Effective date of implementation 28 May 2018

Purpose:  To comply with the requirements of the General Data Protection Regulations 2018.

Scope:  This policy covers all aspects of information obtained and held by Clifton Homecare Ltd (CHCL) including (but not limited to):

  • Service user and employees details, medical history & NOK details
  • Personal information provided by clients & families in order that we can deliver our care and support duties
  • Employee details to enable a contract of employment to be issued.

Caroline Brady has been appointed as the Data Protection Officer (DPO) and is responsible for data protection.

GDPR identifies the rights of individuals:-

  • Right to be informed
  • Right of access
  • Right to rectification (in CHCL case immediately any discrepancy is identified)
  • Right to erasure portability
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights in relation to automated decision making & profiling

Right to be informed

We may collect information or data about you in various ways in order to develop a support and care plan to allow the team at CHCL to meet your needs safely. The main circumstances we do so are noted below:-

  • The information obtained from either the client, relative, lasting power of attorney appointee or advocate is used in the formulation of the care plan. All appropriate parties will be encouraged to read the care plan to ensure the information is accurate and correctly documented. These details are stored in a file at the client’s location. Any updates to the support and care plan will be documented after approval of the details by yourselves. At the end of each visit and at the time of medication administration the care team will complete notes summarising the duties completed and medication administered.
  • Our website does not collect details of your IP address and which version of the web browser you used to review our website. We use photographs of some of our clients in our marketing video BUT only after consultation with yourselves (and relatives if necessary) after consent has been obtained and records of consent are retained. We maintain a photo headshot of clients within their client file for safeguarding and security purposes

 Rights of access

We have to request your approval for Clifton Homecare to maintain these personal records. You have a right to access your personal data but we can refuse access to data if we feel your request is unreasonable, repetitive or excessive. Clifton Homecare will provide information within one month from receipt of request. We are allowed to charge a reasonable fee to cover admin costs.

 Right to rectification

 If Clifton Homecare or you believe any specific information we have obtained is, in your or our opinion incorrect, please inform the Data Protection Officer (Caroline Brady) as soon as this is identified. If we, as a Company, believe the information is accurate and correct, we will not change the information. You have a right to make a complaint and you can seek to enforce your rights through a judicial remedy. Please refer to our separate Complaints policy and procedure for details.

 Right to restrict processing

We do not process any information electronically. We produce a care plan using Windows software. Any information gleaned from a client in relation to production and subsequent implementation of the care package is appropriate, relevant to the care we provide and used to maintain a client’s wellbeing and safety.

Our payroll processing is undertaken by Drangan Accountancy and our DBS checking process is managed by On Line DBS. Drangan Accountancy and On Line DBS have their own GDPR policies and procedures.

 Right to data portability

As stated previously we do not process any information electronically.

Right to object

The GDPR right to object allows clients and staff to object to certain types of data processing and stop Clifton Homecare from continuing to process their personal data. There are only certain situations when a legitimate right to object can be sent to a company.

These are:

  • Direct marketing
  • The processing of personal data for statistical purposes related to historical or scientific research
  • The processing of data for tasks in the public interest
  • The exercising of official authority invested in you
  • Objections to data processing in yours or a third party’s legitimate interest
  • Objections to data processing based on their own beliefs and situations

 Clifton Homecare have one month to assess, review and provide feedback to an objection, in accordance with the legitimate right to object.

Rights in relation to automated decision making and profiling

 We do not use any automated decision making or profiling software.

 Obtaining consent

 We may use personal information:

  • To provide you with information relevant to your care package and details of any medical practitioner requirements specific to your care
  • To notify you of any change to our services we provide for you
  • To assist with any contractual obligations
  • To allow training courses to be undertaken and any additional training required to be identified
  • Supervisory reports completed after regular monitoring of employee performance

Personal and special category of data obtained from client, staff and any other source relevant to our domiciliary care activities may include:

  • Racial or ethnic origin of a client or employee
  • Their religious beliefs if these will impinge on any care packages we implement
  • Their physical and/or mental health condition
  • Their sexual life but only so far as this will affect the care package we provide
  • Name and contact details

We use Cloud based software for maintaining electronic storage information – a secure system, password protected with password changed regularly.

Service user and employee files are locked away when the office is closed. No records are left on desks when the office is unmanned and no paper records are stored in company cars.

Messaging to staff uses a secure password protected WhatsApp software which is encrypted and client details such as key-safe codes are sent to staff email addresses via a link, which requires use of a password to open.

All passwords are changed regularly and all clients are encouraged to change key-safe codes regularly. Clifton Homecare will assist with this process, if required.

Retention periods of records obtained

  • We collect employee information such as their address, contact details, next of kin and any details of any physical concerns that may affect their health and/or wellbeing whilst at work
  • The personal data we maintain is kept to a minimum subject to CQC and data retention requirements:
  • Client records – 7 years after ceasing to be a client
  • Staff records – 7 years after ceasing to be an employee
  • Unsuccessful staff application forms – 6 months after vacancy closing date
  • Timesheets and financial documents – 7 years
  • Employers liability insurance – 40 years
  • All paper based records that have been superseded and contain an identifier are shredded before disposal