This privacy notice was last updated on 1st June 2022 and published on 14th June 2022
PRIVACY NOTICE
Please read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and other organisations in the event you have a complaint. Please see the section on ‘Your rights’ for more information.
The General Data Protection Regulation (GDPR), which is an EU regulation, came into force in May 2018 and was incorporated into UK data protection laws, so will apply even after the UK leaves the EU. The Data Protection Act 2018 is the UK’s implementation of GDPR.
Care Wyvern already has the relevant policies and procedures that already meet the requirements of the Data Protection Act. Our privacy notice, which follows ICO guidelines, will help to show that Care Wyvern is serious about protecting personal information we collect and processes from our clients, employees and others, and demonstrates how the organisation succeeds in doing this by providing an overview of our various policies and procedures.
1. Business details
This is the privacy notice of EsKe Ltd trading as Care Wyvern and maintaining the website, www.carweyvern.co.uk, located in the United Kingdom. Care Wyvern does not transfer information outside of the United Kingdom. By submitting your data through this site, you consent to the collection, processing, use, storage, and transfer of your personal data as set out in the statement guidelines below. Should you not agree to the above you should not complete the application contact form on this site. In order that we can provide care and support services to the people we support, along with potential, existing and past employees, this statement will explain how we collect, use, retain and dispose of certain personal information about you. Personal information means any information about you from which you can be identified, but it does not include information where your identity has been removed (anonymous data).
Our registered office is at 1 Second Avenue, Halstead, Essex, CO9 2SU.
Eske Ltd, trading as Care Wyvern, is registered with the Care Quality Commission to provide personal care to people in their own homes/accommodation and personal care with or without nursing services.
Care Wyvern runs it’s Domiciliary Care service to people in their own homes from 1 location in Taunton, Somerset.
Within Care Wyvern Ru Newman, Managing Director, acts as the ‘Data Controller’ (DC) of personal and other sensitive information. Care Wyvern has also appointed Tina East, Operations Manager, as ‘Data Protection Officer’ (DPO).
If you have any questions about this privacy notice or would like further explanation as to how your personal information is managed, please send an email to info@carewyvern.co.uk or write to Data Protection Officer, Care Wyvern, Yarde Place, Taunton, Somerset TA1 1UR or call 01823 325554.
2. Aims of this notice
Care Wyvern is required by law to tell you about your rights and our obligations regarding our collecting and processing any of your personal information, which you might provide to us. We have a range of policies and procedures to ensure that any personal information you supply is only with your active consent and will always be held securely and treated confidentially in line with the applicable regulations. We have listed the relevant documents in a later section (6) and can make any available.
3. What personal information we collect about: a) clients b) employees and c) third parties
a. Clients. As a registered care provider, we must collect some basic personal information, e.g. name and address, date of birth and next of kin of our clients, in addition to some financial information, e.g. how clients will pay or fund Care Wyvern for the services provision, which is essential to our being able to provide effective care and support. We also record the following data which is classified as “special category” e.g. health and social care data about our clients which may include both physical and mental health data. We may also record data relating to race, ethnic origin, sexual orientation or religion in order for the organisation to personalise the care delivery to individual need. Care Wyvern requires this information to ensure the service is of high quality and person centred. The information is contained in individual files (manual and electronic) and other record systems, all of which are subject to strict security and authorised access policies Personal information that becomes inactive, e.g. from enquiries or prospective users who do not enter the service is also kept securely for as long as it is needed, before being safely disposed of, please see appendix 1.
b. Employees and volunteers. The service operates a safe recruitment policy to comply with the regulations in which all personal information e.g. basic details, financial details, training records and vaccination/exemption status obtained, including CVs and references, is, like clients’ information, securely kept, retained and disposed of in line with data protection requirements. We also record the following data which is classified as “special category” e.g. health and social care data which may include both physical and mental health data. All employees are aware of their right to access any information about them. An enhanced Disclosure and Barring Service (DBS) check (Criminal Record Check) is also a legal requirement, as set out in the Data Protection Act 2018 and the Rehabilitations of Offenders Act 1974 (Exceptions) order 1975, for staff who deliver a regulated service such as ours. The legal reason for this data is so that Care Wyvern can contact and pay our staff, ensure they receive the correct training for their role within the organisation and provide support so staff can perform their employment responsibilities.
c. Third parties. All personal information obtained about others associated with the delivery of the care service, including contractors, visitors, etc will be protected in the same ways as information on service users and employees.
4. How we collect information
The bulk of clients’, employees’ and thirds parties’ personal information is collected directly from them or through form filling, mainly electronically, but also manually for some purposes, e.g. when contacting the service through its website.
With clients, we might continue to build on the information provided in enquiry and referral forms, and, for example, from needs assessments, which feed into their care and support plans.
With employees, personal information is obtained directly and with consent through such means as references, testimonials and criminal records (DBS) checks. When recruiting staff, we seek applicants’ explicit consent to obtain all the information needed for us to decide to employ them.
All personal information obtained to meet our regulatory requirements, under the Health and Social Care Act and/or the Mental Capacity Act 2005. will always be treated in line with our explicit consent, data protection and confidentiality policies.
Our website and databases are regularly checked by experts to ensure they meet all privacy standards and comply with our general data protection security and protection policies.
5. What we do with personal information
All personal information obtained on clients, employees and third parties is used only to ensure that we provide a service, which is consistent with our purpose of providing a person-centred care service, which meets all regulatory standards and requirements. It will not be disclosed or shared for any other purpose. Care Wyvern processes “special category” data for safeguarding purposes, for us to provide and manage social care services, to provide data to our CQC regulator as part of our public interest obligations and to the police or other law enforcement agencies if we are required to by a law or court order.
6. How we keep your information safe
As already stated, the service has a range of policies that enable us to comply with all data protection requirements. Foremost are:
• Data Subject Access Request Procedure
• Complaints and Compliments Policy
• Computer Security Policy
• Computer Access and Responsibilities Policy
• Confidentiality Policy
• Data Protection – GDPR Policy
• Data Breach Policy
• Rrecruitment and Selection Policy
• Social Media Policy
7. With whom we might share information
We only share the personal information of clients, employees and others with their consent on a “need to know” basis, observing strict protocols in doing so. Most information sharing of clients’ information is with other professionals and agencies involved with their care and treatment, e.g the Local Authority, Clinical Commissioning Groups, the Local Government Ombudsman, the Care Quality Commission, the NHS, as well as their arm’s length bodies and regulators.
Likewise, we would not disclose information about our employees without their clear agreement, e.g. when providing a reference. The only exceptions to this general rule would be where we are required by law to provide information, e.g. to help with a criminal investigation, when seeking to notify the Local Authority of a safeguarding matter or the Care Quality Commission of an incident that requires us to notify it, we would only do so with consent or ensure that the information provided is treated in confidence, HMRC or the Department of Work and Pensions. Where we provide information for statistical purposes, the information is aggregated and provided anonymously so that there is no privacy risk involved in its use.
8. How personal information held by the care provider can be accessed
There are procedures in place to enable any staff member, employee or third party whose personal information we possess and might process in some way to have access to that information on request. (See the policies listed in No. 6 above.) The right to access includes both the information and any uses which we might have made of the information.
9. How long we keep information
There are strict protocols in place that determine how long the organisation will keep the information, which are in line with the relevant legislation and regulations, see appendix 1
10. How we keep our privacy policies up to date
The staff appointed to control and process personal information in our organisation are delegated to assess all privacy risks continuously and to carry out comprehensive reviews of our data protection policies, procedures and protocols at least annually.
11. Your Rights
Under the GDPR you have a number of important rights free of charge. In summary, those include rights to:
• fair processing of information and transparency over how we use your use personal information;
• access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address;
• require us to correct any mistakes in your information which we hold;
• require the erasure (i.e. deletion) of personal information concerning you, in certain situations; Please note that if you ask us to delete any of your personal information which we believe is necessary for us to comply with our contractual or legal obligations, we may no longer be able to provide care and support services to you. Conversely this may also impact on your employment if you are an employee of Care Wyvern
• receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
• object at any time to processing of personal information concerning you for direct marketing;
• object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
• object in certain other situations to our continued processing of your personal information;
• otherwise restrict our processing of your personal information in certain circumstances;
• withdraw your consent to the processing of your personal data and information; Please note that if you withdraw consent to the processing of your personal information which we believe is necessary for us to comply with our contractual or legal obligations, we may no longer be able to provide care and support services to you. Conversely this may also impact on your employment if you are an employee of Care Wyvern
• claim compensation for damages caused by our breach of any data protection laws;
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
How to contact us
If you would like to exercise any of those rights, please:
• email, call or write to our Data Protection Officer, contact details on page 1 of this statement
• let us have enough information to identify you (eg your name and address),
• let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
• let us know the information to which your request relates, including any account or reference numbers, if you have them
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The GDPR also gives you right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.