Privacy Policy

This website, https://www.constantiacare.co.uk (“This Website”), is owned and operated by Constantia Care Ltd, a limited company registered in England (company number 08515434) whose registered office is Building 3, North London Business Park, Oakleigh Road South, London, N11 1GN, United Kingdom. The site is edited and maintained externally; however, the external maintainers are given no access to any private information.

In this privacy policy, references to “we”, “us” or “our” mean Constantia Care Ltd, which for the purposes of Data Protection Legislation (as defined below) is the data controller. References to “you”, “your” etc. are references to any person excluding our employees but including any user of our services, a user's next of kin and any person using this website.

In the course of our dealings with you, we will collect and process personal information about you. Personal information includes any information allowing us to identify you as an individual, for example, your name, your email address or your telephone number.

We are committed to protecting your privacy. We will use your personal information in accordance with all applicable laws and regulations that relate to data protection and privacy, including the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

Policy Statement

On 25 May 2018 the Data Protection Act 2018, which is built around the General Data Protection Regulation (GDPR), replaced the Data Protection Act 1998 in its entirety. It updates the existing data protection law to make it fit for a digital age in which ever-increasing amounts of personal data are processed. The Act sets new standards for protecting personal data, gives people more control over the use of their data and assists in the preparation for a future outside of the EU.
It provides for four main matters:

  • General Data Processing
  • Law Enforcement Data processing
  • Data Processing for National Security Purposes
  • Enforcement

All of the above need to be set in the context of international, national and local data processing systems which are increasingly dependent upon internet usage for the exchange and transit of data. The UK must lock into international data protection arrangements, systems and processes, and this Act updates and reinforces the mechanism that enables this to take place.
Given the size of the legislation and some of the media hype surrounding its introduction, this policy is written in two sections:
Section 1: Overview of the Act.
Section 2: The Policy and templates.

Section 1

Overview of the Act

The Act is structured in seven parts, each of which covers a specific area. These are:

Part 1: Preliminary

This sets out the parameters of the Act, gives an overview, explains that most processing of personal data is subject to the Act and gives the terms relating to the processing of personal data.

Part 2: General Processing

This supplements the GDPR and sets out a broadly equivalent regime for certain types of processing to which the GDPR does not apply.

Part 3: Law Enforcement Processing

This covers:

  • “competent authority”
  • meaning of “controller” and “processor”
  • data protection principles
  • safeguards in regard to archiving and sensitive processing
  • rights and access of the data subject, including erasure
  • implements the law enforcement directive
  • controller and processor duties and obligations
  • records
  • co-operation with the Information Commissioner
  • personal data breaches
  • the remedy of such breaches
  • position of the data protection officer and their tasks
  • transfer of data internationally to particular recipients
  • national security considerations
  • special processing restrictions and reporting of infringements.

Part 4: Intelligence Services Processing

This covers only data handled by the intelligence services (e.g. MI5 and MI6) and includes rights of access, automated decisions, rectification and erasure, and obligations relating to security and data breaches.

Part 5: The Information Commissioner

This covers

  • general functions including publication of Codes of Practice and guidance
  • their International role
  • their responsibilities in relation to specific Codes of Practice
  • consensual audits
  • information to be provided to the Commissioner
  • confidentiality and privileged communication
  • fees for services
  • charges payable to the Commissioner
  • publications
  • Notices from the Commissioner
  • reporting to parliament.

Part 6: Enforcement

This covers the new enforcement regime in relation to all forms of Notice issued by the Commissioner, including:

  • powers of entry and inspection
  • penalty amounts
  • appeals
  • complaints
  • remedies in the court
  • offences
  • special purpose proceedings.

Part 7: Supplementary and Final Provisions.

This covers the legal changes which the new Act makes in relation to other legal matters, e.g. Tribunal Procedure Rules, definitions, changes to the Data Protection Convention etc., and the list of Schedules. As you can see, this Act is a huge piece of legislation, the majority of which is outside the remit of service providers working within the adult health and social care sector. The I.C.O. confirms that many concepts and principles are much the same as before, and businesses already complying with the previous law are likely to be meeting many of the key requirements of the GDPR and the new Act already.

The Information Commissioner says the new Act represents a “step change” from previous laws. “It means a change of culture of the organisation. That is not an easy thing to do, and it's certainly true that accountability cannot be bolted on: it needs to be a part of the organisation's overall systems approach to how it manages and processes personal data.” It is a change of mindset in regard to data handling, collection and retention. We need to stop taking personal data for granted: it is not a commodity we own, it is only ever on loan. Individuals have been given control and we have been given a fiduciary duty of care over it.
We handle personal data on a day-to-day basis, and this policy sets out the requirements of the new Act and how we, as an organisation, will meet our legal obligations. Staff awareness and understanding of their responsibilities in regard to the handling, collection and retention of data will be core to the successful embedding of this policy.

Preparation: (The 12 Steps)

In order to comply with the requirements of the Act, preparation should include completing the ICO's 12 steps:

  • Awareness
  • Information we hold
  • Communicating privacy information
  • Individuals rights
  • Subject access requests
  • Lawful bases for processing
  • Consent
  • Children
  • Data Breaches
  • Data Protection by Design and Data Protection Impact Assessments
  • Data Protection Officers
  • International Data
Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
The ICO issued this guidance as the starting point for preparation. It has also made clear that it is aware that, for small companies in particular, time can be a factor in this preparation, but it is important to remember that you must start the 12 steps in order to be able to show compliance.
As an organisation we are preparing for this new Act by completing these 12 steps.

Definitions

The GDPR applies to “Controllers” and “Processors” (and, where one is required, a “Data Protection Officer”) and to certain types of information, specifically “Personal Data” and “Sensitive Personal Data”, referred to in the Act as “Special Categories of Personal Data”.

“Controllers”

A controller determines the purposes and means of processing personal data. Constantia Care Ltd is the controller for the personal data described in this policy.

“Processors”

A processor processes personal data on behalf of a controller. The Act places specific legal obligations on processors, e.g. they are required to keep and maintain records of personal data and processing activities, and they carry legal liability if they are responsible for a breach.

Data Protection Officer.

A Data Protection Officer must be appointed only in certain circumstances, namely if you:

  • are a public authority (except for courts);
  • carry out large-scale systematic monitoring of individuals, e.g. online
    behaviour tracking; or
  • carry out large-scale processing of special categories of data, or of data
    relating to criminal convictions and offences, e.g. the police, DBS bodies, the
    prison service etc.

“Personal Data”

This means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This includes a name, a reference or identification number, location data or an online identifier, reflecting changes in technology that have produced a wide range of different identifiers. Personal data covers both automated and manual filing systems. Pseudonymised data (e.g. key-coded data) can also fall within the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.

“Special Categories of personal Data”

This category of data is more sensitive and is given much more protection. Special category data specifically includes genetic data, biometric data, health data, race, ethnic origin, politics, religion, trade union membership, sex life and sexual orientation. Separate safeguards apply to other types of data, e.g. criminal convictions and offences and intelligence data.

Data Protection Principles

The GDPR sets out the following principles, which organisations are responsible for and must meet. These require that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals; and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.” Article 5(2) GDPR

“Lawful bases” for processing

There are six lawful bases for processing data. These are:

  • Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone's life.
  • Public task: the processing is necessary for us to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if a public authority is processing data to perform its official tasks.)

Consent

The GDPR sets a high standard here. Consent means offering individuals real choice and control. Consent practices and existing paperwork need to be refreshed to meet specific requirements. These are:

  • Positive opt-in, no pre-ticked boxes or other method of “default” consent
  • A clear and specific statement of consent
  • Vague or blanket consent is not enough
  • Keep consent requests separate from other terms and conditions
  • Keep evidence of consent – who, when, how, and what you told people
  • Keep consent under review
  • Avoid making consent to processing a precondition of any service
  • Employers need to take extra care to evidence that consent is freely given, and should avoid over reliance on consent

Consent is one lawful basis to consider, but organisations in a position of power over individuals should consider alternative lawful bases. If we would still process their personal data without consent, then asking for consent is misleading and inherently unfair. Consent within this policy relates only to data processing, not to health or support decisions in a social care context; Constantia Care uses consent as defined within the Mental Capacity Act 2005 to deliver services.

Legal Obligation

Put simply, the processing is necessary for us as an organisation to comply with the law, e.g. the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which require us as providers to collect, handle and process data in a prescribed manner.

Legitimate Interests

This is the most flexible lawful basis for processing. It is likely to be appropriate where we process data in ways that people would reasonably expect, with a minimal privacy impact, or where there is a compelling justification for the processing. There are three elements to consider when using this lawful basis. We need to:

  • identify a legitimate interest (this can be our own interest, the interest of a third party, a commercial interest, or an individual or social benefit);
  • show that the processing is necessary to achieve it; and
  • balance it against the individual's interests, rights and freedoms: if the individual would not reasonably expect the processing, or it would cause them unjustified harm, their interests are likely to override our legitimate interests.

A record of each legitimate interests assessment (LIA) is kept to help us demonstrate compliance.

Consent, legal obligation and legitimate interests are the three most pertinent bases for health and social care data processing.

Contract, vital interests and public task apply only within specific work settings and would be difficult to rely on, because service providers are subject to specific legislative and regulatory requirements in order to work within a “Regulated Activity”.

The lawful basis must be determined by the organisation before any personal data is processed, and it is vital that thorough consideration is given to this decision. Service users, office staff, suppliers and contractors must be made aware of the lawful basis this organisation uses to process their personal data.

Individual Rights

The GDPR provides the following rights for individuals:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision making and profiling

Not all relevant guidance on individual rights is yet complete; the Article 29 Working Party (WP29), succeeded on 25 May 2018 by the European Data Protection Board (EDPB), continues to produce guidance as thought appropriate. For any individual request falling into the above categories, this organisation will follow the relevant guidance currently available at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/whats-new

Privacy notices, transparency and control

To start with, a privacy notice needs to tell people, as a minimum:

  • who you are
  • what you are going to do with their information
  • who it will be shared with.

Being transparent and providing accessible information is core to compliance with the GDPR, and privacy notices are the most common way to meet its requirements. Transparency, in a governance or business context, is honesty and openness: the more transparent we can be, the more easily understood and accessible our services become to the people who use them. In the context of data processing, it means simply that “it should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed.” (GDPR Recital 39)

Information Commissioner: Role and Function.

With regard to the changes under the GDPR, the national supervisory authorities in all EU member states have had their powers of enforcement enhanced. The I.C.O. is the UK's supervisory authority. Within its enforcement toolbox, the Information Commissioner's Office (the I.C.O.) can now issue substantial fines of up to €20 million, or 4% of an organisation's annual worldwide turnover, whichever is higher, for certain data protection infringements. Fines, when appropriate, are at the discretion of the I.C.O., and considerable variation in the amounts levied is expected. There are no fixed penalties or minimum fines, though there are different maximum fines for different breaches. The GDPR also empowers the I.C.O. to create tailor-made solutions to deal with infringements brought to its attention. This does not mean that organisations can relax about compliance, but diligent small and medium-sized organisations can take comfort in the fact that they are unlikely to face the sort of punitive fines that rogue tech giants could face in order to bring them to heel. Remember: the maximum fine under the old Act (1998) was £500,000, but the highest fine ever imposed under it was £400,000, levied on TalkTalk in 2016 for failings in connection with a cyber-attack. The Information Commissioner herself has played down the “scaremongering because of misconceptions”: £20 million fines could put businesses out of business, and that is not the intention of the GDPR, though there is a seismic shift in the number of fines that could be imposed. The role and scope of the I.C.O. have not fundamentally changed, but rather have been expanded and enhanced by the GDPR.

Codes of Conduct and Certification Mechanisms.

Although the GDPR encourages the use of codes of conduct and certification mechanisms, they are not obligatory. If an approved code of conduct or certification scheme becomes available that covers our processing activity, consideration will be given to working towards it as a way of demonstrating our compliance. The I.C.O. will develop its own codes of conduct, as it has already done in working with the Direct Marketing Commission on its code of conduct (the DMA Code).

Derogations and Exceptions.

The GDPR allows EU member states to provide their own national rules in respect of specific processing activities, and the Act contains the UK's rules. All data controllers must be familiar with the Schedules to the Act (Schedules 1 to 20), as these contain the lawful exemptions pertinent to many other legal frameworks and Acts. The Schedules cover matters such as parliamentary privilege, health and social work, criminal convictions (additional safeguards), research, statistics and archiving, education and child abuse, and include specific provisions for data processing within each Schedule. For example, Schedule 15 (Powers of Entry and Inspection) sets out clearly the powers of the Information Commissioner's Office in relation to warrants issued by the courts, which allow the I.C.O. to enter premises and inspect data held there, including the seizure of documents. Schedule 19 (Minor and Consequential Amendments) is where the legislative changes to all pertinent primary legislation are found, including the repeal of the Data Protection Act 1998. As the Act is embedded into the organisation, the role and responsibilities of data controllers will need to be reviewed and revised to ensure compliance.

Codes of Practice.

The Act enhances the role of the Information Commissioner's Office (I.C.O.) in the compilation of such Codes, and these will be available in due course. It is important that we regularly check the I.C.O. website in order to keep up with current guidance.

Section 2

The Policy

This organisation believes that all data required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained and stored in accordance with the requirements of the Data Protection Act 2018. The General Data Protection Regulation (GDPR) forms the basis of the Act, but in order to be effective and compliant with its requirements, the Related Policies list should be viewed as core to this policy, as should Section 1 and the Related Guidance links.

PLEASE NOTE: All guidance from the ICO should be considered “live documentation” and checked regularly until all Codes of Practice and guidance are issued. The Article 29 Working Party (WP29) was the representative body of the data protection authorities of the EU member states that produced the early guidance on the GDPR; on 25 May 2018 it was replaced by the European Data Protection Board (EDPB), which continues that work, and the ICO's guidance is updated as the complexities of the Act are clarified.

Lawful Bases

After due consideration, this organisation has determined that the following lawful bases are used in the collection of data:

(a) Consent: the individual has given clear consent for us to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone's life.

(e) Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if we are a public authority processing data to perform our official tasks.)

Data Protection Principles

The GDPR sets out six principles, together with the accountability principle in Article 5(2), which must be adhered to when processing data. Please refer to the Related Guidance links for further information. This organisation is responsible for meeting these principles, which require that personal data shall be:

a) Processed lawfully, fairly and in a transparent manner in relation to individuals;

b) Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;

c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

d) Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

e) Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals; and

f) Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

“The controller shall be responsible for, and be able to demonstrate, compliance with the principles.” Article 5(2) GDPR

Individual Rights

There are several changes here, in particular to the right of access in relation to timescales and fees: a subject access request must normally be answered within one month, and in most cases no fee can be charged. These must be fully understood in relation to anyone submitting a subject access request. Please refer to the related Guidance link.

The GDPR provides the following rights for individuals:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision making and profiling

Each of the above rights has its own best practice process, which you will find here: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf

Privacy Notices

The GDPR expands what we must tell individuals about data processing. A privacy notice is an accessible information declaration which sets out clearly how we gather, use, handle, store and process personal data. The ICO's privacy notices code uses the term “privacy notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people's expectations about personal data are changing, particularly through the use of social media and mobile apps and the willingness of the public to share personal information via these platforms. However, as an organisation we are increasingly aware of the fragile trust which can easily be broken by data breaches, and we therefore seek transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency and control become a given for users. Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:

  • What information is being collected?
  • Who is collecting it?
  • How is it collected?
  • Why is it being collected?
  • How will it be used?
  • Who will it be shared with?
  • What will be the effect of this on individuals concerned?
  • Is the intended use likely to cause individuals to object or complain?

The privacy notice must be easily understood by users of the service and include all of the above; it must also be easily visible, so in this organisation it will be displayed on our website.

Privacy and Electronic Communications Regulations (PECR)

The Privacy and Electronic Communications Regulations (PECR), on which the ICO issues guidance, specifically cover electronic marketing messages, i.e. by phone, fax, email or text, and the use of cookies. They introduce specific rules on keeping such communication services secure and on users' privacy in regard to traffic and location data, itemised billing, line identification and directory listings.

The Data Protection Act 2018 still applies if you are processing personal data. PECR sets out some extra rules for electronic communications; please be mindful that electronic scheduling systems that send text or email messages to service users will also come under PECR.

Data Protection By Design

This organisation has a general obligation to implement appropriate technical and organisational measures to show that we have considered the principles of data protection in our processing activities.
Any new system of work or change to our operational processes will involve consideration of how, by default, we as an organisation will have the necessary safeguards in place to prevent personal data from being made available to others without the consent of the person concerned.

Reporting Breaches: GDPR or DPA 2018 personal data breach

A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data. If we experience a personal data breach we need to consider whether it poses a risk to people, i.e. the likelihood and severity of the risk to people's rights and freedoms following the breach. If, having made this assessment, it is likely that there will be a risk, then we must notify the ICO within 72 hours of becoming aware of the breach; if it is unlikely, we do not have to report it, although every breach, reported or not, must be recorded internally together with the reasons for the decision. Where the breach is likely to result in a high risk to individuals, those individuals must also be told without undue delay. Not every breach needs to be reported to the ICO. To help assess the severity of a breach, the ICO has published examples taken from various breaches reported to it, together with helpful advice about next steps to take or things to think about.
Data breach examples and ICO advice can be found at:
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breach-examples/
The ICO also provides a self-assessment tool to help those seeking advice about a breach to analyse it safely and effectively and identify their obligations:
https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach-assessment/

File Retention

The GDPR does not prescribe fixed retention periods for files or archives; the storage limitation principle requires that personal data be kept no longer than necessary for the purposes for which it is processed, and health and social care records have their own retention rules. As a provider of services, we follow the file retention guidelines set by our regulators, including the CQC and the NHS, and by local authorities via the service specification within any contractual arrangements. A periodic check of the regulators' guidance should be part of the review of this policy.

Compliance

In order to meet the requirements of the Act, a thorough knowledge of the guidance should be the priority for the data controller. It is also important that the Act is placed in the context of other compliance requirements, namely the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and all other legal requirements, such as Regulation 18 (Staffing), to name but one. In recognition of the complexities of the Act, the ICO has set up an advice service for small organisations: https://ico.org.uk/global/contact-us/advice-service-for-small-organisations

Changes to Our Policy

This policy has been updated to include the changes introduced by the General Data Protection Regulation (GDPR), which came into force on 25 May 2018. This policy will be reviewed tri-annually and updated when required.

Related Polices

  • Adult Safeguarding
  • Accessible Information and Communication
  • Access to Records
  • CCTV
  • Confidentiality
  • Consent
  • Cyber Security
  • Duty of Candour
  • Record Keeping

Training Statement

All staff are made aware of Constantia Care's policies and procedures during induction, and all of these are used in training updates. All policies and procedures are reviewed and amended where necessary, and staff are made aware of any changes. Observations are undertaken to check skills and competencies. Various methods of training are used, including one-to-one, online, workbook, group meetings and individual supervisions, and external courses are sourced as required.

Contacting Us and Complaints

If you have any questions about this privacy policy, you may contact us by email at info@constantiacare.co.uk

If you have any concerns about our use of your information, you also have the right to make a complaint to the Information Commissioner’s Office, which regulates and supervises the use of personal data in the UK, via its helpline on 0303 123 1113

04/04/2022

Appendix 1 - Privacy Notice

PRIVACY NOTICE

Introduction

This is Constantia Care Ltd.’s Privacy Notice.
As part of the services we offer, we are required to process personal data about our staff, our clients and, in some instances, the friends or relatives of our clients and staff. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.
We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.
If you have any concerns or questions please contact us on 0207 624 9966 or via email to info@constantiacare.co.uk

Clients

What data do we have?
So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:
• Your basic details and contact information e.g. your name, address, date of birth and next of kin;
• Your financial details e.g. details of how you pay us for your care or your funding arrangements.
We also record the following data which is classified as “special category”:
• Health and social care data about you, which might include both your physical and mental health data.
• We may also record data about your race, ethnic origin, sexual orientation or religion.
Why do we have this data?
We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.
We process your data because:
• We have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.
We process your special category data because:
• It is necessary due to social security and social protection law (generally this would be in safeguarding instances);
• It is necessary for us to provide and manage social care services;
• We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
Where do we process your data?
So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:
1. You or your legal representative(s);
2. Third parties.
We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.
Third parties are organisations we might lawfully share your data with. These include:
• Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals;
• The Local Authority;
• Your family or friends – with your permission;
• Organisations we have a legal obligation to share information with, e.g. for safeguarding purposes or with the CQC;
• The police or other law enforcement agencies if we have to by law or court order.

Office Staff & Freelance Carers

What data do we have?
So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:
• Your basic details and contact information e.g. your name, address, date of birth, National Insurance number and next of kin;
• Your financial details e.g. details so that we can pay you, insurance, pension and tax details;
• Your training records.
• A record of whether we have checked your vaccination status or your exemption status.
We also record the following data which is classified as “special category”:
• Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/paternity pay;
• We may also, with your permission gained at assessment, record data about your race, ethnic origin, sexual orientation or religion.
As part of your application you may – depending on your job role – be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We do not keep this data once we’ve seen it but record the DBS number and reapply every 3 years.
Why do we have this data?
We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.
We process your data because:
• We have a legal obligation under UK employment law;
• We are required to do so in our performance of a public task;
• We have a legitimate interest in processing your data – for example, we provide data about your training to Skills for Care’s Adult Workforce Data Set, this allows Skills for Care to produce reports about workforce planning.
• We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations. This includes a record that we have checked that you are either vaccinated or exempt.
We process your special category data because
• It is necessary for us to process requests for sick pay or maternity pay.
If we request your criminal records data it is because we have a legal obligation to do this due to the type of work you do. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any). We do record that we have checked this.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Where do we process your data?
As your employer or registered agency, we need specific data. This is collected from or shared with:
1. You or your legal representative(s);
2. Third parties.
We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.
Third parties are organisations we have a legal reason to share your data with. These include:
• Her Majesty’s Revenue and Customs (HMRC);
• Our pension and healthcare schemes, including Nest;
• Our external payroll provider, AFE Accountants Ltd;
• Organisations we have a legal obligation to share information with, e.g. for safeguarding purposes or with the CQC;
• The police or other law enforcement agencies if we have to by law or court order;
• The DBS service, Hoople Ltd.

Friends/Relatives

What data do we have?
As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:
• Your basic details and contact information e.g. your name and address.
Why do we have this data?
By law, we need to have a lawful basis for processing your personal data.
We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.
We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Where do we process your data?
So that we can provide high quality care and support we need specific data. This is collected from or shared with:
1. You or your legal representative(s);
2. Third parties.
We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.
Third parties are organisations we have a legal reason to share your data with. These may include:
• Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals;
• The Local Authority;
• The police or other law enforcement agencies if we have to by law or court order.

Our Website

www.constantiacare.co.uk
In order to provide you with the best experience while using our website, we process some data about you.

Your rights

The data that we keep about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:
1. You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service;
2. You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request;
3. You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Information Governance Alliance’s guidelines (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016)
4. You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
5. You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
6. If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.
You may need to provide adequate information for our staff to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
If you would like to complain about how we have dealt with your request, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
https://ico.org.uk/global/contact-us/