us | Our legitimate interests |
| Preventing fraud | Our legitimate interests |
| Ensuring our administrative and IT systems are secure and robust against unauthorised access | Our legitimate interests |
| Providing employment references to prospective employers, when our name has been put forward by the employee/ex-employee, to assist with their effective recruitment decisions | Legitimate interest of the prospective employer |

 

Special categories of data

Special categories of data are data relating to your:

 

  1. health
  2. sex life
  3. sexual orientation
  4. race
  5. ethnic origin
  6. political opinion
  7. religion
  8. trade union membership
  9. genetic and biometric data.

 

We carry out processing activities using special category data:

 

  1. for the purposes of equal opportunities monitoring
  2. in our sickness absence management procedures
  3. to determine reasonable adjustments

 

Most commonly, we will process special categories of data when the following applies:

 

  1. you have given explicit consent to the processing
  2. we must process the data in order to carry out our legal obligations
  3. we must process data for reasons of substantial public interest
  4. you have already made the data public.

 

Failure to provide data

Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract of employment with you. This could include being unable to offer you employment, or administer contractual benefits.

 

Criminal conviction data

We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage; however, it may also be collected during your employment. We use criminal conviction data to determine your suitability, or your continued suitability, for the role. We rely on the legal basis that it is our legal obligation to process this data.

 

Who we share your data with

Employees within our company who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out of performance-related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processed in line with GDPR.

 

Data is shared with third parties for the following reasons:

 

We share data with third parties for the purposes of administering employee contracts and benefits, statutory obligations, establishing the company’s legal rights and obligations and providing training.

 

We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.

 

We do not share your data with bodies outside of the European Economic Area.

 

Resident data may be shared with family, outside professionals, the organisation’s website and other stakeholders involved in a person’s care. This sharing of data will only take place in an individual’s best interest and following an assessment of their capacity.

 

A copy of this document will be available both at Head Office and with the individual’s Care Health Action Plan.

 

Protecting your data

We are aware of the requirement to ensure that a person’s data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.

 

Retention periods

We only keep data for as long as we need it, which will be at least for the duration of your employment with us, though in some cases we will keep your data for a period after your employment has ended. Some data retention periods are set by the law. Retention periods can vary depending on why we need your data, as set out below:

 

All financial and employment records are stored for a period of 7 years.

All accident records are stored for a period of 30 years.

All medical records in relation to the people we support are stored for a period of 30 years.

 

Automated decision making

Automated decision making means making decisions about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.

 

Employee/resident rights

You have the following rights in relation to the personal data we hold on you:

 

  1. the right to be informed about the data we hold on you and what we do with it;
  2. the right of access to the data we hold on you. More information on this can be found in our separate policy on Subject Access Requests;
  3. the right for any inaccuracies in the data we hold on you, however they come to light, to be corrected. This is also known as ‘rectification’;
  4. the right to have data deleted in certain circumstances. This is also known as ‘erasure’;
  5. the right to restrict the processing of the data;
  6. the right to transfer the data we hold on you to another party. This is also known as ‘portability’;
  7. the right to object to the inclusion of any information;
  8. the right to regulate any automated decision-making and profiling of personal data.

 

More information can be found on each of these rights in our separate policy on employee rights under GDPR.

 

Consent

Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.

 

Making a complaint

If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.

 

Data protection compliance

Our Data Protection Officer is:

 

Mr. Michael Potter

mpotter@reach-disabilitycare.co.uk

 

If you would like to complain about how we have dealt with a request, please contact:

 

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://ico.org.uk/global/contact-us/

 

 

Subject Access requests – Making a request

Under the UK General Data Protection Regulation (UK GDPR), you have the right to access the personal data we, R.E.A.C.H, hold on you. To do so, you should make a subject access request. This policy sets out how you should make a request, and our actions upon receiving the request.

 

Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.

 

Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.

 

Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.

 

Timescales

Usually, we will comply with your request within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.

 

Fee

We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.

 

In addition, we may also charge a reasonable fee if you request further copies of the same information.

 

Information you will receive

 

When you make a subject access request, you will be informed of:

 

  1. whether or not your data is processed and the reasons for the processing of your data;
  2. the categories of personal data concerning you;
  3. where your data has been collected from if it was not collected from you;
  4. anyone who your personal data has been disclosed to or will be disclosed to, including anyone outside of the EEA and the safeguards utilised to ensure data security;
  5. how long your data is kept for (or how that period is decided);
  6. your rights in relation to data rectification, erasure, restriction of and objection to processing;
  7. your right to complain to the Information Commissioner if you are of the opinion that your rights have been infringed;
  8. the reasoning behind any automated decisions taken about you.

 

Circumstances in which your request may be refused

We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.

 

We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.
