Privacy Notice
The General Data Protection Regulation (GDPR) builds on the Data Protection Act 1998 so as to encompass a more contemporary remit, given the socio-technological change that pervades everyday life. This policy and procedure is framed on the Information Commissioner’s Office’s (ICO) ‘12 Steps to Take Now’ and is specific to the context of the Spa Residential Home. It will establish compliance with these new regulations, and in so doing will cover the following 12 steps: awareness; information you hold; communicating privacy information; individuals’ rights; subject access requests; lawful basis for processing personal data; consent; children; data breaches; data protection by design and data protection impact assessments; data protection officers; and international. It is important at this point to stress that not all of the 12 steps will be applicable to Spa Residential Home Ltd.; however, these will be signposted accordingly.
Business Details
This is the Privacy Notice of Spa Residential Home Ltd. Our Registered Office is at Spa Residential Home, Temple Street, Llandrindod Wells, LD1 5HG. Spa Residential Home is registered with the Care Inspectorate Wales (CIW) to provide accommodation and personal care to persons over the age of 65 who may also be Elderly Mentally Infirm.
Data Protection Officer: Bradley Smith
Data Controller: Lewis Smith
01597 822020
What Does This Notice Cover?
This privacy information is to inform you of how we use your personal data: how it is collected, held and processed. It also explains your rights under the law relating to your personal data.
What is Personal Data?
The Information Commissioner’s Office defines Personal Data as “Information that relates to an identified or identifiable individual”. This can include both:
• Basic Personal Data - Such as name, address, date of birth and contact details
• Sensitive Personal Data - Such as criminal convictions and offences data. Due to the nature of such sensitive data, it is processed in more limited circumstances. The personal data that we use is explained in a later section.
What are My Rights?
• The right to be informed about the collection and use of your personal data.
• The right of access to your personal data via a subject access request.
• The right to rectification of inaccurate personal data.
• The right to erasure of personal data; this is also known as ‘the right to be forgotten’.
• The right to request the restriction or suppression of your personal data.
• The right to data portability, meaning you can obtain and reuse your personal data across different companies and services.
• The right to object to the processing of your personal data in certain circumstances e.g. Direct Marketing.
• The right not to be subject to automated decision-making including profiling.
Further information about your rights can be obtained from the Information Commissioner’s Office (ICO).
If you have any cause for complaint regarding the way we use your data, complaints can be made to the Information Commissioner’s Office (ICO).
What Personal Data Do You Collect?
Based on your relationship with us we may collect some or all of the following personal data:
• Basic personal information, such as name, address, date of birth and contact details;
• Financial information, including account and transactional information and history;
• Information about you and your family (such as illnesses, dependents, medication, marital status, next of kin and contact details);
• Visual images (such as driver’s licence, passport or other form of ID);
• Information received from other sources, such as health care providers;
• Information on services you have received from us;
• Our correspondence with you.
Service Users – As a Care Provider, it is necessary that we collect some personal data about our Service Users, including personal health and financial information, which is essential to our being able to provide effective care and support. The information is contained in individual files (manual and electronic) and other record systems, all of which are subject to strict security and authorised access policies.
This information comes from a variety of sources, such as: the Service User themselves; family members or friends; Medical Practice; Hazels; District Nurses; Social Workers; Advocates; and Hospitals. The information is shared ostensibly to enhance the wellbeing of the Service Users residing at the Spa Residential Home in line with the Social Services and Wellbeing Act 2014 e.g. ‘PART 3 - ASSESSING THE NEEDS OF INDIVIDUALS’; ‘PART 4 - MEETING NEEDS’; ‘PART 7 - SAFEGUARDING’; ‘PART 9 - CO-OPERATION AND PARTNERSHIP’; ‘PART 10 – COMPLAINTS, REPRESENTATIONS AND ADVOCACY SERVICES’, as well as the Regulation and Inspection of Social Care (Wales) Act 2016. Accordingly: only persons with legitimate access to information, based upon the purpose for which it was intended, may access such information; information is held in such a way that it is secure enough to prevent anyone without legitimate access from accessing it; and any person on whom Spa Residential Home Ltd. keeps personal data is entitled to see that information, whether it is held manually or on computer, and may request that it be amended or removed.
Employees and volunteers – Following a Recruitment Policy in line with regulations, personal information is obtained, including: CVs; references; date of birth; Next of Kin; NI number; DBS certificate; certificates and qualifications; telephone number; address; contract of employment; and photocopies of driver’s licence and passport. All information is securely kept, retained and disposed of in line with GDPR. Upon entering a working contract, all employees are made aware of their right to access any information held about them.
This information comes from a variety of sources: the staff member themselves; referees; and Disclosure Services. The information is only accessible to the management of the Spa Residential Home; Regulatory Bodies; and the staff member themselves, should they request to view it. This information is required, ostensibly, to prove that the individual has the capacity and competence to provide personal care for Service Users at the Spa Residential Home to a satisfactory standard, and to assure that every possible step has been taken to ameliorate the risk of harm to Service Users, i.e. enhanced DBS checks and reference checks, as integrated within the Safeguarding Vulnerable Groups Act 2006 as well as the interrelated umbrella legislation: the Social Services and Wellbeing Act 2014 and the Regulation and Inspection of Social Care (Wales) Act 2016.
Visitors – All personal information obtained about visitors, including name, phone number and relationship to the Service User, will be protected in the same way as information on Service Users and Employees, as well as in accordance with current fire regulations.
How We Collect Information
The majority of personal information in relation to Service Users, employees and third parties is obtained directly from them through form filling, primarily manually but also electronically through contact forms found on our website.
More information regarding Service Users may be obtained through assessments and consultations, as well as from other regulatory bodies such as Medical Practices, District Nurses, Social Workers and Advocates in the process of agreeing care; all the information shared is strictly confidential, with authorised access only.
Employees’ personal information is obtained directly and with consent via references, CVs and criminal records (DBS) checks. During the recruitment process, we seek applicants’ full consent to obtain all necessary information needed to decide whether to employ them.
All personal information obtained to meet our regulatory requirements is in line with data protection and confidentiality policies.
How Do You Use My Personal Data?
Under data protection requirements we must always have a lawful basis for using your personal data. As mentioned previously, data is necessary for conducting business and providing a duty of care to Service Users and employees. Your personal data may be used for any of the following purposes:
• Managing accounts;
• Supplying our services to you; personal details are needed to enter into a contract with you;
• Communicating with you via email, phone calls and post;
• Adhering to contemporary legislation.
How Long Will You Keep My Personal Data?
Following the Data Protection Act and relevant legislation, any data that becomes inactive is kept for as long as is necessary before being disposed of in a safe and confidential manner. The following periods can be used as guidance for how long specific data is kept:
• Employees’ financial information, such as P60s and P45s – 6 years;
• Service Users’ medical information – 3 years;
• Service Users’ sensitive information – 3 years.
How and Where Do You Store or Transfer My Personal Data?
The security of your personal data is essential to us. As mentioned previously, all manual information is stored securely with authorised access only, while electronic information is protected through strong passwords and encryption in compliance with data protection security requirements.
All data is protected by one or more of the following:
• All personal data is secured, encrypted with authorised access only;
• Data is not processed for any purpose other than agreed upon in our terms and conditions;
• Data is protected from loss.
If personal data is ever transferred to an outside body, e.g. Deprivation of Liberty Safeguards (DoLS), it will be encrypted and will comply with data protection policies.
Do You Share My Personal Data?
Personal information of Service Users, employees and others is only shared with their consent, on a “need to know” basis.
It is a requirement that confidential information obtained in the course of professional practice must not be disclosed without the consent of the Service User, or of a person who is legally entitled to act on their behalf, except where disclosure is required by law or is in the public interest or the Service User’s medical interest. This is exemplified in the Spa’s ‘Service User Guide’, which is provided to Service Users upon admission, and is also exemplified within the Spa’s contract with Powys County Council. Information held regarding Service Users will be retained for up to three years following departure from the Spa Residential Home or death, and information on staff will be retained for up to seven years, before being destroyed either via shredding receptacles or via secure deletion if in electronic format.
In limited circumstances, we may be legally required to provide personal information; this could be in relation to safeguarding or a criminal offence.
Lawful Basis for Processing Personal Data
The information is ostensibly processed to enhance the wellbeing of the Service Users residing at the Spa Residential Home in line with the Social Services and Wellbeing Act 2014 e.g. ‘PART 3 - ASSESSING THE NEEDS OF INDIVIDUALS’; ‘PART 4 - MEETING NEEDS’; ‘PART 7 - SAFEGUARDING’; ‘PART 9 - CO-OPERATION AND PARTNERSHIP’; ‘PART 10 – COMPLAINTS, REPRESENTATIONS AND ADVOCACY SERVICES’, as well as the Regulation and Inspection of Social Care (Wales) Act 2016. Accordingly: only persons with legitimate access to information, based upon the purpose for which it was intended, may access such information; information is held in such a way that it is secure enough to prevent anyone without legitimate access from accessing it; and any person on whom Spa Residential Home Ltd. keeps personal data is entitled to see that information, whether it is held manually or on computer, and may request that it be amended or removed.
Further, information regarding staff is processed, ostensibly, to prove that the individual has the capacity and competence to provide personal care for Service Users at the Spa Residential Home to a satisfactory standard, and to assure that every possible step has been taken to ameliorate the risk of harm to Service Users, i.e. enhanced DBS checks and reference checks, as integrated within the Safeguarding Vulnerable Groups Act 2006 as well as the interrelated umbrella legislation: the Social Services and Wellbeing Act 2014 and the Regulation and Inspection of Social Care (Wales) Act 2016.
With respect to employees, upon signing a contract they are agreeing to comply with all of the Spa Residential Home’s Policies and Procedures, including this one, which is exemplified by point ‘10’. With regard to Service Users, they are agreeing to have their relevant data obtained, held and processed in accordance with this policy and procedure when they, or their PoA for Health and Social Care, sign their contract prior to their admission.
How Can I Access My Personal Data?
If you have any concerns about what data we hold, you can ask us for a copy of the personal data we hold about you. This is known as a “Subject Access Request” (SAR).
All subject access requests should be made in writing and emailed or posted to the address seen in section 12.
Spa Residential Home reserves the right to refuse a request if it is manifestly unfounded or excessive, or if it does not relate to the professional context and/or the Service User’s wellbeing. However, if we refuse, we will inform you why, and that you have the right to complain to the supervisory authority and to seek a judicial remedy.
We will respond to your subject access request within 14 days; however, depending on the complexity of your request, the timeframe may increase to 1 month.
Consent is: “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. Service Users, or a person who is legally entitled to act on their behalf, are required to read and sign a Service User contract which states the grounds on which information is obtained, collated and shared, in line with the GDPR. Staff consent via their Contract of Employment upon signing.
Not applicable to Spa Residential Home Ltd. at the time of writing.
Data Breaches
Should a data breach be detected, and it is likely to result in a risk to the rights and freedoms of individuals (such as discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage), the Spa Residential Home will notify the ICO, the local authority, and the individual(s) it pertains to.
Data Protection by Design and Data Protection Impact Assessments
The Spa Residential Home utilises a Privacy by Design approach, whether through the use of secure email portals, computers protected by anti-virus software, or even self-locking cupboards, such as the one located in the staff room that holds Service User records. This removes the complacency factor, which is a major cause of data protection breaches throughout the UK.
The DPIA is not applicable to Spa Residential Home Ltd. at the time of writing.
Not applicable to Spa Residential Home Ltd. at the time of writing.