We are committed to safeguarding the privacy of our customers and website visitors; this policy sets out how we will treat your personal information.
What information do we collect?
We may collect, store and use the following kinds of personal information:
information about your computer and about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation);
information relating to any transactions carried out between you and us on or in relation to this website, including information relating to any purchases you make of our goods or services (including booking a carer through the Company Platform); such information is held with your consent or for operational purposes that serve our legitimate business interests, such as fulfilling our contractual obligations to you;
information that you provide to us for the purpose of registering with us (including your name, address and email address);
information that you provide to us for the purpose of subscribing to our website services, email notifications and/or newsletters (including your name and email address);
any other information that you choose to send to us; and other information.
Cookies
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.
We may use both “session” cookies and “persistent” cookies on the website. Session cookies will be deleted from your computer when you close your browser. Persistent cookies will remain stored on your computer until deleted, or until they reach a specified expiry date.
We will use the session cookies to: keep track of you whilst you navigate the website; keep track of your bookings; prevent fraud and increase website security; and other uses. We will use the persistent cookies to: enable our website to recognise you when you visit; keep track of your preferences in relation to your use of our website; and other uses.
Our payment services providers may also send you cookies.
Using your personal information
We may use your personal information to:
administer the website;
improve your browsing experience by personalising the website;
enable your use of the services available on the website;
supply to you services purchased via the website;
send statements and invoices to you, and collect payments from you;
send you general (non-marketing) commercial communications necessary for providing services that you have requested;
send you email notifications which you have specifically requested;
send you our newsletter and other marketing communications relating to our business which we think may be of interest to you, by post or, where you have specifically agreed to this, by email or similar technology (and you can inform us at any time if you no longer require marketing communications);
deal with enquiries and complaints made by or about you relating to the website;
keep the website secure and prevent fraud;
verify compliance with the terms and conditions governing the use of the website (including monitoring private messages sent through our website private messaging service); and other uses.
Where you submit personal information for publication on our website, we will publish and otherwise use that information in accordance with the licence you grant to us.
We will not provide your personal information to any third parties unless in relation to fulfilling our contractual obligations to you (for example, invoicing).
In addition, we may disclose your personal information:
to the extent that we are required to do so by law;
in connection with any ongoing or prospective legal proceedings;
in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk);
to any person who we reasonably believe may apply to a court or other competent authority for disclosure of that personal information where, in our reasonable opinion, such court or authority would be reasonably likely to order disclosure of that personal information.
International data transfers
Information which you provide may be transferred to countries (including the United States and Japan) which do not have data protection laws equivalent to those in force in the European Economic Area.
In addition, personal information that you submit for publication on the website will be published on the internet and may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
You expressly agree to such transfers of personal information.
Security of your personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
All electronic transactions entered into via the website will be protected by encryption technology.
You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
You may instruct us to provide you with any personal information we hold about you. Provision of such information will be subject to:
the payment of a fee (currently fixed at £5); and
the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).
We may withhold such personal information to the extent permitted by law.
You may instruct us not to process your personal information for marketing purposes by sending an email to us at email@example.com. In practice, you will usually either expressly agree in advance to our use of your personal information for marketing purposes, or we will provide you with an opportunity to opt out of the use of your personal information for marketing purposes.
Third party websites
The website contains links to other websites. We are not responsible for the privacy policies or practices of third party websites.
Please let us know if the personal information which we hold about you needs to be corrected or updated.
If you have any questions regarding the Terms of Service or the Service, please contact us at firstname.lastname@example.org or by mail at:
Friends Helping at Home Ltd., Registered Office, 220 Torquay Road, Manor Corner, Paignton, TQ3 2HN
General Data Protection Regulation (GDPR) Policy
Friends Helping at Home believes that all data required for the delivery of the service and the lawful running of the organisation must be collected, handled, maintained and stored in accordance with the requirements of the Data Protection Act 2018.
The General Data Protection Regulation (GDPR) forms the basis of the Act. To be effective and compliant with its requirements, the Related Policy list should be viewed as core to this policy, as should Section 2 and the Related Guidance links.
PLEASE NOTE: All guidance from the ICO should be treated as “live documentation” and checked regularly until all Codes of Practice and Guidance have been issued. The Article 29 Working Party (WP29) was the body of representatives of each EU member state's supervisory authority that produced much of the guidance on the GDPR; on 25 May 2018 it was replaced by the European Data Protection Board (EDPB), which continues to clarify and update that guidance.
After due consideration this organisation has determined that the following Lawful Bases are used in the collection of data
- Consent: the individual has given clear consent for us to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked us to take specific steps before entering into a contract.
- Legal Obligation: the processing is necessary for us to comply with the law (not including contractual obligations) and in line with the guidance of the CQC regulations.
- Vital Interests: the processing is necessary to protect someone’s life.
- Public Task: the processing is necessary for us to perform a task in the public interest, or for official functions and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (Does not apply if a public authority is processing data to perform its official tasks).
Data Protection Principles
The Data Protection Act 1998 set out eight principles; the GDPR replaces these with six principles, together with an overarching accountability principle under which this organisation must be able to demonstrate compliance. Please refer to the Related Guidance links for further information. The GDPR principles for which this organisation is responsible require that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes (further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes);
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Accurate and where necessary, kept up to date, every reasonable step must be taken that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer purposes in so far as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the appropriate technical and organisational measures required by the GDPR (the safeguards) in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Individual Rights
There are several changes here, in particular to the Right of Access in relation to timescales and fees: a subject access request must now normally be answered within one month and, in most cases, free of charge. These changes must be fully understood by anyone handling a Subject Access Request. Please refer to the related Guidance Link.
The GDPR provides the following rights for individuals:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights in relation to automated decision making and profiling
Each of the above rights has its own Best Practice Process which you will find here
Privacy Notice
This is a new requirement for data processing: an accessible information declaration which sets out clearly how we will gather, use, handle, store and process personal data.
The Code uses the term “Privacy Notice” to describe all the privacy information that you make available or provide to individuals when you collect information about them. It is often argued that people’s expectations about personal data are changing, particularly through the use of social media, the use of mobile apps and the willingness of the public to share personal information via these platforms.
However, Friends Helping at Home is increasingly aware of the fragile trust which can easily be broken through data breaches, and is therefore seeking transparency as a means of building trust and confidence with users of our services. It is the spirit of the Act that privacy, transparency and control become a given for users.
Being transparent by providing a privacy notice is an important part of fair processing. When planning a privacy notice, we need to consider the following:
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on individuals concerned?
- Is the intended use likely to cause individuals to object or complain?
The Privacy notice must be easily understood by users of the service and include all of the above, it must also be easily visible so in this organisation it will be displayed on our Friends Helping at Home Website: https://friendshelpingathome.co.uk/ and issued at Assessment Stage for clients and Recruitment stage for self-employed carers.
Privacy and Electronic Communications Regulations (PECR)
The Data Protection Act 2018 still applies if you are processing personal data. PECR sets out some extra rules for electronic communications; please be mindful that electronic scheduling systems will also come under PECR.
Files and Retention
The GDPR sets out rules on file retention, including archiving: the storage-limitation principle allows longer retention only where data are kept for archiving in the public interest, research or statistical purposes with appropriate safeguards. Health and social care records are in addition subject to sector-specific retention requirements.
As a provider of services Friends Helping at Home, file and retention guidelines are in place to make sure we are complying within the guidelines set by certain regulators which includes CQC and the NHS as well as Local Authorities via the Service Specification within any contractual arrangements.
A periodic check of the Regulator’s Guidance should be part of the review of this policy.
In order to meet the requirements of the Act, a thorough knowledge of the Guidance should be the priority for the Data Controller, who is Andrew Richardson.
It is also important that the Act is placed in the context of other compliance requirements, namely the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 and all other lawful requirements, such as Regulation 18 (Staffing), to name but one.
In recognition of the complexities of the Act, the ICO has set up an advice service for small organisations. https://ico.org.uk/global/contact-us/advice-service-for-small-organisations/
Related Policies
- Accessible Information and Communication
- Access to Records
- Duty of Candour
Related Guidance
- Smaller Organisations ICO https://ico.org.uk/for-organisations/business/
- Your privacy Notice Checklist https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-notices-transparency-and-control/your-privacy-notice-checklist/
- Guide to the General Data Protection Regulations (GDPR) https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
- Guide to the Privacy and Electronic Communications May 2016 Regulations https://ico.org.uk/media/for-organisations/guide-to-pecr-2-3.pdf
- Records Management Code of Practice for Health and Social Care 2016 https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
- ICO Code of practice on privacy notices, transparency and control
- ICO Data protection Self-Assessment https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/
- Direct Marketing Guidance https://ico.org.uk/media/for-organisations/documents/1555/direct-marketing-guidance.pdf
- Data Protection Fees Information Commissioner https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2018/02/new-model-announced-for-funding-the-data-protection-work-of-the-information-commissioner-s-office/
- Example of Privacy Notice https://www.johnlewis.com/customer-services/shopping-with-us/privacy-notice
- Guide to privacy and Electronic Communications Regulations (PECR) https://ico.org.uk/for-organisations/guide-to-pecr/
Training
All Directors, Branch Managers and Self-Employed carers must be made aware of the changes to the data protection legislation during their induction. All relevant identified posts must have specific training on the requirements now placed on organisations. The Data Controller is responsible for cascading any training.
Review
This policy has been updated to include the changes implemented by the General Data Protection Regulation (GDPR), in force from 25/5/2018. This policy will be reviewed tri-annually and updated when required.
Background
On 25 May 2018 the new Data Protection Act 2018, which is based on the General Data Protection Regulation (GDPR), replaced the Data Protection Act 1998 in its entirety. It replaces the existing data protection laws to make them fit for a digital age in which ever-increasing amounts of personal data are processed. The Act sets new standards for protecting personal data, gives people more control over the use of their data and assists in the preparation for a future outside the EU.
The Act provides, among other matters, for:
- General Data Processing
- Law Enforcement Data processing
- Data Processing for National Security Purposes
All of the above need to be set in the context of international, national and local data processing systems which are increasingly dependent upon internet usage for exchange and transit of data. The UK must lock into international data protection arrangements, systems and processes and this Act updates and reinforces the mechanism to enable this to take place.