PRIVACY NOTICE FOR A-A QUALITY CARE LTD (‘A-A’)
As part of the services we provide, we are required to process enough personal information about our applicants, staff members, volunteers and referees so that we may keep in touch with you. The processing means collecting, recording, organising, storing, sharing or destroying information. The law allows us to collect and use this information so long as we are sure that it is A-A’s legitimate interests to do so.
In doing so, we would also like to have your agreement for us to use your information in certain other limited ways. This would include for example adding your name, contact details, date of birth, National Insurance Number, referees details and pin number into our company database which is held on approved computers, devices, hard copies and cloud storage services that are password protected and accessed only by the managers, nominated Trustees, representatives and the A-A Administrators. All the above data will be destroyed from the database once your application is declined or unless you ask to remain as one of our ongoing applicants.
If you are happy for your details to be used in one or more of these ways please indicate by ticking the appropriate boxes on our Consent Form. You can ask for your details to be removed at any time even during your application stage.
To enable us to process adequate application one of the Managers or an approved member from our team may contact you, your referees, Disclosure Bureau Services (‘DBS’) by phone, letter or email(in password protected documents) on an approved computer and cloud storage service but the password will only be known by the Manager or approved team member concerned.
Under Data Protection legislation the Company A-A is the Data Controller and one of their number acts as our nominated Data Protection Trustee.
As a staff member or volunteer, you do of course have the right to ask to see any information that we hold about you (limited to references). You also have the right to ask for information which you believe to be incorrect to be rectified and to ask for all or part of the data held concerning you erased once it is no longer necessary for us to retain that data.
1.0 Why do we have this data?
1.1 A-A is committed to protecting of the personal data and respecting the rights of our data subjects (the people whose personal data we collect and use). We value the personal information entrusted to us and we respect that trust, by complying with all relevant laws and adopting good practice.
We process personal data because:
a) we have a legal obligation under UK employment law;
b) we are required to do so in our performance of public task;
c) we have a legitimate interest in processing your data for example we provide data about your recruitment and training to Skills for Care’s National Minimum Data Set ;
d) maintain our accounts, records and payroll processing;
e) promote and manage our rota in terms of payments;
f) respond effectively to enquirers and handle any complaints
1.2 This policy has been approved by the managers, representatives & trustees who are responsible for ensuring that we comply with all our legal obligations. It sets out the legal rules that apply whenever we obtain, store or use personal data.
2.0 Why is this policy important?
2.1 We are committed to protecting personal data from being misused, getting into the wrong hands as a result of poor security, being shared carelessly, or being inaccurate. We are very aware that people can be upset or harmed if any of these things happen.
2.2 This policy sets out the measures we are committed to take as an organisation and, what each of us will do to ensure we comply with the relevant legislation.
2.3 In particular, we will make sure that all personal data is:
a) processed lawfully, fairly and in a transparent manner;
b) processed for specified, clear and legitimate purposes and never in a manner that is incompatible with those purposes;
c) adequate, relevant and limited to what is necessary for the purposes for which it is being processed;
d) accurate and, where necessary, up to date;
e) not kept longer than necessary for these purposes;
f) processed in a secure manner, by using appropriate technical and organisational methods;
g) processed in keeping with the rights of data subjects regarding their personal data.
3.0 How does this policy apply to you & what do you need to know?
3.1 If you are a staff member in particular management or nominated person – processing personal information on behalf of A-A, you are required to comply with this policy. If you think that you have accidentally breached the policy it is important that you contact our Data Protection Trustee on 01293 224284 or 07711 986847 or via our contact form immediately so that we can take quick action to try and limit the impact of the breach.
Anyone who breaches the Data Protection Policy may be subject to disciplinary action, and where it is clear that the individual has breached the policy intentionally, recklessly, or for personal or commercial benefit they may also be liable to prosecution or to regulatory action.
3.2 If one is appointed data processor/contractor – Companies who are appointed by us as a data processor are required to comply with this policy under the contract with us. Any breach of the policy will be taken seriously and could lead to us taking contract enforcement action against the company, or terminating the contract. Data processors have direct obligations under the regulations, primarily to only process data on instructions from the controller A-A and to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk involved.
3.3 We will identify a named Trustee (“The Data Protection Trustee”) from time to time if necessary – to be responsible for updating A-A and its staff members and volunteers about their legal obligations under data protection law, monitoring compliance with data protection law, dealing with data security breaches and with the development of this policy.
4.0 Training and guidance
4.1 We will at least annually update all staff and volunteers to raise awareness of their obligations and our responsibilities, as well as to outline the law.
4.2 We may also issue procedures, guidance or instructions from time to time.
5.0 What we do with personal information we process?
5.1 In the course of our normal activities i.e. recruitment, selection employment and training, we may collect and process information (personal data) about a range of applicants, employees and volunteers (data subjects) who come into contact with A-A. This includes data we receive straight from the DBS that it is about, for example, where they are an update in staff records. We may also receive information about data subjects from other sources including, for example, previous employers, safeguarding and checks.
6.0 What data do we have?
6.1 We process personal data in both electronic and paper form and all this data is protected under data protection law. The personal data we process can include information such as names, contact details, date of birth, National Insurance Number, Next of Kin, education or employment details and visual images.
6.2 In some cases, we may hold types of information that are called “special categories” of data in the regulations because they are sensitive and personal. This personal data can only be processed under strict conditions.
‘Special categories’ of data (as referred to in the GDPR) which we record are:
Your health and social care data, which might include both your physical and mental health data, we will only collect this if it is necessary to know as an employer for example – fit to work notes. We may also record information about a person’s: racial or ethnic origin; religious or similar (e.g. philosophical) beliefs or trade union membership.
6.3 We will not hold information relating to criminal proceedings or offences or allegations of offences unless there is an overarching safeguarding requirement to process this data for the protection of our client’s organisation.
6.4 Other information may also be considered ‘sensitive’ such as bank details, but will not be subject to the same legal protection as the types of data listed above.
7.0 How do we make sure processing is fair and lawful?
7.1 Processing of personal data will only be fair and lawful when the purpose of the processing has a legal basis, as listed below, and when the processing is transparent. This means we will provide applicants, staff and volunteers with an explanation of how and why we process their personal data at the point we collect data from them .(see our “Privacy Notices”).
8.0 How can we use your personal data legally?
8.1 Processing of personal data by A-A is only lawful if at least one of these legal conditions is met:
a) the processing is necessary for making a job offer with the data subject;
b) the processing is necessary for making a contract with the data subject;
c) the processing is necessary for us to comply with a legal obligation that we have;
d) the processing is necessary for us to perform a task in the public interest, and the task has a clear basis in law;
e) the processing is necessary for legitimate interests that are pursued by A-A unless these are overridden by the interests, rights and freedoms of the data subject.
f) If none of the other legal conditions applies our processing of data will only be lawful if the data subject has given their clear consent.
9.0 How can we legally use ‘special categories’ of data?
9.1 Processing of ‘special categories’ of sensitive personal data is only lawful when, in addition to the conditions above, one of these extra conditions is met. These conditions include where:
a) the processing is necessary for carrying out our obligations under Employment and Social Security, Care Quality Commission, Nursing & Midwifery Council and Social Protection Law;
b) the processing is carried out in the course of our legitimate activities and only relates to our applicants staff members and volunteers or to persons we supply our staffs to or we are in regular contact with in connection with our purposes;
c) the processing is necessary for pursuing legal claims.
d) If none of the other legal conditions applies the processing will only be lawful if the data subject has given their explicit consent.
9.2 Before deciding which condition should be relied upon, we may refer to the original text of the regulations as well as any relevant guidance, and seek legal advice as required.
9.0 What must we tell applicants, staffs and volunteers before we use their data?
9.1 If personal data is collected directly from the individual stated above, we will inform them about; our identity/contact details the reasons for processing, and the legal bases, explaining our legitimate interests, and explaining, where relevant, the consequences of not providing data needed for recruitment, selection, employment and training or statutory requirement; who we will share the data with; if we plan to send the data outside of the European Union; how long the data will be stored and the data subjects’ rights.
This information will be referred to as a ‘Privacy Notice’.
This information will be given at the time when the personal data is collected.
9.2 If data is collected from another source, rather than directly from the data subject, we will provide the data subject with the information as well as: the categories of the data concerned; and the source of the data.
This information will be provided to the individual in writing and no later than within 1 months after we receive the data unless a legal exemption under the GDPR applies. If we use the data to communicate with the data subject, we will at the latest give them this information at the time of the first communication.
9.3 If we plan to pass the data onto someone else outside A-A we will give the data subject this information before we pass on the data. This will usually be:
10.0 When do we need consent to process information?
10.1 Where none of the other legal conditions applies to the processing, and we are required to get consent from the data subject, we will clearly set out what we are asking consent for, including why we are collecting the information and how we plan to use it. Consent will be specific to each process we are requesting consent for and we will only ask for consent when the data subject has a real choice whether or not to provide us with their information. (for example – asking for reference, applying for DBS on their behalf).
10.2 Consent can, however, be withdrawn at any time and if withdrawn, the processing will stop. Data subjects will be informed of their right to withdraw consent and it will be as easy to withdraw consent as it is to give consent. (example – writing/ emailing/texting us to stop).
11.0 How do we process information for the “specified purposes”?
11.1 We will only process personal information for the specific purposes explained in our Privacy Notices or for other purposes specifically permitted by law. We will explain those other purposes to data subjects, unless there are lawful reasons for not doing so.
12.0 How do we ensure that the information will be sufficient, relevant and not unnecessary?
12.1 We will only collect and use personal information that is needed for the specific purposes described above (which will normally be explained to the data subjects in Privacy Notices). We will not collect more than is needed to achieve those purposes. We will not collect any personal data “just in case” we want to process it later.
13.0 Do we keep data accurate?
13.1 We will make sure that personal information held is precise and, where appropriate, kept up to date. The precision of personal information will be checked at the point of collection and at appropriate points later on.
14.0 How long do we keep data for?
14.1 We will not keep personal data longer than is necessary for the purposes that it was collected for. We will comply with official guidance issued to small companies about retention periods for specific records. (example – period of your application and employment or up to seven years after which time it is disposed of).
15.0 How do we ensure the security of personal information?
15.1 We will use suitable measures to keep personal information secure at all points of the processing. Keeping information secure includes protecting it from unauthorised or unlawful processing, or from accidental loss, destruction or damage.
15.2 We will implement security measures which provide a level of security which is appropriate to the risks involved in the processing.
Measures will include technical and organisational security strategies. In assessing what measures are the most appropriate we will take into account the following, and anything else that is relevant:
a) the quality of the security measure;
b) the costs of implementation;
c) the nature, scope, context and purpose of processing;
d) the risk (of varying likelihood and severity) to the rights and freedoms of data subjects;
e) the risk which could result from a data breach.
15.3 Measures may include:
a) technical systems security;
b) measures to restrict or minimise access to data;
c) measures to ensure our systems and data remain available or can be easily restored in the case of an incident;
d) physical security of information and of our office premises;
e) organisational measures, including policies, procedures, training and audits;
f) regular testing and evaluating of the effectiveness of security measures.
16.0 How do we keep records of our data processing?
16.1 To show how we comply with the law we will keep clear records of our processing activities and of the decisions we make concerning personal information (setting out our reasons for those decisions).
17.0 What are our data subjects’ rights?
17.1 We will process personal information in line with data subjects’ rights, including their right to:
a) request access to any of their personal information held by us (this is known as a Subject Access Request);
b) ask to have inaccurate personal information changed;
c) restrict processing, in certain circumstances;
d) object to processing, in certain circumstances, including preventing the use of their information for direct marketing;
e) data portability, which means to receive their information, or some of their information, in a format that can be easily used by another person (including the data subject themselves) or organisation;
f) withdraw consent when we are relying on consent to process their information.
17.2 If a staff member or volunteer receives any request from a data subject that relates or could relate to their data protection rights, this will be forwarded or reported to our Data Protection representative immediately.
17.3 We will act on all valid requests as soon as possible and at the latest within one calendar month, unless we have reason to, and can lawfully extend the timescale. This can be extended by up to two months in some circumstances.
17.4 All data subjects’ rights are provided for free.
17.5 Any information provided to data subjects will be concise and transparent, using clear and plain language.
17.6 We will always respond to your request about the way we use your information as soon possible at the latest within one month. If you are still unhappy you have the right to complain to the Information Commissioners office at: https//ico.org.uk/global/contact-us/
18.0 What about direct “marketing”?
16.1 We will comply with the rules set out in the General Data Protection Regulations (GDPR), the Privacy and Electronic Communications Regulations (PECR) and any laws which may amend or replace the regulations around direct marketing. This includes, but is not limited to, when we make contact with data subjects by post, email, text message, social media messaging, telephone (both live and recorded calls) and fax.
Direct marketing means the communication (by any means) of any advertising or marketing material which is directed, or addressed, to individuals. “Marketing” does not need to be selling anything or be advertising a commercial product. It includes contact made by organisations to individuals for the purposes of promoting the organisation’s aims.
18.2 We will not send your information to any organisation for direct marketing.
19.0 When do we share information with other organisations?
19.1 We will only share personal information with other organisations or people when we have a legal basis to do so and if we have informed the data subject about the possibility of the information being shared (in a Privacy Notice) unless legal exemptions apply to informing data subjects about the sharing. Only authorised and properly instructed management and data representative are allowed to share personal data.
19.2 We will keep records of information shared with a third party, which will include recording any exemptions which have been applied, and why they have been applied. We will follow the Information Commissioners Office (ICO) statutory Data Sharing Code of Practice (or any replacement code of practice) when sharing personal information with other data controllers. Legal advice will be required.
20.0 What about our Data Processors?
20.1 Before appointing any contractor, who will process personal information on our behalf (a data processor), we will carry out due diligence checks. The checks are to make sure the processor will use appropriate technical and organisational measures to ensure the processing will comply with data protection law, including keeping the information secure and upholding the rights of data subjects. We will only appoint data processors who can provide us with sufficient guarantees that they will do this.
20.2 We will only appoint data processors on the basis of a written contract that will require the processor to comply with all relevant legal requirements. We will continue to monitor the data processing, and compliance with the contract, throughout the duration of the contract.
21.0 When may we transfer personal data outside the European Union (EU)?
21.1 Personal data cannot be transferred (or stored) outside of the European Union unless this is permitted by the GDPR. This includes storage on a “cloud” based service where the servers are located outside the EU.
21.2 We will only transfer data outside the EU where it is permitted by one of the conditions for non-EU transfers in the GDPR or the data subject gives a consent (Example – asking for employment reference provided by the data subject)
22.0 How do we deal with data protection breaches?
22.1 Where management staff, representative or volunteers or contractors working for us, think that this policy has not been followed, or data might have been breached or lost, this will be reported immediately to the Data Protection Representative.
22.2 We will keep records of personal data breaches, even if we do not report them to the ICO.
22.3 We will report all data breaches which are likely to result in a risk to any applicant or employee, to the ICO. Reports will be made to the ICO within 72 hours from when someone in the business or staff member becomes aware of the breach.
22.4 In situations where a personal data breach causes a high risk to any person, we will (as well as reporting the breach to the ICO), inform data subjects whose information is affected, without delay.
This can include situations where, for example, DBS records are lost or an email containing sensitive information is sent to the wrong recipient. Informing data subjects can enable them to take steps to protect themselves and to exercise their rights.
23rd May 2018
Read more on Slavery and human trafficking statement.