Privacy policy for residents and service providers
This privacy policy provides guidance about the personal data that we collect, why we collect it and what we do with it.
We recognise the privacy and security of personal data is of great importance to our residents, their families and friends, our staff and others such as GPs, independent service providers and all those involved in looking after the welfare of our residents.
Our privacy policy is governed by the principle of only collecting and using personal data when it helps us to provide a better service to our residents and to meet our legitimate interests, including protecting our residents and staff.
What personal data do we collect about you?
As a data controller we collect information that identifies you or is about you, including:
For residents and freelance service providers:
Identity data such as your name and gender
Contact data such as your address, email address and telephone numbers
Financial data including your bank account details
For residents only:
Marital status, date of birth, photographic images, next of kin
Details and records of treatment and care, including notes and reports about care, treatment, accidents and general health.
Results of assessments and investigations.
Special categories of data including information about your medical and health background, and other categories such as sexuality, race, religion or beliefs, disabilities or allergies.
Everything we do with your personal data counts as processing it, including collecting, storing, amending, transferring and deleting it. When we process your personal data, we are legally required to comply with both the Data Protection Act 2018 (“DPA”) and the UK General Data Protection Regulation (“GDPR”), which came into effect on 1 January 2021, to make sure that your data is properly protected and used appropriately.
Why do we process personal data about you?
We must have a lawful basis for processing your personal data, and that basis will include serving our legitimate interests below:
For residents and freelance service providers:
To fulfil our obligations arising from contracts entered into with you
To comply with our legal and regulatory obligations
For residents only:
To manage the services we provide to you
To more widely protect our residents and staff, maintain their safety, health and welfare
To better understand our residents’ needs and preferences
To market and advertise our services, including with the use of photographs and images
For the special categories of data as mentioned above, the lawful basis for processing includes that you have provided your explicit consent to process the data, and it is necessary to allow us to develop the appropriate care and support package and documentation for you, to administer treatments and agree funding arrangements.
How we store and protect your data
For residents and freelance service providers:
We take the privacy and security of your personal data very seriously. Personal data is held in secure electronic and paper records, and, in accordance with the DPA and GDPR principles, is handled with the highest level of care by having clear internal policies and procedures, and only allowing access to those authorised to know.
For residents only:
As data security standards continue to evolve, we complete an annual assessment of our data security measures using the NHS Data Security and Protection Toolkit, to ensure we are aligned with current best practice and that our performance matches the National Data Guardian’s 10 data security standards. Our staff are also required to undertake regular training in data protection, confidentiality, IT and cyber security.
Do we share personal data with others?
For freelance service providers:
We will only share personal data with third parties where required by law, where it is necessary to administer our working relationship with a service provider or where we have another legitimate interest in doing so.
For residents only:
To provide the best possible care and welfare, we will sometimes need to share data about our residents with others such as:
Other health and social care professionals involved in the delivery of care
Funders of care packages - local commissioning teams
The local authority Quality Assurance and Safeguarding team
Regulators - this will normally be anonymised
The police or other law enforcement agencies if we have to by law or court order
Trustees of the charity itself
How long will we retain your personal data?
We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, contractual or reporting requirements. How long we keep the data is determined by law and, largely, by necessity.
After the relevant retention period, your personal data covered by the particular retention period will be permanently deleted or securely destroyed.
What are your rights?
You have a number of rights in respect of the personal data we hold about you, as below. These rights apply during the period in which we are processing your data.
Right to be informed
You have the right to be informed about the collection and use of your personal data. This includes our reasons for processing your personal data, how long we will hold that personal data, and who it will be shared with.
Right to access your data
You have the right to ask us for a copy of the personal data we hold for you. We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.
We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we will let you know.
Right to have your data rectified
If personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we do not feel it is appropriate, in which case we will explain why. We will also let you know if we need more time to comply with your request.
Right to be forgotten
You have the right to ask us to delete personal data we hold about you. This right is available to you if:
We no longer need your personal data for the purpose for which we collected it
We have collected your personal data on the grounds of consent and you withdraw that consent
You object to the processing and we do not have any overriding legitimate interests to continue processing the data
We have unlawfully processed your personal data by failing to comply with GDPR; and
The personal data has to be deleted to comply with a legal obligation
In certain situations we would have to refuse the request, such as where we have a continuing legal obligation, but in that case we would explain why we could not comply.
Right to restrict processing
You have the right to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we do not have to delete it. This right is available to you if:
You believe the personal data we hold is not accurate, in which case we will cease processing it until we can verify its accuracy
You have objected to us processing the data, in which case we will cease processing it until we have determined whether our legitimate interests override your objection
The processing is unlawful; or
We no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim
In certain situations we would have to refuse the request, such as where the request is manifestly unfounded or excessive, but in that case we would explain why we could not comply.
Right to data portability
You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us when:
Processing is based on your consent or for performance of a contract, and
We carry out the processing by automated means (i.e. excluding paper files)
We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.
Right to object
You are entitled to object to us processing your personal data:
If the processing is based on legitimate interests, or performance of a task in the public interest
For direct marketing purposes; and/or
For the purposes of scientific or historical research and statistics
We will stop processing your data unless there are compelling, legitimate grounds which override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
Rights relating to automated decision making
Automated individual decision-making is a decision made by automated means without any human involvement, using algorithms and machine-learning.
We do not carry out any automated decision making using your personal data.
If you have a complaint about our processing
If you think we have processed your personal data unlawfully or that we have not complied with GDPR, may we ask that you contact our Registered Manager Samantha Tobin in any of the following ways, to discuss the matter further:
Email: manager@ridgegatehome.org.uk
Post: 88 Doods Road, Reigate, Surrey RH2 0NR
Telephone: +44 (0)1737 242926 (opt 3)
If you feel our response is less than satisfactory, you can consider reporting your concerns to the Information Commissioner’s Office (“ICO”) at https://ico.org.uk/make-a-complaint/data-protection-complaints/dataprotection-complaints/.