GENERAL DATA PROTECTION REGULATION (GDPR) AND SUBJECT ACCESS

Statement

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR replaces the 1995 Data Protection Directive.

Availl are committed to protecting data and to the lawful processing and safekeeping of data. Our data must be:

  • Fairly and lawfully processed
  • Processed for specified purposes
  • Adequate, relevant and not excessive
  • Accurate, and where necessary kept up to date
  • Not kept for longer than is necessary
  • Processed in line with the rights of the individual
  • Kept secure
  • Not transferred to countries outside the European Economic Area unless there is adequate protection for the information and consent obtained
  • Consent will be gained from the relevant parties to hold and distribute data according to their requests.

The GDPR also gives all individuals (data subjects) certain rights, including the right to see information that is held about them and to have it corrected if it is wrong.

We are committed to upholding the principles of the General Data Protection Regulation including guaranteeing that all data is fairly and lawfully processed; is processed for limited purposes only and not kept for longer than is necessary; is accurate, adequate, relevant and not excessive; is stored and handled securely.

Additionally, Availl is committed to the principles of sharing all information held about any Client or Staff with that individual as far as is reasonably possible.

Procedures

The General Data Protection Regulation (GDPR) requires every organisation processing personal data to register with the Information Commissioner’s Office (ICO). Renewal is required on an annual basis. Availl will remain compliant with the registration requirements.

The guiding rule is that all recorded information about an individual should be recorded in co-operation with that person and a signature obtained to confirm this and the accuracy of the information. Contributions from the individual or, where appropriate, from his or her representative, should be actively encouraged.

In all cases the Client will be given unrestricted access to the personal records held by Availl, with the exceptions shown below, and their signature will be requested to show that they have seen or contributed to the records.

Where it is deemed that information should not be disclosed to the Client, this must be formally approved by the Registered Manager with a signed endorsement. The Registered Manager may only do this on either of the following grounds:

  • That there is a serious risk of injury to the Client or others if the information is disclosed; or
  • That an offence may be committed if the information/material was accessible to the Client.

Where a third party, such as a Doctor, provides information, he or she should be advised that this may be shared with the Client. If permission is not given, the Registered Manager should decide if it is appropriate to store the information on file, in which case this should be in a confidential section.

Once placed in the confidential section, the information may only be disclosed with the Registered Manager's approval, in consultation with the author/originator and, where appropriate, with the Client's representative.

If a person lacks capacity to manage their affairs, a person acting under an order of the Service of Protection or acting within the terms of a registered Enduring Power of Attorney can request access on his or her behalf.

The General Data Protection Regulation applies only to data about living people. Therefore, information held on the deceased is not personal data, as defined by the act. Even though the General Data Protection Regulation does not apply to such data there may still be issues of confidentiality surrounding access to records about the deceased and careful consideration will therefore be given to any such requests.

If a Client claims that information contained in the record is inaccurate, incorrect or misleading, he or she may ask for it to be corrected or changed. Records must be changed where an opinion or an assumption has been expressed on the basis of inaccurate or incorrect information. Where there is a difference of opinion, the original record may remain the same and an additional record of the Client's view is made.

Loss of data

If, despite the security measures you take to protect the personal data you hold, a breach of security occurs, it is important to deal with the breach effectively. The breach may arise from a theft, a deliberate attack on your systems, the unauthorised use of personal data by a member of staff, accidental loss, or equipment failure. However the breach occurs, you must respond to and manage the incident appropriately. You will need a strategy for dealing with the breach, including:

  • A recovery plan, including damage limitation;
  • Assessing the risks associated with the breach;
  • Informing the appropriate people and organisations that the breach has occurred; and
  • Reviewing your response and updating your information security.

The breach must be reported to the ICO using the report form online (www.ico.org.uk).

All health service organisations (excluding those in Scotland, Northern Ireland and Wales) must now use the IG Toolkit Incident Reporting Tool. This will report IG SIRIs to the Health and Social Care Information Centre (HSCIC), Department of Health, ICO and other regulators.

Rights of access (Subject Information)

Because we observe a clear policy of sharing the maximum amount of information with the subject, we do not experience or anticipate many formal applications for access to information under the General Data Protection Regulation (GDPR). Where we do, the Freedom of Information Act 2000 will also be followed.

Nevertheless, we fulfil our obligations under the Acts in the following way:

  • The applicant should submit his or her request to the Registered Manager.
  • This will be formally acknowledged within 10 days and the response plan confirmed.
  • The Registered Manager will make arrangements to collect together all of the information about the subject held by Availl in order to provide access to it. The Registered Manager may take legal advice as appropriate.
  • Access will be provided as soon as possible and no more than 40 days after receipt of the request. The applicant will be required to confirm receipt of the information.
  • Where information relates to or is from third parties, consent to disclose information should be sought within ten days of the receipt of a request for access. The consent must be obtained within the 40 day period outlined above.
  • Normally any information provided to the applicant should not include any data about, or such that it would allow the data subject to identify, any third party unless permission has been sought and received from that individual or a specific decision has been made to release the information without their consent.
  • The records will normally be made available to the applicant in the presence of the Registered Manager who will be available to explain or interpret entries if the applicant so wishes and to explain why the information was processed. The applicant may bring a person of their choice with them.

Use of computers

Availl uses computers to store and print policy and procedure notifications and any necessary forms required together with providing business information. It is also used to store personal information regarding Clients and Staff for the purpose of producing documents.

Person identifiable information should always be held securely and when used treated with respect. This rule applies whether the information is held manually or in a computer or by memory by Staff.

  • Computers are password protected and accessed only by designated users.
  • Passwords must not be shared with anyone.
  • All computers should be logged off and switched off at the end of each working day.
  • All cabinets containing confidential information are locked and the keys are locked away in a cupboard overnight.
  • Information will only be disclosed on telephone enquiries after the appropriate checks have been made.
  • Computer screens must not be visible to anyone visiting the office.
  • Screens must be directed away from the view of the entrance to protect any information that may be displayed when in use.
  • Should an employee leave the company, termination of their passwords should be requested immediately.
  • Visiting bodies e.g. Care Quality Commission, Police and Home Office, requesting to see Staff files should be asked to produce an identification badge and a phone call to their office should be made to confirm their identity before allowing them access to the data they require.
  • Confidential information regarding Clients and Staff that is no longer required should be shredded in the shredder provided. Confidential information should NOT be torn up and placed in the bins.
  • Where large amounts of documents need to be destroyed an on-site document destruction service must be used. A duty of care; controlled waste transfer note or destruction certificate will be obtained and held on file.
  • Clients can be assured that safe and secure records management arrangements will continue to be in place for the legally required period should Availl close its operations.

The length of time records should be kept is:

  • Social care records for adults; 3 years from the last date of entry
  • Risk assessments; retain the latest risk assessment until a new one replaces it
  • Purchasing excluding medical devices and medical equipment; 18 months
  • General operating policies and procedures; retain the current version and previous version for three years
  • Any incidents, events or occurrences that require notification to the Care Quality Commission; three years
  • Use of restraint or the deprivation of liberty; three years
  • Detention; three years
  • Maintenance of the premises; three years
  • Maintenance of equipment; three years
  • Electrical testing; three years
  • Fire safety; three years
  • Water safety; three years
  • Medical gas safety, storage and transport; three years
  • Money or valuables deposited for safe keeping; three years
  • Staff employment; three years following date of last entry
  • Duty rosters; four years after the year to which they relate
  • Purchasing of medical devices and medical equipment; 11 years
  • Final annual accounts; 30 years

It is a requirement that each branch of Availl is registered with the Information Commissioner's Office under the General Data Protection Regulation (GDPR). This registration must be renewed annually.

Further information on managing data can be found at www.ico.org.uk

PRIVACY

Privacy and your personal data

Availl is committed to protecting the privacy of our staff and clients. This privacy policy is intended to inform you on how we gather, define and utilise your personal identifiable information. It applies to information collected by us and provided by you. It is also intended to assist you in making informed decisions when registering and using our services. It is important that you read this privacy notice together with any other notice or Terms of Business we may provide. This privacy notice supplements other notices and is not intended to override them.

All your personal Information shall be held and used in accordance with the General Data Protection Regulation.

Data controller

For the purposes of Data Protection Laws and this Privacy Policy, Availl are acting as a data controller and are responsible for your personal data, under the following circumstances:

  • a) Where personal data has been provided to us directly from you for your own purposes
  • b) We are acting as a data controller.
  • c) Where we have been provided with your personal data from a third-party for your own purposes. Where this applies, we will contact you within one month of acquiring the personal data.

Where we have been provided with your personal data from a third-party for a joint purpose, both the third-party and Availl are acting as data controllers. Where this applies, we will contact you within one month of acquiring the personal data.

Availl are not acting as Data Controllers where we are provided with personal data by a third-party, under their instruction, for the purpose and benefit of that third-party. Where this applies, they should have notified you that they would be passing your personal data to us at the time they collected your data and within their own privacy notices/standards.

If Availl have received your personal data as part of a business to business relationship, the data controller is the source it came from.

What information do we collect?

We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

Identity Data includes forenames, maiden names, last name, username or similar identifier, marital status, title, date of birth and gender.

Health and Medical Data includes past and present medical conditions, contact numbers and details of relatives, next of kin and professionals included in the responsibility of providing care such as Doctors, Care Managers and Multidisciplinary Professionals.

Contact Data includes address, billing address, email address and telephone numbers.

Special Categories of Personal Data includes details about your race or ethnicity, religion, sexual orientation, trade union membership, information about your health and genetic and biometric data. We also collect information about criminal convictions and offences.

Financial Data includes bank account

Transaction Data includes details about payments to and from you and other details of services you have purchased from us.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.

Usage Data includes information about how you use our website and services.

Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your Personal Data but is not considered Personal Data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this privacy notice.

The legal basis for processing your personal data

Availl will only process personal data where there is a lawful basis as per Data Protection Laws. This lawful basis shall be one or more of the following:

  • a) Express consent from you;
  • b) In order to perform and/or complete a contract with a third party;
  • c) To comply with a legal obligation;
  • d) To protect your vital interest;
  • e) It is in the public interest; and
  • f) There is a legitimate interest.

Legitimate interests are a flexible basis upon which the law permits the processing of an individual's personal data. To determine whether we have a legitimate interest in processing your data, we balance the needs and benefits to us against the risks and benefits for you of us processing your data. This balancing is performed as objectively as possible by our Data Protection Lead. You are able to object to our processing and we shall consider the extent to which this affects whether we have a legitimate interest.

How we share your information

In certain circumstances we will share your Information with other parties. Details of those parties are set out below along with the reasons for sharing it.

Data retention

Availl holds different categories of personal data for different periods of time. Wherever possible, we will endeavour to minimise the amount of personal data that we hold.

a) If 'consent' is the basis for our lawful processing of your data, we will retain your data so long as both the purpose for which it was collected, legal compliance and your consent, are still valid. Occasionally, we might identify a legitimate interest in retaining some of your personal data that has been obtained by consent. If we do, we will inform you that we intend to retain it under these conditions and identify the interest specifically.

b) If we process your data on the basis of 'legitimate interests', we will retain your data for so long as the purpose for which it is processed remains active. We review the status of our legitimate interests every twelve (12) months and will update this notice whenever we determine that either a legitimate interest no longer exists or that a new one has been found.

c) All categories of personal data that are held by us because they are essential for the performance of a contract will be held for a period of six years, as determined by reference to the Limitation Act 1980, for the purposes of exercising or defending legal claims.

Your rights as a data subject

When reading this notice, it might be helpful to understand that your rights arising under Data Protection Laws include:

  • a) The right to be informed of how your Personal Data is used (through this notice);
  • b) The right to access any Personal Data held about you;
  • c) The right to withdraw consent at any time, by emailing or writing to your local branch;
  • d) The right to rectify any inaccurate or incomplete Personal Data held about you;
  • e) The right to erasure where it cannot be justified that the information held satisfies any of the criteria outlined in this policy, or where you have withdrawn consent;
  • f) The right to prevent processing for direct marketing purposes, scientific/historical research or in any such way that is likely to cause substantial damage to you or another, including through profile building; and
  • g) The right to object to processing that results in decisions being made about you by automated processes and prevent those decisions being enacted.

Cookies

Similar to other commercial websites, our Website uses a technology called "cookies" and web server logs to collect information about how our Website is used. Cookies are small text files that are placed on your computer's hard drive through your web browser when you visit any web site. They are widely used to make web sites work, or work more efficiently, as well as to provide information to the owners of the site.

Like all other users of cookies, we may request the return of information from your computer when your browser requests a web page from our server. Cookies enable our web server to identify you to us, and to track your actions and the pages you visit while you use our website. The cookies we use may last for a single visit to our site (they are deleted from your computer when you close your browser), or may remain on your computer until you delete them or until a defined period of time has passed.

Although your browser software enables you to disable cookies, we recommend that you allow the use of cookies in order to take advantage of the features of our website that rely on their use. If you prevent their use, you will not be able to use all the functionality of our website. Here are the ways we may use cookies:

  • a) to record whether you have accepted the use of cookies on our web site. This is solely to comply with the law. If you have chosen not to accept cookies, we will not use cookies for your visit, but unfortunately, our site will not work well for you.
  • b) to allow essential parts of our web site to operate for you.
  • c) to operate our content management system.
  • d) to operate the online notification form - the form that you use to contact us for any reason. This cookie is set on your arrival at our web site and deleted when you close your browser.
  • e) to enhance security on our contact form. It is set for use only through the contact form. This cookie is deleted when you close your browser.
  • f) to collect information about how visitors use our site. We use the information to improve your experience of our site and enable us to increase sales. This cookie collects information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from, and the pages they visited.
  • g) to record that a user has viewed a webcast. It collects information in an anonymous form. This cookie expires when you close your browser.
  • h) to record your activity during a webcast, for example whether you have asked a question or provided an opinion by ticking a box. This information is retained so that we can serve your information to you when you return to the site. This cookie will record an anonymous ID for each user, but it will not use the information for any other purpose. This cookie will last for a period of time after which it will delete automatically.
  • i) to store your personal information so that you do not have to provide it afresh when you visit the site next time. This cookie will last for a period of time after which it will delete automatically.
  • j) to enable you to watch videos we have placed on YouTube and other video sharing websites, who will not store personally identifiable cookie information when you use their privacy-enhanced mode.

Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

If you fail to provide Personal Data

The information about you that we have collected for the performance of our contracts is required in order for us to successfully fulfil our obligations to you. If you choose not to provide the personal data requested, we will not be able to enter into a contract with you to provide the benefits we offer. If we are already processing your personal information under a contract, you must end our contractual relationship (as/where permitted) in order to exercise some of your rights.

We process some personal information as part of a contractual relationship with a data controller. Any requests to restrict this type of processing should be forwarded to the data controller; they will be responsible for discussing your concerns and making any decisions.

This policy can be changed by us at any time. If we change our policy in the future, we will advise you of material changes or updates by email, where we are holding your email address or alternatively by post where we hold your address.

If you are unhappy about our use of your Information, you can contact the Registered Manager at your local branch. You are also entitled to lodge a complaint with the UK Information Commissioner’s Office using any of the below contact methods.

Does your personal data leave the EU?

The only reason would be to request a reference check for a member of staff applying for a position if they had recently been employed outside of the EU.

Complaints

We politely ask that all complaints are brought to the attention of Availl directly and in the unlikely event that you were not happy with the outcome, then you can bring your complaint to the attention of:

  • Telephone: 0303 123 1113
  • Website: https://ico.org.uk/concerns/
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF