Holistic Community Care Limited (“we” or “us”) is committed to data protection and data privacy. With the General Data Protection Regulation (GDPR) becoming enforceable from 25 May 2018, we have undertaken a GDPR readiness programme to review our entire business, the way we handle data and the way in which we use it to provide our services and manage business operations.
We hold personal data on all our employees to meet legal obligations and to perform vital internal functions. This notice details the personal data we may retain, process and share with third parties relating to your employment and vital business operations. We are committed to ensuring that your information is secure, accurate and relevant. To prevent unauthorised access or disclosure, we have implemented suitable physical, electronic, and managerial procedures to safeguard and secure personal data we hold.
JOB APPLICANTS AND EMPLOYEES
We have issued this notice to describe how we handle personal information that we hold about our staff and job applicants (collectively referred to as “you”). For the purposes of this notice, the term “employee” includes job applicants, those who are employed by us on a permanent basis or on a non-permanent basis (including temporary and contract workers, independent contractors, consultants, professional advisors, trainers, work experience/placement students and secondees). We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law. This notice sets out the personal data that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.
If you are in any doubt regarding this notice, please contact firstname.lastname@example.org.
Types of personal data we collect
During your employment with us, or when making an application for employment, we may process personal data about you and your dependents, beneficiaries and other individuals whose personal data has been provided to us.
The types of personal information we may process include, but are not limited to:
• Identification data – such as your name, gender, photograph, date of birth, staff member IDs.
• Contact details – such as home and business address, telephone/email addresses, emergency contact details.
• Employment details – such as job title/position, office location, employment contract, performance and disciplinary records, grievance procedures, sickness/holiday records.
• Background information – such as academic/professional qualifications, education, CV, criminal records data (for vetting purposes, where permissible and in accordance with applicable law).
• Spouse & dependents information, marital status.
• Financial information – such as banking details, tax information, withholdings, salary, benefits, expenses, allowances, stock and equity grants.
• IT information – information required to provide access to our IT systems and networks such as IP addresses, log files and login information.
• If you are a temporary employee, contract worker or consultant, the type of personal information we process is limited to that needed to manage your specific work assignment.
• References relating to previous roles and employment conduct may be undertaken prior to commencement of employment. We will only gather references from referees provided to us by the employee, or prospective employee.
Sensitive personal data (‘special categories of personal data’ under the General Data Protection Regulation) includes any information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data for the purposes of unique identification, trade union membership, or information about your health/sex life. Generally, we try not to collect or process any sensitive personal information about you, unless authorised by law or where necessary to comply with applicable laws. In some circumstances, we may need to collect some sensitive personal information for legitimate employment-related purposes, for example:
• data relating to your racial/ethnic origin, gender and disabilities for the purposes of:
  • equal opportunities monitoring;
  • to comply with anti-discrimination laws; and
  • for government reporting obligations;
• data relating to your physical or mental health to:
  • provide work-related accommodations,
  • health and insurance benefits to you and your dependents; or
  • to manage absences from work.
Purposes for processing personal data
If you are applying for a role with us then we collect and use this personal data for recruitment purposes – in particular, to determine your suitability for a specific role. This includes assessing your skills, qualifications and verifying your information, carrying out reference checks or background checks (where necessary) and to generally manage the hiring process and communicate with you about it.
If you are accepted for a role with us, the data collected during the recruitment process will form part of your ongoing employee record.
We collect and process personal data relating to our employees to meet our obligations under the employment contract and to comply with our legal obligations. We take the security of your data seriously and are committed to being transparent about how we collect and use that data and to meeting our data protection obligations.
Once you become an employee, we collect and use this personal information for managing our employment or working relationship with you – for example, your employment records and contract information (so we can manage our employment relationship with you), your bank account and salary details (so we can pay you), your equity grants (for benefits plan administration) and details of your spouse and dependents (for emergency contact and benefits purposes).
Where we process special categories of personal data, such as information about ethnic origin, sexual orientation, health or religion or belief, this is done for the purposes of equal opportunities monitoring. Data that we use for these purposes is anonymised or is only collected with the express consent of employees, which can be withdrawn at any time.
We have policies and controls in place to try to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed without authorisation and only accessed or used for specific legal purposes.
You have some obligations under your employment contract to provide the organisation with data. You may also have to provide the organisation with data in order to exercise your statutory rights, such as in relation to statutory leave entitlements. Failing to provide this data may mean that you are unable to exercise your statutory rights.
We process our employees’ personal information through a global human resources system (“HR System”) called Citweb, which is a tool that helps us to administer HR and employee compensation and benefits at an international level and which may allow staff members to manage their own personal information in some cases. Citation utilises third-party servers via Microsoft Azure to hold its HR System data and other business services; these are both based in the United Kingdom and have been assessed against stringent security requirements to ensure that all appropriate security controls are in place to protect personal information.
Legitimate business purposes
We may also collect and use personal information when it is necessary for other legitimate purposes, such as to help us conduct our business more effectively and efficiently – for example, for general IT security management, accounting purposes or financial planning. We may also process your personal information to investigate violations of law or breaches of our own internal policies.
The IT Department will record and monitor usage of our IT equipment, user activity, voice traffic, email and Internet usage as deemed necessary. The IT Department will observe the strictest confidentiality when undertaking these activities. They will make their report directly to the Board of Directors, who will determine the actions that may need to be taken in any particular case.
Our site is protected by closed-circuit television (CCTV) systems as deemed necessary by our landlord and employees should expect all communal areas within the site (other than those where use would contravene common decency) to be visible on a television monitoring system. Any information obtained from systems will be used with strict adherence to the GDPR. Information will be used for the prevention and detection of crime and to ensure compliance with our policies and procedures and our legal obligations. This may include using recorded images as evidence in disciplinary proceedings.
We may also use your personal data where we consider it necessary for complying with laws and regulations, including collecting and disclosing employee personal information as required by law (e.g. for tax, health and safety, anti-discrimination laws), under judicial authorisation, or to exercise or defend our legal rights.
Legal basis for processing personal data
Our legal basis for collecting and using the personal data described above will depend on the personal data concerned and the way we collect it. We will normally collect personal data from you only where we need it to perform a contract with you (i.e. to manage the employer/employee relationship), where we have your freely given consent to do so, or where the processing is in our legitimate interests and only where this interest is not overridden by your own interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.
Any processing based on consent will be made clear to you at the time of collection or use – consent can be withdrawn at any time by contacting email@example.com.
Who we share your personal data with
We take care to allow access to personal data only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the data is used in a manner consistent with this notice and that the security and confidentiality of the data is maintained.
Transfers to third-party service providers
In addition, we make certain personal data available to third parties who provide services to us. We do so on a “need to know basis” and in accordance with applicable data protection and data privacy laws.
For example, some personal data will be available to our employees’ workplace pension provider and third-party companies who provide us with employment law advice, health and safety support, payroll support services, expenses, tax and travel management services, as well as to organisations such as Microsoft, in order to store information and transmit information by email via its cloud servers.
Transfers to other third parties
We may also disclose personal data to third parties on other lawful grounds, including:
• To comply with our legal obligations, including where necessary to abide by law, regulation or contract, or to respond to a court order, administrative or judicial process
• In response to lawful requests by public authorities (including for national security or law enforcement purposes)
• As necessary to establish, exercise or defend against potential, threatened or actual litigation
• Where necessary to protect the vital interests of our employees or another person
• In connection with the sale, assignment or other transfer of all or part of our business; or
• With your freely given and explicit consent
Transfer of personal data abroad
We may need to transfer personal data to countries outside of the United Kingdom. When we export your personal data to a different country, we will take steps to ensure that such data exports comply with applicable laws. For example, if we transfer personal data outside the European Economic Area (EEA), such as to the United States, we will implement an appropriate data export solution such as entering into contracts with the data importer that contain EU model clauses or taking other measures to provide an adequate level of data protection.
Personal data will be stored in accordance with applicable laws and kept for as long as needed to carry out the purposes described in this notice or as otherwise required by law. Generally, this means your personal information will be retained until the end of your employment, employment application, or work relationship with us plus a reasonable period of time thereafter to respond to employment or work-related inquiries or to deal with any legal matters (e.g. judicial or disciplinary actions), document the proper termination of your employment or work relationship (e.g. to tax authorities), or to provide you with ongoing pensions or other benefits.
For more information, please see our Data Retention Policy, which outlines our current document retention schedule.
You may exercise the rights available to you under data protection law as follows:
• The right to be informed.
• The right of access.
• The right to rectification.
• The right to erasure.
• The right to restrict processing.
• The right to data portability.
• The right to object.
• Rights in relation to automated decision making and profiling.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. You can read more about these rights at:
To exercise any of these rights, please contact firstname.lastname@example.org.
Issues and complaints
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
This notice was drafted with clarity in mind. It does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed.
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office in their capacity as the statutory body which oversees data protection law – www.ico.org.uk/concerns.
Updates to this notice
This notice may be updated periodically to reflect any necessary changes in our privacy practices. In such cases, we will inform you by email. We encourage you to check this notice periodically to be aware of the most recent version.
Please address any questions or requests relating to this notice to email@example.com.
Annex A – Third-party processors
Key third-party processors
The following are our key third-party processors who will, during your employment, process your personal data.
We outsource our HR system to Citation who hold records on all our employees, which may include:
• Name and address
• Email address
• Salary and conditions of employment
• Disciplinary and grievance notes
• Qualifications and training records
We outsource our Health and Safety management to Citation, who may hold records on the following:
• Incidents involving our employees
• Risk assessments relating to our employees
• Training records
Citation’s systems use a secure cloud solution. Information on Citation’s security is available by contacting firstname.lastname@example.org.
We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and other organisations in the event you have a complaint. Please see the section on ‘Your rights’ for more information.
We are Holistic Community Care Limited. In order that we can provide care and support services to the people we support we collect and use certain personal information about you.
Personal information means any information about you from which you can be identified, but it does not include information where your identity has been removed (anonymous data).
As the ‘controller’ of personal information, we are responsible for how that data is managed. The General Data Protection Regulation (“GDPR”), which applies in the United Kingdom and across the European Union, sets out our obligations to you and your rights in respect of how we manage your personal information.
As the ‘controller’ of your personal information, we will ensure that the personal information we hold about you is:
1. used lawfully, fairly and in a transparent way.
2. collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
3. relevant to the purposes we have told you about and limited only to those purposes.
4. accurate and kept up to date.
5. kept only as long as necessary for the purposes we have told you about.
6. kept securely.
If you have any questions about this privacy notice or would like further explanation as to how your personal information is managed, please send an email to email@example.com, write to Unit 3B, Union Court, 20-22 Union Road, London, SW4 6JP or call 0207 091 0399.
Please note when we refer to:
• A “public body” we mean any organisation in the United Kingdom which delivers, commissions or reviews a public service and includes (but is not limited to) the Ombudsman, local authorities, councils, unitary authorities, clinical commissioning groups, health and social care trusts, the National Health Service as well as their arm’s length bodies and regulators.
• A “social or health care professional” we mean any person who provides direct services, acts as consultant or is involved in the commission of your healthcare or social care services, including (but not limited to) your General Practitioner (GP), dental staff, pharmacists, nurses and health visitors, clinical psychologists, dieticians, physiotherapists, occupational therapists, hospital staff, social workers and other care and support related professionals.
The personal information we collect and use in relation to people who enquire about and use our services
Information collected by us
When you enquire about our care and support services and during the course of providing care and support services to you we collect the following personal information when you provide it to us:
• your name, home address, date of birth and contact details (including your telephone number, email address) and emergency contacts (i.e. name, relationship and home and mobile numbers)
• your allergies and any medical, physical or mental conditions and in particular your care needs
• your likes, dislikes and lifestyle preferences (including your religious beliefs or other beliefs of a similar nature, racial or ethnic origin, genetics, health and sexuality, so far as they relate to providing you with suitable care)
• credit or direct debit details (if you pay for some or all of our services using one of these methods).
Information collected from other sources
We also obtain personal information from other sources such as:
• your allergies and any medical, physical or mental conditions and in particular your care and support needs, from any appropriate external social or health care professionals (including your GP)
• your name, home address, date of birth, contact details, needs assessments and financial assessments from any appropriate external social or health care professionals (including any relevant public body regardless of whether you are publicly funded)
• your likes, dislikes and lifestyle preferences (including your religious beliefs or other beliefs of a similar nature, racial or ethnic origin, genetics, health and sexuality, so far as they relate to providing you with suitable care) from your family, friends and any other person you have nominated as your representative
• your Attorney or Deputy (if applicable).
How we use your personal information
We use your personal information to:
• prepare, review and update a suitable care plan, describing the nature and level of care and support services which you have requested we supply to you
• communicate with you, your representatives and any appropriate external social or health care professionals about your individual needs and personalise the service delivered to you
• make reasonable adjustments, when required, to meet your individual needs and to ensure we have suitable facilities to ensure your safety
• invoice you for the care and support services in accordance with our terms and conditions
• carry out quality assurance procedures, review our service and improve our customer experience (please note that feedback can also be provided anonymously)
• carry out market research.
Who we share your personal information with
We regularly share your medical information with appropriate external social or health care professionals (including your GP and pharmacist) and any individuals you have nominated as your representative. This data sharing enables us to establish the type of care and support you need. It also allows us to design the right care package to suit your individual circumstances, including if (in future) you decide to receive care from an alternative provider.
We will share personal information with law enforcement or other authorities if required by law. This includes information required by public bodies to evidence our compliance with the applicable regulatory framework. We are also required to share personal information with external social or health care professionals, including public bodies and local safeguarding groups (in some circumstances) to ensure your safety.
We will not share, sell or trade your personal information with any other third party.
Whether information has to be provided by you, and if so why
The provision of your medical, physical or mental condition is necessary to enable us to create a care plan and to provide you with suitable care and support services. Without this information, we will not be able to assess your care needs or provide any care services to you.
The provision of your name and home address is required so that we can arrange a care worker to attend your home to deliver the services and so that we can invoice you for the fees.
We will inform you at the point of collecting information from you, whether you are required to provide the information to us.
How long your personal information will be kept
• we will hold the personal information kept within your client file for six years as required by law.
• we will hold the personal information kept within our feedback procedure for three years so that we can identify trends and patterns in our service.
The personal information we hold
Reasons we can collect and use your personal information
We rely on the following grounds within the GDPR:
• Article 6(1)(b) – processing is necessary for the performance of our contracts to provide individuals with care and support services
• Article 6(1)(c) – processing is necessary for us to demonstrate compliance with our regulatory framework and the law
• Article 9(2)(h) – processing is necessary for the provision of social care or the management of social care systems and services
• Article 6(1)(f) – processing is necessary for the pursuit of legitimate interests, including marketing purposes, corporate due diligence and financial modelling, service development and innovation. The pursuit of these legitimate interests will serve to ensure that we continue to improve the quality of our service delivery, as well as ensuring that we are able to operate on a firm financial basis. Should you wish to opt-out of having your data collected and/or used in such a manner, please contact us at firstname.lastname@example.org
as the lawful basis on which we collect and use your personal data and special category data (such as your health).
Transfer of your information out of the EEA
We may transfer your personal information to the following, which are located outside the European Economic Area (EEA):
• the USA in order to store information and transmit information by email via the cloud servers of our email provider.
The USA does not have the same data protection laws as the United Kingdom and EEA. Any transfer of your personal information will be subject to appropriate or suitable relevant safeguards that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information (as permitted under Article 49 of the GDPR). We will not otherwise transfer your personal data outside of the United Kingdom or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.
To obtain a copy of these safeguards or if you would like further information please contact us (see ‘How to contact us’ below).
Under the GDPR you have a number of important rights free of charge. In summary, those include rights to:
• fair processing of information and transparency over how we use your personal information;
• access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address;
• require us to correct any mistakes in your information which we hold;
• require the erasure (i.e. deletion) of personal information concerning you, in certain situations. Please note that if you ask us to delete any of your personal information which we believe is necessary for us to comply with our contractual or legal obligations, we may no longer be able to provide care and support services to you;
• receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
• object at any time to processing of personal information concerning you for direct marketing;
• object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
• object in certain other situations to our continued processing of your personal information;
• otherwise restrict our processing of your personal information in certain circumstances;
• claim compensation for damages caused by our breach of any data protection laws.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
How to contact us
If you would like to exercise any of those rights, or if you have any questions about this privacy notice or would like further explanation as to how your personal information is managed, please:
• send an email to email@example.com, write to Unit 3B, Union Court, 20-22 Union Road, London, SW4 6JP or call 0207 091 0399.
• let us have enough information to identify you (e.g. your name and address),
• let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
• let us know the information to which your request relates, including any account or reference numbers, if you have them
If you would like to unsubscribe from any email newsletter you can also click on the ‘unsubscribe’ button at the bottom of the email newsletter. It may take up to fourteen days for this to take place.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
Changes to this privacy notice
This privacy notice was published on 24 May 2018 and last updated on 24 May 2018.
We may change this privacy notice from time to time; when we do, we will inform you via letter and/or email and/or in person.
Do you need extra help?
If you would like this notice in another format (for example: audio, large print, braille) please contact us (see ‘How to contact us’ above).