privacy

GENERAL DATA PROTECTION REGULATION (GDPR)

Policy Statement

Castlemeadow Care is committed to being transparent and open about why personal data is required and how this is managed. This privacy notice explains your rights regarding the data opt-out policy, how data is collected, used, retained and disclosed in line with UK data protection laws.

Business details

This is the privacy notice of Castlemeadow Care.

Our registered office is at Lincoln House, Dereham Road, Swanton Morley, Dereham, Norfolk, NR20 4LT.

Castlemeadow Care is registered with the Care Quality Commission to provide accommodation and personal care with or without nursing.

Castlemeadow Care is also registered as data processor with the Information Commissioner’s Office (ICO).

Aims of this notice

As part of the services we offer, we are required to process personal data about our employees, our residents and, in some instances, the friends or relatives of our residents and staff. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

What personal information we collect, why and where we collect it and for what purposes

RESIDENTS

What data do we have?

As a registered care provider, to allow us to provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:

Your basic details and contact information e.g. your name, address, date of birth and next of kin;
Your financial details e.g. details of how you pay us for your care or your funding arrangements

We also record the following data which is classified as “special category”:

Health and social care data about you, which might include both your physical and mental health data
We may also record data about your race, ethnic origin, sexual orientation or religion.

Why do we have this data?

We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

We have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.

We process your special category data because:

It is necessary due to social security and social protection law (generally this would be in safeguarding instances);
It is necessary for us to provide and manage social care services;
We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses)
We have a legal requirement to collect, share and use the data
The public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).

Where do we process your data?

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

You or your legal representative(s);
Third parties.

We do this face to face, via phone, via email, via our website, via social media, via post, via application forms, any other means of communication with you whether verbal, physical or electronic.

Third parties are organisations we might lawfully share your data with. These include:

Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals;
The Local Authority;
Your family or friends – with your permission;
Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC;
The police or other law enforcement agencies if we have to by law or court order.

Personal information that becomes inactive, e.g. from enquiries or prospective users who do not enter the service is also kept securely for as long as it is needed, before being safely disposed of.

EMPLOYEES AND VOLUNTEERS

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:

Your basic details and contact information e.g. your name, address, date of birth, National Insurance Number and next of kin;
Your financial details e.g. details so that we can pay you, insurance, pension and tax details
Your recruitment and training records

We also record the following data which is classified as “special category”:

Health and social care data about you, which might include both your physical and mental health data – we will only collect this if necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/ paternity pay;
We may also, with your permission, record data about your race, ethnic origin, sexual orientation and religion.

As part of your application you are required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We keep a record of your criminal records information for limited time only.

Why do we have this data?

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

We have a legal obligation under UK employment law;
We are required to do so in our performance of a public task;
We have a legitimate interest in processing your data – for example, we provide data about your training to Skills for Care’s Adult Workforce Data Set, this allows Skills for Care to produce reports about workforce planning.
We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We process your special category data because

It is necessary for us to process requests for sick pay or maternity pay.

If we request your criminal records data it is because we have a legal obligation to do this due to the type of work you do. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We keep a record of your criminal records information for limited time only and we do record that we have checked this.

Where do we process your data?

As your employer we need specific data. This is collected from or shared with:

You or your legal representative(s);
Third parties.

We do this face to face, via phone, via email, via our website, via social media, via post, via application forms, any other means of communication with you whether verbal, physical or electronic.

Third parties are organisations we have a legal reason to share your data with. These include:

Her Majesty’s Revenue and Customs (HMRC);
Our pension and healthcare schemes provide details of external companies providing this resource;
External organisations which provide us with services e.g. HR support, recruitment support, benefits for our employees;
Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC;
The police or other law enforcement agencies if we have to by law or court order.
The DBS Service provided by U - Check

FRIENDS AND RELATIVES

What data do we have?

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

Your basic details and contact information e.g. your name and address.

Why do we have this data?

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.

Where do we process your data?

So that we can provide high quality care and support we need specific data. This is collected from or shared with:

You or your legal representative(s);
Third parties.

We do this face to face, via phone, via email, via our website, via social media, via post, via application forms, any other means of communication with you whether verbal, physical or electronic.

Third parties are organisations we have a legal reason to share your data with. These may include:

Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals;
The Local Authority;
The police or other law enforcement agencies if we have to by law or court order.

THIRD PARTIES

All personal information obtained about others associated with the delivery of the care service, including contractors, visitors, etc. will be protected in the same ways as information on residents and employees.

How we keep your information safe

Castlemeadow Care has a range of policies and procedures that enable us to comply with all data protection requirements. Our policies and procedures cover:

Access to Employee Data
Compliments and Complaints
Computer Security
Confidentiality of Residents’ Information
Consent to Care and Treatment
Data Protection
Record Keeping
Information Governance under the General Data Protection Regulation
Protecting Personal Data under the General Data Protection Regulation
Recruitment and Selection
Residents’ Access to Records
Sharing Information with Other Providers.

National Data Opt-Out

The national data opt-out gives everyone the choice to stop health and social care organisations sharing their “confidential patient information” with other organisations where it is used for reasons beyond individual treatment and care, such as research and planning purposes.

The term “confidential patient information” is used as the NHS do and where the opt-out is in force. In this context “confidential patient information” relates to information about service users’ health or social care that may identify them.

Adult Social Care providers, in line with your wishes and the national data opt-out, are required to apply national data opt-outs to use or disclose confidential patient information for purposes other than your direct care.

As a care service, we have an obligation to inform you about your right to choose regarding opting out of data sharing and are clear about how and when such a preference has been applied and a record of any decision regarding data opt-out kept.

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

How do we store your personal information?

Your information is securely stored for the time periods specified in the “Records Management Code of Practice”. We will then dispose of the information as recommended by the Records Management Code for example we will:

securely dispose of your information by shredding paper records via our nominated external contractor with appropriate confirmation of this kept on file or wiping hard drives to legal standards of destruction;
archive your information at safe locations

How personal information held by the care provider can be accessed

There are procedures in place to enable any resident, employee, volunteer, relative, friend or third party whose personal information we possess and might process in some way to have access to that information on request. The right to access includes both the information and any uses which we might have made of the information.

How we keep our privacy policies up to date

The staff appointed to control and process personal information in our organisation are delegated to assess all privacy risks continuously and to carry out reviews of our data protection policies, procedures and protocols at least annually.

Our website

In order to provide you with the best experience while using our website, we process some data about you.

More information can be found on our website: www.castlemeadowcare.co.uk.

Your Rights

The data that we keep about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:

You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service, unless you are asking for a large amount of information and/ or your request will take a lot of time and effort to process, in which case, we will charge an administrative cost;
You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request;
You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Company’s Record and Record Keeping Policy.
You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.
Lodge a complaint with a supervisory authority.

You may need to provide adequate information for our staff to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.

However, please note that these rights are not absolute, and may be subject to our own legitimate interests and regulatory requirements.

If you wish to exercise any of the aforementioned rights, or receive more information, please contact our Data Security and Protection Lead (“DSPL”) using the details provided below:

Mr. Nick Huggins

Postal Address: Lincoln House, Dereham Road, Swanton Morley, Dereham, Norwich, NR20 4LT Email: GDPR@castlemeadow.co.uk

If you feel care services have not complied with requirements regarding your personal data rights, a complaint can be submitted to the Information Commissioner’s Office:

Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF https://ico.org.uk/global/contact-us/

Email: GDPR@castlemeadow.co.uk

Written by: Viktor Zak

Approved by: DSPT Working Group

Date of first issue: March 2024

St John's House, Norwich The Paddocks, Swaffham The Mayfields, Long Stratton

Lincoln House, Dereham Wyndham House, North Wootton Highfield House, Halesworth

Our Privacy Policy

Sitemap