GDPR‎ > ‎

Privacy notice


As part of the service we offer, we are required to process personal data about our staff, our service users and, in some instances, the friends or relatives of our service users and staff. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data. This privacy policy tells you what will happen to any personal data that you provide to Springwood House Residential Home as a result of using this website or contacting us. We fully understand that your privacy is important to you and that you care about how your personal data is used and shared online and we will take account of, and respect, your concerns.

This policy explains how we will use, and protect, the information that we gather, whether it be through this website, by way of telephone or personal conversations or through our normal business contacts with you. Please read this privacy policy carefully and ensure that you understand it. Details are given below of contacts should you wish to ask questions but please note that acceptance of this privacy policy and our cookie policy (see “Cookies” below) is required to make full use of our site.

 

Our details

 

Organisation’s name

Springwood House Residential Home

 

 

Address

Duffield Bank, Duffield, Derbyshire, DE56 4BG

 

 

Telephone number

01332 840757

 

 

Email address

springwoodhouse@gmail.com

 


We are registered with the Information Commissioner’s Office (ICO).

Contact details: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF www.ico.org.uk

Our Data Protection Officer (DPO) Stephen Jephson can be contacted at springwoodhouse@gmail.com


Your rights

Under the General Data Protection Regulation (GDPR), you have the right to be informed about:

  • the collection and use of your personal data
  • our purposes for processing that data
  • the retention periods for storing your data (or a guarantee that it will be kept only for as long as necessary)
  • who it will be shared with (both in this country and, if applicable, in others: in this case, we will inform you of the safeguards which are applied in that country)
  • the legal basis under which we process your data
  • the right to withdraw your consent (if consent is the legal basis for processing)
  • our “legitimate interest” in processing your data (if that interest is the legal basis for processing)
  • details of any data we collect about you from a third party (such as publicly-available information)
  • the right to lodge a complaint with the ICO
  • details of the existence of automated decision-making, including profiling (if applicable).

You also have the right to information that is concise, transparent, intelligible, easily accessible and presented to you in clear and plain language rather than in “legalese”. We would encourage you to get in touch with the contact given above if you have any questions about this policy statement or our procedures with regard to data processing. This will not in any way affect your right (mentioned above) to complain to the ICO.

Finally, we commit to informing you if, at any time, we update our privacy information and always to seek permission if we plan to use your personal data for a new purpose.

 

Service Users - The information we collect

As a registered care provider, we must collect some personal information on our service users, including financial information, which is essential to our being able to provide effective care and support. The information is contained in individual files (manual and electronic) and other record systems, all of which are subject to strict security and authorised access policies. Personal information that becomes inactive, e.g. from enquiries or prospective users who do not enter the service is also kept securely for as long as it is needed, before being safely disposed of (see “the right to be forgotten” below).

We process and store details of your:

  • name
  • chosen mode of address (Mrs, Ms, etc)
  • date of birth
  • address
  • next of kin
  • email address
  • Financial Arrangements e.g. the funding arrangements for your care

 We also record the following data which is classified as “special category”:

  • Health and social care data about you, which might include both your physical and mental health data. This could take the form of a Care Plan
  • We may also record data about your religion
We might continue to build on the information provided in enquiry and referral forms, and, for example, from needs assessments, which feed into their care and support plans.

 

Why do we need this information?

We use the information that we collect and store about you to:

  • offer and provide our services
  • manage invoices and accounts
  • invite participation in polls and surveys
  • deliver marketing and events information

The legal basis under which we collect and store data

There are six possible legal grounds under the GDPR. These are:

1. consent

2. fulfilment of a contact

3. legitimate interests

4. vital interests

5. public task

6. legal obligation.

 

We process your data because:

  • we are required to do so in our performance of a public task
  • we are required to do so in order to fulfil a contract that we have with you
  • we have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005

 

We process your special category data because:

  • it is necessary due to social security and social protection law (generally this would be in safeguarding instances)
  • it is necessary for us to provide and manage social care services
  • we are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We may also process your data with your consent.  If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

 

Where do we process your data?

Your data could be collected from or shared with:

  • you or your legal representative(s)
  • third parties.

We may do this face to face, via phone, via email, via post or via application forms Third parties are organisations we have a legal reason to share your data with. These include:

  • other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals
  • local Authorities
  • organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC
  • the police or other law enforcement agencies if we have to by law or court order.

Staff and Volunteers – The information we collect

Springwood House operates a safe recruitment policy to comply with the regulations in which all personal information obtained, including CVs and references, is, like service users’ information, securely kept, retained and disposed of in line with data protection requirements. All employees are aware of their right to access any information about them.

We process and store details of your:

  • name
  • chosen mode of address (Mrs, Ms, etc)
  • date of birth
  • address
  • next of kin
  • email address
  • National Insurance number

 

We also record the following data which is classified as “special category”:

  • Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order to claim statutory maternity pay
  • Criminal record data

Personal information is obtained directly and with consent through such means as references, testimonials and criminal records (DBS) checks. When recruiting staff, we seek applicants explicit consent to obtain all the information needed for us to decide to employ them.

 

Why do we need this information?

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data. We process your data because:

  • we have a legal obligation under UK employment laws
  • we are required to do so in our performance of a public task
  • we have a legitimate interest in processing your data – for example, we provide data about your training to CQC

Springwood House has carried out a legitimate interests assessment (LIA) which can be seen on request. In doing so, we have checked that the processing is necessary and that there is no less intrusive way to achieve the same result. We will only use your data in ways that you would reasonably expect, unless we have a very good reason. We will not use your data in ways that you would find intrusive or which could cause you harm and we have considered and introduced safeguards to reduce the impact where possible.

If we process children’s data, we take extra care to make sure we protect their interests. In using this basis for processing data, we will make sure that your interests, as protected by the GDPR, are not undermined by our legitimate interests.”

 

We process your special category data because:

  • it is necessary due to social security and social protection law - we are required to perform Disclosure and Barring Service (DBS) checks on our staff
  • it is necessary for us to process requests for sick pay or maternity pay
  • we are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

 

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

As your employer we need specific data. This is collected from or shared with:

  • you or your legal representative(s)
  • third parties.

 

We do this face to face, via phone, via email, via post or via application forms Third parties are organisations we have a legal reason to share your data with. These include:

 

  • Her Majesty’s Revenue and Customs (HMRC)
  • our pension scheme
  • our external payroll provider
  • organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC
  • the police or other law enforcement agencies if we have to by law or court order.

 

Friends and Relatives – The information we collect

All personal information obtained about others associated with the delivery of the care service, including contractors, visitors, etc will be protected in the same ways as information on service users and employees.

It might be necessary that we hold the following information about you:

  • Your basic contact details e.g. your name, address, telephone number

Why do we have this data?

By law, we need to have a lawful basis for processing your personal data. We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.

 

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

 

Where do we process your data?

This is collected from or shared with:

  • you or your legal representative(s)
  • third parties

 

We do this face to face, via phone, via email, via post or via application forms. Third parties are organisations we have a legal reason to share your data with. These may include:

  • other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals
  • local Authorities
  • the police or other law enforcement agencies if we have to by law or court order.

 

Applying the data protection principles

Springwood House is committed to applying the principles set out in the GDPR. To that end, we will always strive to ensure that:

  • personal data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • our procedures are adequate, relevant and limited to what is necessary in relation to the purposes for which they are put in place
  • the data we collect are accurate and, where necessary, kept up to date, every reasonable step will be taken to ensure that data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
  • data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed
  • data are processed in a manner that ensures their appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

Better by design

In applying the above principles, Springwood House recognises that it has a general obligation to implement technical and organisational measures to show that it has considered and integrated data protection into all data processing activities. All of our employees are trained in the requirements of GDPR and as far as possible we aim to ensure that contracts, website designs, publicity materials and HR policies are all in line with the GDPR requirements.

 

Access to your data

On receipt of a request for access to the data which we hold about you, we will respond without delay and at the latest within one month of receipt. Information will be provided free of charge although a reasonable fee may be applied when a request requires excessive work, particularly if it is repetitive. This fee will reflect the amount of administrative work involved.

 

The right to be forgotten

Also known as data erasure, the “right to be forgotten” set out in the GDPR entitles you to ask any data controllers to erase your personal data and to cease further dissemination. You can make such a request either verbally or in writing and we will respond as quickly as possible, and at the latest within one month. We understand that there is a particular emphasis on the right to erasure if the request relates to data collected from children and such requests will always be given the highest priority.

Please note, however, that there are certain circumstances in which the right to erasure may not apply. These include where processing is necessary for one of the following reasons:

  • to comply with a legal obligation
  • to exercise the right of freedom of expression and information
  • for the performance of a task carried out in the public interest or in the exercise of official authority
  • for the establishment, exercise or defence of legal claims.

In addition, any organisation is allowed to refuse to comply with a request for erasure if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. We will, however, explain and justify any such refusal.

 

Right to be informed

Within one month of collecting your personal data, we will inform you of the purposes for processing that data, the retention periods and with whom it will be shared. Any information which is provided to you will be concise, transparent, intelligible, easily accessible and presented in clear and plain language.

 

Right to rectification

Either verbally or in writing, you may ask for inaccurate personal data to be rectified, or to be completed if it is partial. We will respond as quickly as possible and certainly within the one month time period allowed under the GDPR. In the unlikely event that there is disagreement over the accuracy of the data, we will do our best to resolve this and you will, of course, have right to take the matter to the ICO if we cannot reach agreement. If that situation arises, we are prepared to consider restricting processing of the contested data during the time it takes to resolve the issue with the ICO.

 

Children

Under the GDPR, only children aged 13 or over are able to provide their own consent. For those under this age, we will seek consent from whoever holds parental responsibility or, if we are using a different legal basis, will inform that person accordingly. We are fully aware that children have the same rights as adults over their personal data and are committed to ensuring full protection for them at all times.

Right to data portability

This organisation recognises that, under the GDPR, you must be able to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The requested information will be provided free of charge in a structured, commonly used and machine-readable form. However, it should be noted that the right to data portability only applies:

  • to personal data an individual has provided to a controller
  • where the processing is based on the individual’s consent or for the performance of a contract
  • when processing is carried out by automated means.

 

Right to object

You have the right to object to:

  • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling)
  • direct marketing (including profiling)
  • processing for purposes of scientific/historical research and statistics.

We will stop processing personal data for direct marketing purposes as soon as an objection is received.

 

Automated decision-making and profiling

Profiling refers to the automated processing of personal data to evaluate certain things about an individual. Together with making a decision solely by automated means, it is covered by the GDPR and will require the individual’s explicit consent. We will only collect the minimum amount of data needed and will retain it only for as long as is necessary. Anyone affected by an automatic decision has the right to ask for it to be reconsidered and we have additional checks in place for profiling/automated decision-making systems to protect vulnerable groups such as children.

 

Data breaches

While we will take all appropriate measures to prevent illegal access to your data, we have to prepare for that possibility. Should there be a significant data breach affecting your data and rights, we will notify you (and the ICO) as soon as possible. To minimise any possible danger, we will use password protection and encryption where it is appropriate to do so. We will also have backup systems in place in the event that an outside organisation attempts to disrupt access to our data.

 

Our Website - Cookies

A cookie is a small text file placed on your computer or device by our site when you visit certain parts of it and/or use certain of its features. For example, we may monitor how many times you visit, which pages you go to, traffic data, location data, weblogs and other communication data whether required for billing purposes or otherwise. Where appropriate, this data will be aggregated or statistical, which means that we will not be able to identify you individually.

You can set your browser not to accept cookies and there are a number of websites which explain how to remove cookies from your browser. However, it is possible that some of our website features may not function as a result.

 

Third party websites

Please note that there are some links on our website to other sites where you may find useful information. This does not indicate a general endorsement of those sites and, as we have no control over how data is collected, stored, or used by other websites, we would advise you to check their privacy policies before providing any data to them.

 

Last updated on (06/05/2019) by Stephen Jephson (Director who can be contacted at springwoodhouse@gmail.com

 

Comments