In accordance with the UK General Data Protection Regulation (UK GDPR), R.E.A.C.H have implemented this privacy notice to inform you, our employees, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
As an organisation we also gather and collect data about the people we support in services and in some instances the friends, relatives of our residents and staff.
Processing means collecting, recording, organizing, storing, sharing or destroying data.
REACH is committed to being transparent about why we need personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.
This notice applies to current and former employees and workers, residents and the relatives, friends of both residents and staff within our residential services.
Data protection principles
Under UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
Types of data held
We keep several categories of personal data on our employees in order to carry out effective and efficient processes. We keep this data in a personnel file relating to each employee and we also hold the data within our computer systems, for example, our HR database.
Specifically, we hold the following types of data, as appropriate to your status:
To enable R.E.A.C.H’s residential services to be effective and efficient and maintain a high standard of care and support we keep several categories of personal data about the people we support, these include
This policy aims to meet the guidance of the Caldicot Guardian Principles
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement or in order to effectively manage the employment contract we have with you, including ensuring you are paid correctly.
In order to protect the personal data of relevant individuals, those within our business who must process data as part of their role have been made aware of our policies on data protection.
We have also appointed employees with responsibility for reviewing and auditing our data protection systems.
Your data protection rights
Under data protection law, you have rights including:
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you if you wish to make a request
Please contact us at
REACH House
Churchfield Road
Chalfont St Peter
Bucks
SL9 9EN
01753 888688
office@reach-disabilitycare.co.uk
Or you can contact our Data protection compliance Officer
Our Data Protection Officer is:
Mr. Michael Potter
Resident’s data
So that we can provide safe and professional service, we need to keep certain records about our residents. We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing residents’ personal data.
We process your data because: you may not use all these lawful bases or may use different ones, change as appropriate.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
Common Law Duty of Confidentiality
You need to satisfy the common law duty of confidentiality when using health and care information.
In our use of health and care information, we satisfy the common law duty of confidentiality because:
Where do we process your data?
So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:
We do this face to face, via phone, via email, via our website, via post, via application forms, via apps delete or insert as appropriate all of the methods you use to communicate with your service users.
Third parties are organisations we might lawfully share your data with. These include:
Staff
So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:
We also record the following data which is classified as “special category”:
As part of your application, you are required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We do not keep this data once we’ve seen it.
Why do we have this data?
We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.
We process your data because:
We process your special category data because
If we request your criminal records data it is because we have a legal obligation to do this due to the type of work you do. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any). We do record that we have checked this.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Where do we process your data?
As your employer we need specific data. This is collected from or shared with:
We do this face to face, via phone, via email, via our website, via post, via application forms
Third parties are organisations we have a legal reason to share your data with. These include:
Friends / relatives
What data do we have?
As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:
Why do we have this data?
By law, we need to have a lawful basis for processing your personal data.
We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Where do we process your data?
So that we can provide high quality care and support we need specific data. This is collected from or shared with:
Third parties are organisations we have a legal reason to share your data with. These may include:
Collecting your data
As an employee you provide several pieces of data to us directly during the recruitment period and subsequently upon the start of your employment.
In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.
Personal data is kept in files or within the Company’s HR and IT systems.
The information below categorises the types of data processing, appropriate to your status, we undertake and the lawful basis we rely on.
Activity requiring your data | Lawful basis |
Carry out the employment contract that we have entered into with you e.g. using your name, contact details, education history, information on any disciplinary, grievance procedures involving you | Performance of the contract |
Ensuring you are paid | Performance of the contract |
Ensuring tax and National Insurance is paid | Legal obligation |
Carrying out checks in relation to your right to work in the UK | Legal obligation |
Making reasonable adjustments for disabled employees | Legal obligation |
Carrying out a DBS check prior to your employment offer to establish your suitability to work with vulnerable people | Legal obligation |
Making recruitment decisions in relation to both initial and subsequent employment e.g. promotion | Our legitimate interests |
Making decisions about salary and other benefits | Our legitimate interests |
Ensuring efficient administration of contractual benefits to you | Our legitimate interests |
Effectively monitoring both your conduct, including timekeeping and attendance, and your performance and to undertake procedures where necessary | Our legitimate interests |
Maintaining comprehensive up to date personnel records about you to ensure, amongst other things, effective correspondence can be achieved and appropriate contact points in the event of an emergency are maintained | Our legitimate interests |
Implementing grievance procedures | Our legitimate interests |
Assessing training needs | Our legitimate interests |
Implementing an effective sickness absence management system including monitoring the amount of leave and subsequent actions to be taken including the making of reasonable adjustments | Our legitimate interests |
Gaining expert medical opinion when making decisions about your fitness for work | Our legitimate interests |
Managing statutory leave and pay systems such as maternity leave and pay etc | Our legitimate interests |
Business planning and restructuring exercises | Our legitimate interests |
Dealing with legal claims made against us | Our legitimate interests |
Preventing fraud | Our legitimate interests |
Ensuring our administrative and IT systems are secure and robust against unauthorised access | Our legitimate interests |
Providing employment references to prospective employers, when our name has been put forward by the employee/ex-employee, to assist with their effective recruitment decisions | Legitimate interest of the prospective employer |
Special categories of data
Special categories of data are data relating to your:
We carry out processing activities using special category data:
Most commonly, we will process special categories of data when the following applies:
Failure to provide data
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract of employment with you. This could include being unable to offer you employment, or administer contractual benefits.
Criminal conviction data
We will only collect criminal conviction data where it is appropriate given the nature of your role and where the law permits us. This data will usually be collected at the recruitment stage, however, may also be collected during your employment. We use criminal conviction data to determine your suitability, or your continued suitability for the role. We rely on the legal basis that it is our legal obligation to process this data.
Who we share your data with
Employees within our company who have responsibility for recruitment, administration of payment and contractual benefits and the carrying out performance related procedures will have access to your data which is relevant to their function. All employees with such responsibility have been trained in ensuring data is processing in line with GDPR.
Data is shared with third parties for the following reasons:
We share data with third parties for the purposes of administering employee contracts and benefits, statutory obligations, establishing the company’s legal rights and obligations and providing training.
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data
We do not share your data with bodies outside of the European Economic Area.
Resident data may be shared with family, outside professionals, the organisations website and other stakeholders involved a person’s care. This sharing of data will only take place in an individual’s best interest and following an assessment of their capacity.
A copy of this document will be available both at Head office and with the individual’s Care Health Action Plan
Protecting your data
We are aware of the requirement to ensure that a person’s data is protected against accidental loss or disclosure, destruction and abuse. We have implemented processes to guard against such.
Retention periods
We only keep data for as long as we need it for, which will be at least for the duration of your employment with us though in some cases we will keep your data for a period after your employment has ended. Some data retention periods are set by the law. Our retention periods are: Retention periods can vary depending on why we need your data, as set out below:
All financial and employment records are stored of period of 7 years
All accident records are stored for a period of 30 years
All medical records in relation to the people we support are stored for a period of 30 years.
Automated decision making
Automated decision making means making decision about you using no human involvement e.g. using computerised filtering equipment. No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you.
Employee/resident rights
You have the following rights in relation to the personal data we hold on you:
More information can be found on each of these rights in our separate policy on employee rights under GDPR.
Consent
Where you have provided consent to our use of your data, you also have the right to withdraw that consent at any time. This means that we will stop processing your data.
Making a complaint
If you think your data rights have been breached, you are able to raise a complaint with the Information Commissioner (ICO). You can contact the ICO at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or by telephone on 0303 123 1113 (local rate) or 01625 545 745.
Data protection compliance
Our Data Protection Officer is:
Mr. Michael Potter
mpotter@reach-disabilitycare.co.uk
if you would like to complain about how we have dealt with a request, please contact
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF https://ico.org.uk/global/contact-us/
Subject Access requests – Making a request
In accordance with the UK Data Protection Regulation (UK GDPR), R.E.A.C.H you have rights under the UK General Data Protection Regulation, to access the personal data we hold on you. To do so, you should make a subject access request, and this policy sets out how you should make a request, and our actions upon receiving the request.
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.
Requests that are made directly by you should be accompanied by evidence of your identity. If this is not provided, we may contact you to ask that such evidence be forwarded before we comply with the request.
Requests made in relation to your data from a third party should be accompanied by evidence that the third party is able to act on your behalf. If this is not provided, we may contact the third party to ask that such evidence be forwarded before we comply with the request.
Timescales
Usually, we will comply with your request within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
Fee
We will normally comply with your request at no cost. However, if the request is manifestly unfounded or excessive, or if it is repetitive, we may contact you requesting a fee. This fee must be paid in order for us to comply with the request. The fee will be determined at the relevant time and will be set at a level which is reasonable in the circumstances.
In addition, we may also charge a reasonable fee if you request further copies of the same information.
Information you will receive
When you make a subject access request, you will be informed of:
Circumstances in which your request may be refused
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with and an explanation of the reason will be provided.
Feel free to contact us with any queries you may have and we will be sure someone gets back to you
Contact Us