The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a new regulation which replaces the Data Protection Directive (Directive 95/46/EC). The General Data Protection Regulation builds on previous legislation but enhances privacy rights for individuals. The GDPR will apply in the UK from 25th May 2018. Despite the UK’s intention to leave the European Union in March 2019, the GDPR will still apply, in accordance with the Information Commissioner’s Office (ICO) guidance to continue a similar level of regulation post-March 2019, together with a new Data Protection Act.
This policy will outline:
· The details of the Data Controller and how to contact the Data Protection Officer (DPO)
· The types of personal data we collect and how we use it
· Our purpose and legal basis for processing your data
· How and when we share data with C. & P. Limited and partners
· How and when we use your data for marketing purposes
· Your rights to request your personal data and how to do so
· How you can raise a complaint with the ICO
Who controls my personal data?
The Data Controller is C. & P. Limited
· C. & P. Limited is a UK registered company (Reg. No. 980328)
· The registered address is 40 Mickleburgh Hill, Herne Bay CT6 6DT
· The Data Controller’s representative is the Data Protection Officer (DPO)
· You can contact the DPO by email: firstname.lastname@example.org
· C. & P. Limited is registered as a Data Controller with the Information Commissioner’s Office. Certificate number ZA144353
Our purpose and legal basis for processing your data
C. & P. Limited trades as Kimberley Care and operates the Care Home to provide residential support to persons with dementia.
We collect the personal data of the following types of people:
· Our clients, partners within health and social care and our suppliers
· Our employees, Board members and business connections
What data will you give to us or will we collect from you?
· You provide us with your personal data by filling in forms on http://www.kimberley-care.com, by corresponding with us by phone, e-mail, on our website or online, or otherwise, by subscribing to our services, sharing your details at meetings with us, attending our events, participating in discussion boards or other forums and functions, by entering a survey or by reporting a problem with our site or by voluntarily providing your personal information directly to C. & P. Limited at any other time e.g. giving us your business card.
· Your personal details: name, date of birth, address, phone numbers and details about your next of kin. We also keep some financial details.
· Your GP name and practice details.
· Medical records applying to the time you have spent with us.
· Medical history.
· We keep records required by care home regulations, like risk assessments, information on resuscitation and records of accidents and incidents.
· We also keep records about likes, dislikes, support needs and life history in your care plan.
· Personal data may also include links to professional sites such as LinkedIn, Twitter, Facebook or our website.
· We will also produce summary notes from meetings that may be circulated to attendees.
What Information do we obtain from other sources?
· We may be provided with information of the type listed above from central and local government departments (including Local Authorities), GP surgeries, Clinical Commissioning Groups, hospitals, other NHS services, care agencies and care homes.
What are the purposes and legal bases for our processing?
We use information held about you in the following ways:
· To carry out our obligations arising from any contracts we intend to enter or have entered between you and us and to provide you with the information, products, and services that you request from us or we think will be of interest to you because it is relevant to you or to your organisation
· To provide you with information about other goods and services we offer that are like those that you have already purchased, been provided with, or enquired about
· Our main legal basis for the processing of personal data is our legitimate business interests, described in more detail below, although we will also rely on contract, legal obligation, and consent for specific uses of data
· We will rely on contract if we are negotiating or have entered into an agreement with you or your organisation or any other contract to provide services to you or receive services from you or your organisation
· We will rely on legal obligation if we are legally required to hold information about you to fulfil our legal obligation, for example, our statutory obligation as an employer
· We will in some circumstances rely on consent for uses of your data and you will be asked for your express consent e.g. before sharing your details with a third party
Our Legitimate Business Interests
· To offer residential care, day care, and support to our clients
· To manage employee and contractor relationships
· To manage our organisational rights and obligations
· Should we want or need to rely on consent to lawfully process your data, we will request your consent, by email or by an online process, for the specific activity we require consent for, and record your response on our system. Where consent is the lawful basis for our processing, you have the right to withdraw your consent to this processing at any time
Other uses we will make of your data
· To notify you about changes to our services
· To ensure that content from our website is presented in the most effective manner for you and for your computer
· To administer our website and for internal operations, including troubleshooting, security, data analysis, testing, research, statistical and survey purposes
· To allow you to participate in interactive features of our service, when you choose to do so
· To measure or understand the effectiveness of our advertising that we serve to you and others, and to deliver relevant advertising to you
· We do not undertake automated decision making or profiling. We do use our computer systems to search and identify personal data in accordance with parameters set by a person. A person will always be involved in the decision-making process
Who will have access to your data inside and outside of the European Economic Area (EEA)?
· We do not foresee that we will share your personal information with any third parties outside of the EEA. In the unlikely event that changes, we will notify you in good time.
Will your data be used for marketing?
· We will only send you information about our products and services that are relevant to you
· We may send the communication in several ways including email and post
· When you register your details with us, we will ask your preferences on receiving marketing communications. You also have the right to change your preferences at any time by phone or email
What are cookies and how do they affect your personal data?
· The cookies used by our website provider track site visitors’ basic information to better tailor the site to our visitors’ needs and improve their customer experience
· Most web browsers automatically accept cookies; however, you can disable cookies in your web browser if you wish. Please be aware that disabling cookies will affect the functionality of our website and you may disable other features on the website. We recommend you do not disable cookies, in case they are used to provide a service that you use
Where will we store and process your personal data?
· All information you provide to us is either stored in hard copy or on our computers. Any online payment transactions will be encrypted. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone
· Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to or via our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access
How long will we retain your data?
We understand our legal duty to retain accurate data that you are happy for us to retain and only retain personal data for as long as we need it for our legitimate business interests or to satisfy legal, accounting or reporting requirements. Accordingly, we run regular data routines to remove data that we no longer have a legitimate business interest in maintaining.
We do the following to try to ensure our data is accurate:
· We keep in touch with you, so you can let us know of changes to your personal data
· We may archive part or all of your personal data or retain it on our financial systems. We may pseudonymise parts of your data, particularly following a request for suppression or deletion of your data, to ensure that we do not re-enter your personal data on to our database, unless requested to do so
· For your information, pseudonymised data is created by taking identifying fields within a database and replacing them with artificial identifiers, or pseudonyms
How safe is your data?
· Appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
· We use electronic safeguards including firewalls, anti-virus and anti-malware software to protect your data
· Only authorised staff have access to personal data and are appropriately trained and supported by policies and procedures for handling personal data
· We do not recommend or guarantee the safety of your payment details sent to us electronically via email
What are your rights to your personal data?
· You have the right to request copies of any personal data held by us.
· To receive a copy of your personal data please send your written request to the Data Controller at C. & P. Limited, 40 Mickleburgh Hill, Herne Bay, CT6 6DT
· We will provide you with a hard copy of your personal data held
· You will not be charged for your personal data request
· Your data will be returned within 40 days of receiving the request
· We will require proof of identity
· You also have the right to the following:
o The right to prevent data being processed for direct marketing
o The right to have inaccurate personal data rectified, erased, or destroyed
o You have the right to make a complaint to a supervisory body, which in the United Kingdom is the Information Commissioner’s Office. The ICO can be contacted through this link: https://ico.org.uk/concerns/
You will have the following additional rights under the GDPR:
· The right to object to processing that is likely to cause, or is causing damage or distress.
· The right to object to decisions being taken by automatic means.
· The right to have inaccurate personal data suppressed, rectified, blocked, erased, or destroyed.
· You can enforce these rights by contacting the Data Controller.