Privacy Policy

Purpose of this Policy

The purpose of this policy is to describe how we collect and use personal information about Service Users and Employees in accordance with the General Data Protection Regulation (GDPR).

Personal Information for Employees

In the collection of personal information, we will ask our Employees/Potential Employees for their explicit consent for personal data to be collected and used. This consent will form the lawful basis for the processing and will be asked for at the time of completing an application, through recruitment and during employment.

  • Information we collect
  • How we store this data
  • What rights Employees have to access their data
  • The right for Employees' personal information to be deleted on request
  • The reasons why we are storing personal information
  • How long we keep it
  • Who we share personal information with

Information we collect

We collect information for the purposes of employment, to provide support and meet the needs of Service Users in their own home.

The information we need for this is:

Name and address, current CV, all qualifications for the role applied for, and contact information, including telephone numbers and email address.

References from former employers, bank account details, National Insurance number, photographic ID, work permit (if applicable) and Disclosure and Barring Certificate.

How we store this data

All data collected will be stored digitally on secure computers and paper files will be stored in locked cabinets.

What rights Employees have to access their data

Employees' personal information is held in a transparent and lawful manner and can be accessed on request at any time in writing.

The right for Personal information to be deleted on request

An Employee has the right to erasure of all personal information held when they cease to work for the agency, except for information we are lawfully obliged to keep for legitimate reasons.

The reasons why we are storing personal information

The reason we hold personal information on our Employees is so we can lawfully operate a Care Agency for the purposes of assisting and supporting Service Users within their own homes in a safe and professional manner. We have an obligation to our Service Users to provide Care Support Workers who have the appropriate experience, skills and knowledge to provide person-centred care while maintaining best practice. We are also obliged to provide Care Support Workers who have an up-to-date and clean Disclosure and Barring Certificate, to protect vulnerable people and provide them with reliable staff.

How long we keep this data

We will keep this data for 6 (six) years from the day the Support worker leaves Rural Care. We must keep all payroll data for a period of 6 years from the last date the candidate worked.

Who we share this data with

By consenting to the use of your personal information for the purposes of recruitment and employment, you agree that we will share your information with third parties for the purposes of payroll functions, pension providers, HR advisors and legal bodies.

Personal Information for Service Users

In the collection of personal information, we will ask the Service User for their explicit consent for personal information to be collected and used. The personal information obtained will allow the assistance and support required by the Service User to be individual to their needs and person-centred, while following legal requirements.

Some of the personal information that is collected for Rural Care to support and assist Service Users at home will be sensitive and is defined in the GDPR as “special categories of personal data”; its parameters have been expanded to include such categories as genetic data and biometric data where these are used to identify an individual person.

For example, information about an individual’s race, ethnic origin, genetics, biometrics (where used for ID purposes), health or sexual orientation are all types of data that could create significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.

Rural Care will collect and process personal information and ensure that it complies with the General Data Protection Regulation in force and its protection principles. This will include ensuring that personal information is:

  1. Fairly and lawfully processed.
  2. Processed for limited purposes.
  3. Adequate, relevant, and not excessive.
  4. Accurate.
  5. Not kept for longer than is necessary.
  6. Processed in line with your rights.

What happens to your Personal Information after it is collected

  • Contact details are entered on to a database and used to contact you by telephone, e-mail, and post. All digital records are password protected.
  • The database holds the lists of staff and Service Users from which rotas and visit plans are created.
  • Your contact details are sent to the phones of the staff who are booked onto your shifts, and this is password protected.
  • All computer digital records are protected with several layers of software to protect from cyber-attacks and virus attacks.
  • You have a care plan which stays in your house, and this is your property while it is under your care. We occasionally take paperwork out so that it can be stored in a locked filing cabinet.
  • Invoices and accounts are stored on a secure database system and a third party at payroll has another secure password protected system.

If you have not used our services for five (5) years, then we will contact you and request whether you would like your information to be discarded or if you would like to remain on the database system. If we do not obtain a response, then all records will be deleted.

Data Breach Procedures

Informing the Information Commissioner’s Office

  1. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Information Commissioner’s Office in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made to the ICO within 72 hours, it shall be accompanied by reasons for the delay.
  2. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
  3. The notification referred to in paragraph 1 shall at least:
     • Describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
     • Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained.
     • Describe the likely consequences of the personal data breach.
     • Describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue delay.

The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.