Privacy Notice
Introduction
This notice was last updated on 24 November 2022.
The Orders of St John Care Trust (OSJCT) is registered with the Information Commissioner’s Office as a data controller within the meaning of the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018. OSJCT has issued this privacy notice to comply with UK data protection law. It explains what information we intend to use, how we use it, the legal reasons for using your information, and your rights under the law.
When we refer to “we,” “our,” or “us” in this policy, we are referring to The Orders of St John Care Trust.
We require and collect personal information to help the Trust care for residents, their families and loved ones, as well as to support our employees and volunteers. Personal information is any information that relates to a living individual who can either be identified from that data, or by combining the data with other information.
This privacy notice also explains your rights as a service user regarding the National Data Opt-Out policy, how data is collected, used, retained and disclosed in line with UK data protection law. See Data Protection and Compliance with the General Data Protection Regulation (England, Scotland, Wales) Policy.
Requesting information from us
- Individuals who wish to request copies of information that we hold about them can submit a request by clicking on this link. They can do this by themselves or have somebody do so on their behalf, such as their solicitor or someone who holds a lasting power of attorney for them.
- Other organisations, such as the Police, Local Authority, Disclosure and Barring Service, HM Coroners, Continuing Health Care, etc., may request information that we hold about our residents, employees, volunteers and contractors, if they have a lawful reason to make such requests. The Trust will share such information when it is legitimate to do so, guided by the ICO’s advice on information sharing (Executive summary | ICO). Organisations who wish to request information about an individual whose information we hold can submit a request by clicking on this link.
We have produced a useful Information Request Leaflet to explain more about what you may or may not be entitled to do.
The Trust is dedicated to making sure that personal information is used properly according to the law and that confidential information entrusted to us is safe. The Trust has appointed a Data Protection Officer (DPO) and their job is to help safeguard the way your information is used and uphold your information rights.
Any concerns or questions about how people’s information is being used, can be brought to the attention of the DPO. His name is Matt Bruce and he can be contacted by telephone on 0330 460 2251, by email at informationgovernance@osjct.co.uk or by writing to:
Data Protection Officer
The Orders of St John Care Trust
Eyre Court
Whisby Lane
Lincoln
Lincolnshire
LN6 3LQ
People also have the right to contact the Information Commissioner’s Office (ICO) if they have a complaint about the way we use information. The ICO can be contacted by clicking on this link, https://ico.org.uk/global/contact-us/, by telephone at 0303 123 1113, by email at casework@ico.org.uk or by writing to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
How and why personal information is collected
As part of the services offered, we are required to process personal information or data about you.
“Processing” can mean collecting, recording, organising, storing, sharing or destroying data.
We must have a lawful basis for processing personal data and as a registered care provider, it is essential this is collected, including financial information, to enable us to provide ongoing quality care and support.
Information is contained in individual files, electronic and manual and other record systems which are subject to strict security and authorised access policies.
This data is held because we have a legal obligation to do so, usually under the Health and Social Care Act 2012 or Mental Capacity Act 2005.
We process “special category” data because:
- it is necessary due to social security and social protection law, mostly in safeguarding situations and where it is necessary to protect your fundamental interests when you are physically or legally incapable of providing consent.
- it is needed for provision and management of social care services.
- we are required to provide data to the Care Quality Commission (CQC), our regulator, as part of public interest obligations.
Special category data can be said to be personal data that needs more protection because it is sensitive.
Data may be processed with your consent. If we need to ask for your permission, you will be given a choice and we will ask that confirmation is provided.
We will also explain clearly to you what we need the data for and how you can withdraw your consent at any point.
What data do we have?
We may process the following types of data:
- basic details and contact information, such as name, address, date of birth and next of kin, email address that you or your power of attorney have asked we hold
- financial details, such as how you fund care or funding arrangements.
We also record the following data which is classified as “special category”:
- health and social care data, which may include physical and mental health data
- data may be recorded about your race, ethnic origin, sexual orientation or religion.
Where is data processed?
This is done face-to-face, via telephone, email, our website, by post, application forms and/or apps.
Data is collected from or shared with:
- the service user or their legal representative(s)
- third parties.
Third parties are organisations we might lawfully share data with, which include other parts of the health and care system such as local hospitals, the service user’s GP or other health and care professionals, the pharmacy, social workers, clinical commissioning groups, the Local Authority and family or friends, with the service user’s permission.
There is a legal obligation to share information with some organisations, such as for safeguarding purposes, the CQC, police or other law enforcement agencies if requested by law or a court order.
Data is retained in line with the Information Governance Alliance’s guidelines.
Your rights
You have the right to refuse/withdraw consent to information sharing at any time. The data kept about you is your data, kept confidential and used appropriately.
Rights regarding personal data
- you have the right to be told when we collect information about you, what we do with that information, if and how we will share that information and for how long we will keep it.
- you can ask us to provide you with a copy of all data held about you or grant you access to it. You will not normally be charged for this
- incorrect information can be updated if any personal data is inaccurate or incomplete
- you can ask us to delete any personal data which is no longer necessary for the purpose for which we originally collected it
- if you don’t wish for us to delete information about you, which we no longer require for the purpose for which we collected it, you can ask us to restrict the processing of that information
- if we have asked for your consent to process data, this can be withdrawn at any time
- if we are processing your data as part of our legitimate role or to complete a task in the public interest, you have the right to object to that processing.
- you can ask us to make your information available to another person or organisation
- you can ask us to ensure that decisions taken about you, using your personal information, are always made by human beings
Identification may be required to support data requests to ensure personal data is not shared inappropriately and requests will be acted on as soon as possible, usually within one month.
What does this mean for me as a service user?
Information collected about you could be provided to other approved organisations, where there is a legal basis to do so, for example, to help plan services, improve care provision and for research into developing new treatments and preventing illness.
Information is only used where allowed by law and never for insurance or marketing purposes without explicit consent.
We will always seek written permission from you before sharing personal information with anyone else, for purposes other than direct care, such as for planning or for research. However, if you do not want your personal data to be used for planning or research, you can stop this.
- For Residents & Extra Care Housing (ECH) Clients
What information do you collect and use?
We use your personal information so that we can provide care services to you and we collect only enough information to allow us to provide you with the best possible care. We do this to fulfil our contract to care for you.
The information we collect from you includes:
• Information that identifies you, basic details such as name, gender, address, and contact details
• Medical and health information, including notes, images, and reports about your health and any treatment and care you have received or need in the future
• Financial information including bank details, billing details and savings
• Details of contact we have had with you to provide quotes for the cost of a care contract
• Information on your beliefs and associations, including religious and philosophical beliefs, and associations with clubs and societies
• Information about your language
• Information about your ethnicity
• Details of your residency status
• Information about any criminal activity
• Your image including photograph
We may also collect personal information about you from other people and organisations, such as:
• Medical and health information from health and social care organisations and professionals, including medical notes and reports about your health and any treatment and care you have received or need
• Social care and safeguarding reports, assessments and referrals
• If you are an ECH client we receive housing applications from the housing provider
Do you share my information?
We share your personal information under certain circumstances. When we do share information, we use as little as possible and on a need to know basis
• If you require regular or emergency medical treatment we will share your personal information to enable healthcare providers, such as hospitals and GPs, to care for you
• We will share information about you with friends and family, where you have indicated that you are happy for that information to be shared
• If you are funded by a local authority, we share your information with them
• We share your information with our legal representatives if we need to reclaim money owed to us to pay for your care
How do you use the information you collect?
We use your information to give you the best care possible. This includes:
• Using your identity to be able to know who you are, this helps us make sure you receive the right care
• Healthcare information, which helps us make sure you receive the right care, such as medication, as well as getting you to your hospital and GP appointments
• Using financial information to make sure that the Trust is paid for the care that it provides
• Understanding your beliefs, to help us get you to clubs and activities
• Details of your residency status, which helps us know if you have a right to live in the UK
• Customer surveys and feedback help us to improve the care that we provide to you
• Using information to protect you from individuals who wish to harm you
• Understanding your language information helps us to communicate effectively with you
• Handling concerns and complaints about the care we provide.
• Investigating incidents
• Using your image to identify you
• Sharing your photograph in marketing materials and publications, where you have provided consent
How long do you keep my information for?
The Trust keeps your personal information during your stay with us so that we can care for you. We also retain the information when you leave our care, for an appropriate time. Our ‘retention schedule’ helps us determine how long to keep records for, in line with guidance from NHS Digital. Information in care records is kept for at least 8 years after we last provide care to you.
We keep your information in case our records are requested by a future care provider, to audit the quality of the care we provide to our residents, and to defend ourselves against legal claims. We may keep anonymised information for longer than 8 years. Anonymised information cannot identify you. It helps us better understand how we care for our residents across the Trust.
For more information on retaining personal information for marketing and publishing, please see our Marketing, Market Research and Events section.
How do you comply with the law?
There are several reasons that the Trust can legally use your information:
• You, an appointed representative, or a local authority has signed a contract with us to care for you. The information entrusted to us helps us to fulfil that contract and take the best care of you. Without this information the Trust cannot care for you
• We have a legitimate interest in collecting information about ethnicity to help monitor equality of treatment across our organisation. There is a public interest in knowing if individuals belonging to ethnic groups are treated better or worse than others
• The Trust collects information about your residence or immigration status because there is a public interest in maintaining effective immigration controls
• We use information about your religious and philosophical associations and beliefs to provide you with the best care. Religious and philosophical beliefs impact the way in which individuals wish to be treated, treatment they may not wish to receive, and end of life care
• We rely on your consent for using your image for marketing and publishing purposes
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention Period |
|---|---|---|---|---|---|
| Identity (name, D.O.B, contact details), photograph | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 8 years after discharge or last use of record |
| Medical & healthcare information | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | Processing is necessary for health or social care purposes. | UK GDPR Article 9(2)(h); DPA Schedule 1, paragraph 2 | 8 years after discharge or last use of record |
| Financial information | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 6 years after the end of the financial year the record corresponds to |
| Details of information such as quotes and referrals | Processing is necessary in order to take steps to enter into a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 6 months after enquiry received |
| Religious and philosophical beliefs | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | Processing is necessary for health or social care purposes. | UK GDPR Article 9(2)(h); DPA Schedule 1, paragraph 2 | 8 years after discharge or last use of record |
| Residency or immigration status | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | Processing is necessary for reasons of substantial public interest. Processing is necessary for the maintenance of effective immigration controls and the investigation or detection of activities that would undermine the maintenance of effective immigration control. | UK GDPR Article 9(2)(g); DPA Schedule 2, paragraph 4(a)(b) | 8 years after discharge or last use of record |
| Criminal activity | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | Processing is necessary for preventing and detecting unlawful acts, for protecting the public against dishonesty, and for complying with regulatory agencies in investigating unlawful acts and dishonesty | UK GDPR Article 10; DPA Schedule 1, paragraph 10, 11 | 8 years after discharge or last use of record |
| Information from customer surveys | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 2 years after feedback received |
| Language | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 8 years after discharge or last use of record |
| Ethnicity | Legitimate interest | UK GDPR Article 6(1)(f) | Processing is necessary for reasons of substantial public interest. Processing is necessary for identifying and reviewing existence of equality of treatment between groups of people | UK GDPR Article 9(2)(g); DPA Schedule 1, paragraph 8 | 8 years after discharge or last use of record |

- For Employees & Contractors (Including Applicants)
What information do you collect and use?
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for legitimate interests pursued by us or a third party, and your interests and fundamental rights do not override those interests.
We may also use your personal information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else's interests).
- Where it is needed in the public interest.
We use your personal information to fulfil our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the work place. We do this because you have entered into a contract with the Trust.
We collect information from you, as well as creating information once you have been successful in a job application, this includes:
• Information that identifies you, basic details such as name, gender, date of birth, address, telephone number, email address and other contact details
• Information that tells us your ethnicity, age, race
• Information the Trust creates that identifies you, such as employee reference, pay rates, payroll number and job role
• Financial information including bank account, pension details and national insurance number
• Computer records, including email and browser history relating to your work
• Any professional registration status or qualifications, such as nursing registration and validation
• Information declaring unspent criminal convictions
• Information relating to leave, including annual leave, maternity, paternity, adoption, and shared parental leave.
• Medical and health information, including sick leave, vaccinations, allergies or occupational health requirements
• Images and photographs
• Fingerprint data is collected and used as a unique identifier for the Trust’s e-rostering system. This only applies to employees working in our care homes and ECH schemes.
We may also collect personal information about you from other people and organisations, such as:
• Criminal record check conducted by the Disclosure & Barring Service (DBS)
• We request confidential references from referees that you have given to us, which contain information about you
• Information we receive from HMRC, such as tax codes
• Our finance team receive information from the courts if you have been issued an attachment of earnings order (AEO) by the courts
We may also collect, store and use the following more sensitive types of personal information:
- Information about your health, including any medical condition, health and sickness records and vaccination status including:
- Details of any absences (other than holidays) from work including time on statutory parental leave and sick leave.
- Where you leave employment and the reason for leaving is related to your health, information about that condition needed for pension purposes.
Do you share my information?
We share your personal information under certain circumstances. When we do share information, we use as little as possible, and on a need to know basis.
• If you require emergency medical treatment we will share your personal information with health professionals to ensure you receive appropriate treatment
• We share your information with HMRC to ensure that you are taxed correctly
• If you have asked us to, we will share your information with our pension providers, reward partners
• If you have asked us to, we will share your personal details, including details of your earnings, length of service, employment status, etc. with appropriate organisations for personal applications such as mortgages or rental agreements
• If you are a member of a regulatory body such as the NMC, we will share your information with them to ensure that you are registered, monitor your need to revalidate, and report misconduct
• If you have consented, we will share your photograph in marketing materials and publications
• If you have been issued with an attachment of earnings order (AEO), we will inform the Centralised Attachment of Earning Payment (CAPS) office
• The Trust uses a third party to store and host data. They do not have access to the data unless granted by the Trust.
How do you use the information you collect?
We use your personal information to fulfil our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the work place. This includes:
• Using financial information to make sure you are paid and taxed correctly
• Ensuring that you are a registered professional where that is a requirement for your role
• Using your information to manage your performance in fulfilling your contract with us
• Understanding how we can support you if you have a disability or impairment
• Ensuring that you are employed in a suitable environment
• Assessing if you may present any risk to other individuals
• Understanding the diversity of our workforce and complying with equality and diversity legislation
• Ensuring that you receive adequate training for your role
• Using your information to keep our residents and employees safe from dishonesty and harm
• Using your image for sharing news about the care we provide and for marketing purposes
• Handling concerns and complaints about the care we provide
• Investigating incidents
• If you have consented, we will share your photograph in marketing materials and publications
• If you have been issued with an attachment of earnings order (AEO), we will make relevant deductions from your pay
How long do you keep my information for?
The Trust keeps your personal information during your employment and we also retain the information when you leave the Trust for an appropriate time. Our ‘retention schedule’ helps us determine how long to keep records for. Employee information is kept for at least 3 years after you stop working for us. If you apply for a job with us and are unfortunately unsuccessful, we will erase your information within 6 months of the close of the recruitment process.
We keep your information to audit the quality of the care we provide to our residents and to defend ourselves against legal claims. We may keep anonymised information for longer than 6 years. Anonymised information cannot identify you and helps us better understand the colleagues that we have employed.
For more information on retaining personal information for marketing and publishing, please see our Marketing, Market Research, and Events section.
How do you comply with the law?
We can legally use your information for several reasons:
• You have signed a contract of employment with us and we use the information to fulfil that contract
• We can share your information with healthcare professionals in emergency situations where your life is at risk
• We can use healthcare information for occupational medical care, and to assess your working capacity
• We have a legitimate interest to monitor and review the diversity of our workforce to help us promote equality and diversity across the Trust and use your information to do this
• We can use and share your information to prevent and detect crime, assist law enforcement agencies, and protect other individuals from dishonesty.
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention period |
|---|---|---|---|---|---|
| Contract information | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 6 years after employee leaves |
| Identity (name, D.O.B, contact details) | Processing is necessary in order to take steps to enter into a contract, and for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 3 years after employee leaves; 6 months after an unsuccessful application |
| Medical & healthcare information, including sick leave and vaccinations | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b)(d) | Processing is necessary for health or social care purposes, in particular, the purposes of occupational and preventative medicine, and the assessment of an employee’s working capacity | UK GDPR Article 9(2)(h); DPA Schedule 1, paragraph 2(2)(a)(b) | 6 years after employee leaves |
| Medical & healthcare information, including sick leave and vaccinations | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party | UK GDPR Article 6(1)(f) | | | |
| Medical & healthcare information | Processing is necessary to protect the data subject’s vital interests | UK GDPR Article 6(1)(d) | Processing is necessary to protect the data subject’s vital interests | UK GDPR Article 9(2)(c) | 3 years after employee leaves |
| Financial information | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 6 years after the close of each financial year |
| Qualifications, work history, professional registrations | Processing is necessary in order to take steps to enter into a contract, and for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 3 years after employee leaves |
| Residency or immigration status | Processing is necessary for the compliance with a legal obligation to which the data controller is subject | UK GDPR Article 6(1)(b); Immigration Act 2006 | Processing is necessary for the maintenance of effective immigration controls and the investigation or detection of activities that would undermine the maintenance of effective immigration control. | UK GDPR Article 9(2)(g); DPA Schedule 2, paragraph 4(a)(b) | 3 years after employee leaves |
| Criminal convictions and offences | Processing is necessary in order to take steps to enter into a contract, and for the performance of a contract | UK GDPR Article 6(1)(b) | Processing is necessary for preventing and detecting unlawful acts, for protecting the public against dishonesty, and for complying with regulatory agencies in investigating unlawful acts and dishonesty | UK GDPR Article 10; DPA Schedule 1, paragraph 10, 11 | 3 years after employee leaves |
| Ethnicity, racial, and language information | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party | UK GDPR Article 6(1)(f) | Processing is necessary for reasons of substantial public interest. Processing is necessary for identifying and reviewing existence of equality of treatment between groups of people | UK GDPR Article 9(2)(c)(h)(g); DPA Schedule 1, paragraph 8, 9 | 3 years after employee leaves |
| Photograph | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 3 years after employee leaves |
| Annual, maternity, paternity, and shared parental leave | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | N/a | N/a | 3 years after employee leaves |
| Fingerprint data | Processing is necessary for the performance of a contract | UK GDPR Article 6(1)(b) | Processing is necessary for the performance of a contract | UK GDPR Article (9)(2)(b) | |

- For Volunteers (Including Work Experience)
What information do you collect and use?
We will only use your personal information when the law allows us to. Most commonly, we will use your information in the following circumstances:
- Where we need to perform the contract we have entered into with you.
- Where we need to comply with a legal obligation.
- Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.
We may also use your information in the following situations, which are likely to be rare:
- Where we need to protect your interests (or someone else's interests).
- Where it is needed in the public interest.
We use your personal information to fulfil our obligations to you as volunteers, and to maintain the privacy and confidentiality of our residents and employees. We do this because you have entered into a volunteer agreement with the Trust.
We collect information from you which includes:
• Information that identifies you, basic details such as name, date of birth, address, telephone number, email address and other contact details
• Information that tells us your ethnicity, age, and gender
• Financial information including bank account
• Interests and preferences
• Information declaring unspent criminal convictions
• Medical and health information including vaccinations
• We will publish your image, if you are happy for us to do so
We may also collect personal information about you from other people and organisations, such as:
• Criminal record check conducted by the Disclosure & Barring Service (DBS)
• We request confidential references from referees that you have given to us, which contain information about you
We may also collect, store and use the following more sensitive types of personal information:
- Information about your health, including any medical condition, health and sickness records, and vaccination status.
Do you share my information?
We share your personal information under certain circumstances. When we do share information, we use as little as possible, and on a need to know basis.
• The Trust uses an online system to manage volunteer data. Volunteers have access to their profile to amend or change their data at any time.
• If you require emergency medical treatment we will share your personal information with health professionals to ensure you receive appropriate treatment
• We will publish your image, if you are happy for us to do so
How do you use the information you collect?
We use your personal information so that we can make sure we protect you in your place of volunteering and to make the most of the volunteering partnership. This includes:
• Understanding how we can support you if you have a disability or impairment
• Ensuring we offer you volunteering in a place that is suitable for you
• Understanding the diversity of our volunteers
• Ensuring that you receive adequate training for your role
• Using your interests and preferences information to find the right volunteering opportunity for you
• Using your information to keep our residents and employees safe from dishonesty and harm
• We will publish your image, if you are happy for us to do so
• Handling concerns and complaints about the care we provide
• Investigating incidents
How long do you keep my information for?
The Trust keeps your personal information during the time you volunteer with us, and we also retain the information when you leave the Trust. Our ‘retention schedule’ helps us determine how long to keep records for. We keep your information in order to understand the quality of the care we provide to our residents and to defend ourselves against legal claims. In all cases we will only hold on to the minimum information we need to meet our regulatory and legal requirements.
We may keep anonymised information for longer than 3 years after you last volunteered with us. Anonymised information cannot identify you, and helps us better understand who has volunteered for us.
For more information on keeping personal information for marketing and publishing, please see our Marketing, Market Research and Events section.
How do you comply with the law?
We can legally use your information for several reasons:
• You have consented for us to use your information and have access to the data to amend or change it at any time
• We can share your information with healthcare professionals in emergency situations where your life is at risk
• We have a legitimate interest in using your information to monitor and review the diversity of our team to help us promote equality and diversity across the Trust
• We have a legitimate interest in knowing any information that helps to prevent and detect crime. We can use and share this information to prevent and detect crime, assist law enforcement agencies, and protect other individuals from dishonesty
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention Period |
| --- | --- | --- | --- | --- | --- |
| Identity (name, D.O.B, contact details) | Consent | UK GDPR Article 6(1)(a) | N/a | N/a | 3 years after volunteer leaves |
| Medical & healthcare information including vaccinations | Consent | UK GDPR Article 6(1)(a) | Consent | UK GDPR Article 9(2)(a) | 3 years after volunteer leaves |
| Medical & healthcare information including vaccinations | Processing is necessary to protect the information subject’s vital interests | UK GDPR Article 6(1)(d) | Processing is necessary to protect the information subject’s vital interests | UK GDPR Article 9(2)(c) | 3 years after volunteer leaves |
| Criminal convictions and offences | Legitimate interest | UK GDPR Article 6(1)(f) | Processing is necessary for preventing and detecting unlawful acts, for protecting the public against dishonesty, and for complying with regulatory agencies in investigating unlawful acts and dishonesty | UK GDPR Article 10; DPA Schedule 1, paragraph 10,11 | 3 years after volunteer leaves |
| Ethnicity, racial, and language | Consent | UK GDPR Article 6(1)(a) | Processing is necessary for reasons of substantial public interest. Processing is necessary for identifying and reviewing existence of equality of treatment between groups of people | UK GDPR Article 9(2)(a) | 3 years after volunteer leaves |

- For Guardians, Relatives, and Friends
What information do you collect and use?
We use your personal information so that we can understand if there are legal guardians, relatives and friends, who they are, who to contact in an emergency situation, and our residents’ visitor preferences.
We collect information from you, and we also collect information from our residents or employees. This includes:
• Information that identifies you, basic details such as name, date of birth, address, telephone number, email address and other contact details
• Information about legal guardianship of a resident
• Information about the legal guardianship of a volunteer, if the volunteer is under 18
Do you share my information?
We share your personal information under certain circumstances. When we do share information, we use as little as possible, and on a need to know basis.
• If you require emergency medical treatment we will share your personal information with health professionals to ensure you receive appropriate treatment.
• We will publish your image, if you are happy for us to do so.
How do you use the information you collect?
We use your personal information to fulfil our obligations to our residents. This includes:
• Using your information to keep our residents and employees safe from dishonesty and harm
• Ensuring that the relatives of residents and employees are contacted in emergency situations or if there are changes in the health of a resident
• Keeping a record of any individuals who are permitted access to the confidential health information about our residents
How long do you keep my information for?
The Trust keeps your personal information within the care record of the resident it relates to. We keep your information for 6 years from your last contact with us. If you require emergency medical treatment we will keep this information for 6 years after the last recorded event. We keep your information in order to audit the quality of the care we provide to our residents, and to defend ourselves against legal claims. In all cases we will only hold on to the minimum information we need to meet our regulatory and legal requirements.
For more information on retaining personal information for marketing and publishing, please see our Marketing, Market Research and Events section.
How do you comply with the law?
We can legally use your information for several reasons:
• We have a legitimate interest in protecting the privacy of our residents, and protecting them from dishonesty and harm.
• We can share your information with healthcare professionals in emergency situations where your life is at risk
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention Period |
| --- | --- | --- | --- | --- | --- |
| Identity (name, D.O.B, contact details) | Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party | UK GDPR Article 6(1)(f) | | | 6 years |
| Healthcare information | Processing is necessary in order to protect the vital interests of the data subject | UK GDPR Article 6(1)(d) | Processing is necessary in order to protect the vital interests of the data subject | UK GDPR Article 9(2)(c) | 6 years from when the record is last used |

- For Suppliers
What information do you collect and use?
We use your personal information as part of procurement of services and supplies.
We collect information from all supplier employees we come into contact with, which includes:
• Information that identifies you, basic details such as name, address, telephone number, email address and other contact details
• If you are a sole trader, we collect financial information including bank account information which identifies you as an individual
Do you share my information?
If you are seeking to enter into a contract with us, and are not a sole trader, we do not intend to share any of your personal information. If you are a sole trader we will share financial information with our bank.
How do you use the information you collect?
We use your information when you submit pre-qualifying questionnaires (PQQ), and contracts to supply goods or services. If you are a sole trader we use your information to pay you for your services.
How long do you keep my information for?
The Trust keeps your personal information relating to contracts for a limited time. We retain personal information relating to suppliers for 6 years following the end of the contract, or services delivered. We keep your information to monitor the performance of contracts and to defend ourselves against legal claims.
How do you comply with the law?
We are able to legally use your information for several reasons:
• You have signed a contract with us and we use the information to fulfil that contract
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention period |
| --- | --- | --- | --- | --- | --- |
| Identity (name, contact details) | Processing is necessary in order to take steps to enter into a contract, and the performance of a contract | UK GDPR Article 6(1)(b) | | | 6 years after contract period is complete or services/goods have been delivered |

- For Enquiries & Complaints
What information do you collect and use?
You may contact the Trust seeking information about housing vacancies, or information about the care that is available in different care homes that we conduct. You may also contact us as a member of the public with a complaint regarding the Trust’s conduct or the conduct of an employee.
We collect information from you which includes:
• Information that identifies you, basic details such as name, date of birth, address, telephone number, email address and other contact details
• Information about your complaint
Do you share my information?
We do not intend to share any of your personal information.
How do you use the information you collect?
We use your information to answer your questions to the best of our ability, and communicate with you. If you consent to marketing, we will use your information to send you marketing materials about the services we provide.
How can I update or delete the information you hold on me in relation to enquiries?
If at any time you would like to notify us of any changes to your personal information, or would like us to delete your personal information relating to an enquiry, you can contact our Customer Services Team who will be happy to help you using the details below:
Telephone: 0800 988 8133
Email: enquiries@osjct.co.uk
How long do you keep my information for?
The Trust keeps your personal information relating to contracts for a limited time. We keep information relating to enquiries for 1 year after the enquiry is made. We keep information relating to complaints for 6 years following the closure of the complaint. We keep your information to defend ourselves against legal claims.
How do you comply with the law?
We can legally use your information for several reasons:
• If you are enquiring about housing vacancies, we use your information because you have sought to enter into a contract with us
• If you make an enquiry unrelated to vacancies, we have a legitimate interest in using the information to respond to your enquiry
• If you have raised a complaint with us, we have a legitimate interest in processing your information so that we can investigate your concerns and respond to your complaint
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention Period |
| --- | --- | --- | --- | --- | --- |
| Enquirer name | Necessary for identifying the enquirer. | UK GDPR Article 6(1)(b) - Steps taken necessary to enter into a contract. | | | 12 months following last contact with the Trust |
| Enquirer address | Necessary for contacting the enquirer. | UK GDPR Article 6(1)(b) | | | 12 months following last contact with the Trust |
| Enquirer email address | Necessary for contacting the enquirer. | UK GDPR Article 6(1)(b) | | | 12 months following last contact with the Trust |
| Enquirer telephone number | Necessary for contacting the enquirer. | UK GDPR Article 6(1)(b) | | | 12 months following last contact with the Trust |
| Prospective resident - name | Necessary for identifying the prospective resident. | UK GDPR Article 6(1)(b) | | | 12 months following last contact with the Trust |
| Prospective resident - address | Necessary for identifying the prospective resident. | UK GDPR Article 6(1)(b) | | | 12 months following last contact with the Trust |
| Prospective resident - care requirements | Necessary for assessing what the care needs of the prospective resident are likely to be so that a home with capacity can be identified. | UK GDPR Article 6(1)(b), Article 9 (2)(h) - data processed is necessary for provision of social care treatment, meeting the conditions of DPA18 schedule 1, paragraph 2 (e)(f) | | | 12 months following last contact with the Trust |

- Information Collected by Our Website
What information do you collect and use?
When you visit our website (www.osjct.co.uk) our servers automatically record information, including information that your web browser sends whenever you visit a website. We use cookies; you can find out more about cookies here.
We collect information from you which may include:
• Your internet protocol (IP) address
• The date and time of your website visit
• Language preferences
• Cookie information
• The device you are using to access our website including what type of device it is
• What operating system you are using
• Device settings
• Application IDs
• Unique device identifiers
Whether we collect some or all this information often depends on what type of device you are using and its settings.
Do you share my information?
We use Google Analytics, a web analytics service provided by Google, Inc. ("Google"). The information generated about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. Further information about Google’s privacy policy may be obtained from http://www.google.com/privacy.html.
How do you use the information you collect?
We use this information to prevent and detect crime and dishonesty. We also use your information to analyse trends in the pages on our website that are accessed, and to improve your website experience. The number of employees with access to this personal information is very limited. Personal information is used anonymously for statistical purposes.
How long do you keep my information for?
The Trust keeps your personal information indefinitely, except cookie data which we will retain only for so long as we have your consent.
How do you comply with the law?
We can legally use your information because we have a legitimate interest, which is to help us prevent and detect crime or dishonesty, such as a cyber-attack. We also have a legitimate interest in knowing which parts of our website individuals are accessing, to help us understand what services individuals are interested in. We rely on consent for the use of cookies and you can find more information in our cookie policy.
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention period |
| --- | --- | --- | --- | --- | --- |
| IP address, your device ID | Legitimate interest | UK GDPR Article 6(1)(f) | | | Please see our cookie policy |
| Cookie information | Consent | UK GDPR Article 6(1)(a) | | | Please see our cookie policy |

- Marketing, Market Research, & Events
What information do you collect and use?
We collect and use your personal information for use in marketing of the care the Trust provides. We also use the information to publish news stories about the work that we do.
We collect information from you which may include:
• Information that identifies you, basic details such as name, date of birth, address, telephone number, and email address
• Photograph
• Feedback
Do you share my information?
Where you have consented, your information (such as a photograph) can be shared to individuals who receive marketing materials or publications, and you will receive marketing materials or publications where you have agreed to receive them.
How do you use the information you collect?
Where you have provided consent, we will:
• Send you service related information via post, email, or text
• Send you newsletters and magazines via post, email, or text
• Invite you to events that we host
• Use your image or feedback in publications and marketing materials about the Trust
• Ask for your feedback about services we provide
• Use your feedback to analyse trends, identify business opportunities, and improve the care we provide
How long do you keep my information for?
We rely on your consent to process this information, and will hold it only for as long as you consent to. Should you wish to withdraw consent at any time, for some or all of the information, and if you wish us to erase the information, please contact us as soon as possible. If you have subscribed to an e-newsletter, please click the unsubscribe button on the email.
As well as the right to withdraw consent, you also have the additional right to ask for the information to be erased. If the information has been published in the public domain we will remove the information from our website. Where it is reasonably possible for us to do so, we will inform other organisations who are processing that information (such as a shared news story).
How do you comply with the law?
We can legally use your information for two reasons:
• You have provided consent for us to share your personal information for marketing purposes and publishing news stories
• You have provided consent for us to send you marketing materials
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.
| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention period |
| --- | --- | --- | --- | --- | --- |
| Identity (name, D.O.B, contact details) | Consent | UK GDPR Article 6(1)(a) | N/a | N/a | Cease processing when consent withdrawn. |
| Photograph (non-employee) | Consent | UK GDPR Article 6(1)(a) | N/a | N/a | Cease processing when consent withdrawn or individual dies. |
| Photograph (employee) | Consent | UK GDPR Article 6(1)(a) | N/A | N/a | Cease processing when consent withdrawn or employee leaves. |

- Pandemic – Coronavirus
During a pandemic we collect and use data in ways which we normally would not. This helps us to ensure that the services we provide are safe for residents, employees, volunteers, and their families.
What information do you collect and use?
We collect information including:
• Whether you have been tested for coronavirus and your result.
• Whether you have come into contact with someone who has or may have coronavirus.
Do you share my information?
Information sharing is vital for the UK’s effort to tackle the pandemic. Where possible we share anonymised information. Where we do share personal data we share as little as necessary, and only where necessary, this includes:
• Sharing information with testing sites where you have agreed to be tested.
• Sharing limited information with Public Health England (PHE). Information shared with PHE is anonymised in most cases.
• Sharing information with the NHS Track & Trace Service.
How do you use the information you collect?
We use the information we collect to monitor the spread of coronavirus among our residents, clients, employees, and volunteers. If you visit a home and we think you may have come into contact with someone with coronavirus during your visit, we will share your information with the NHS Track & Trace Service, with your consent.
How long do you keep my information for?
This is a new and highly virulent disease about which there are many unknowns. As the pandemic runs its course, the Trust will review how long we retain data for. Resident and client diagnoses will be kept for 8 years within the care file. Housing employee test results will be kept for one week. Consent forms will be kept for 3 months. Data relating to employees, volunteers, and visitors will be kept for a minimum of 3 years.
Where we share your data with the NHS Test & Trace Service, the information is automatically deleted after 21 days.
How do you comply with the law?
To use this data for individual employee and residents tests, the Trust relies on having a legitimate interest to process data relating to a suspected or confirmed diagnosis of coronavirus. Using this data is necessary for the management of the social care services we provide by helping us understand the spread of infection within our workforce and care home populations. To use data for individual employee and resident tests, the Trust relies on explicit consent.
To use data for the pooled test pilot, the Trust relies on explicit consent.
To share your data with the NHS Test & Trace Service, we rely on your explicit consent.
I want to know the legal fine print
All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, which is called special category data. If organisations use special category information, they must have a second legal condition. These conditions are contained in the UK General Data Protection Regulation (UK GDPR) tailored by the Data Protection Act 2018; and are set out in the table below, along with the specific retention periods.

| Information used | Legal condition for using information | Legislative references | Second legal condition for using information (where required) | Legislative references | Retention Period |
| --- | --- | --- | --- | --- | --- |
| Individual OSJCT employee coronavirus tests. Identity (name, contact details). Suspected or confirmed coronavirus diagnosis | Processing is necessary for the purposes of the legitimate interests pursued by the controller | UK GDPR Article 6(1)(f) | Processing is necessary for the assessment of the working capacity of an employee. Processing is necessary for the provision of social care. Processing is necessary for the management of healthcare systems or services, or social care systems or services. | DPA18, schedule 1, paragraph 2(a), (e), (f) | 3 years |
| Individual OSJCT employee coronavirus tests. Identity (name, contact details). Suspected or confirmed coronavirus diagnosis | Consent | UK GDPR Article 6(1)(a) | Explicit Consent | UK GDPR Article 9(2)(a) | Consent form - 3 months. Test result - 1 week. |
| Pooled/cohort coronavirus tests. Identity (name, contact details). Suspected or confirmed coronavirus diagnosis. | Consent | UK GDPR Article 6(1)(a) | Consent | UK GDPR Article 9(2)(a) | 3 years |
| Identity (name, contact details) to share with NHS Test and Trace | Consent | UK GDPR Article 6(1)(a) | Consent | UK GDPR Article 9(2)(a) | 21 days |
| Vivaldi. Identity (name, contact details). Symptom information. Ethnicity | Consent | UK GDPR Article 6(1)(a) | Consent | UK GDPR Article 9(2)(a) | 3 years |

- Legal and Regulatory Obligations
We may receive requests for information from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence. When we receive these requests we will inform you as soon as possible. There are circumstances in which we cannot inform you that information is used or shared, because it may prejudice the work of law enforcement agencies and other organisations.
We may be required to use and keep personal information for legal reasons, such as the prevention, detection, or investigation of crime or fraud. We may also use personal information to meet our internal and external audit requirements, and information security purposes.
- Security
We are committed to keeping your personal information secure. We have put in place physical, electronic and operational procedures intended to safeguard and secure the information we collect. All OSJCT employees have a legal duty to respect the confidentiality of your information, and access to your confidential information is restricted only to those who have a reasonable need to access it.
We do not hold any information outside the EU.
When using an OSJCT website, you will notice that the URL starts with HTTPS and you see a locked/green padlock symbol. This means that your information will be encrypted in transit when it is sent from your computer to our server. However, we cannot ensure the security of your information when it is being transmitted to our website or other digital sites from other pages. All transmission of personal information and other information is done at your own risk.
Information submitted to OSJCT through a website is normally unprotected until it reaches us. In addition, users are also requested not to send confidential details or credit card numbers, for example, by email.
We are continuously implementing and updating administrative, technical, and physical security measures to help protect against unauthorised access, loss, destruction or alteration of information.
- Your rights
Under the General Data Protection Regulation, individuals (data subjects) have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in information protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.
Access to personal information
The UK GDPR says data controllers like us must process personal data by means of “appropriate technical and organisational measures” to keep people’s information secure. We use an information management portal to comply with this requirement. We can respond to your request much quicker and more securely if you click on this link and complete the request form, but you don’t have to use the form. If you wish to, you can contact our Data Protection Officer directly through any of the ways mentioned above.
You should include adequate information to identify yourself and such other relevant information that will reasonably assist us in fulfilling your request. Your request will be dealt with as soon as possible.
Right to rectification (correction)
You can request us to rectify and correct any personal information that we are processing about you which is incorrect. We provide you with account settings and tools to access the information associated with your account.
Right to withdraw consent
Where we have relied upon your consent to process your personal information, you have the right to withdraw that consent. To opt out of marketing, you can use the unsubscribe link found in the email marketing communication you receive from us. For other marketing preferences you can contact us, providing details of the services or marketing that you wish to opt out of.
Right of erasure (right to be forgotten)
You can request us to erase your personal information under certain circumstances. This right only applies in certain circumstances; it is not a guaranteed or absolute right.
Right to data portability
This right allows you to obtain your personal information in an electronic format, where you have provided information to us with your consent, or where the information was necessary for us to provide you with our services or employment. You can request that the information be given in a format which enables you to transfer that personal information to another organisation. You may have the right to have your personal information transferred by us directly to the other organisation, if this is technically feasible.
Right to restrict processing of personal information
You have the right in certain circumstances to request that we suspend our processing of any or all your personal information. Where we suspend our processing of your personal information we will still be permitted to store your personal information, but any other processing of this information will require your consent, subject to certain exemptions. This could restrict the ability of the Trust to care for residents and pay employees.
Right to object to processing of personal information
You have the right to object to our use of your personal information which is used where we feel that we have legitimate interest. However, we may continue to process your personal information, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal information in connection with any legal claims.
Rights relating to automated decision making and profiling
You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right means you can request that we involve one of our employees or representatives in the decision-making process.
- The National Data Opt-Out Policy
The national data opt-out gives everyone the choice to stop health and social care organisations sharing their “confidential patient information” with other organisations where it is used for reasons beyond individual treatment and care, such as research and planning purposes.
We use the term “confidential patient information” as the NHS does, and where the opt-out is in force. In this context “confidential patient information” relates to information about service users’ health or social care that may identify them.
Adult Social Care providers, in line with your wishes and the national data opt-out, are required to apply national data opt-outs when they use or disclose confidential patient information for purposes other than your direct care.
As a care service, we have an obligation to inform you about your right to opt out of data sharing, to be clear about how and when such a preference has been applied, and to keep a record of any decision regarding data opt-out.
Most care services do not use or share service users’ information beyond direct care. OSJCT does not share our service users’ information with any pharmaceutical, medical or other researchers and does not use sensitive information for purposes beyond your care and treatment.
We only share personal information on a “need to know” basis, observing strict protocols when doing so. Most of the data sharing is with other professionals and agencies involved with care and treatment. The only exceptions to this general rule would be where we are required by law to provide information, e.g., to help with a criminal investigation.
At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose.
If you are happy with this use of personal information, you do not need to do anything, but you can change this decision at any time.
If you choose to opt out, your confidential patient information will still be used as necessary to support your individual care delivery.
As national data opt-outs are set or changed by individuals themselves, this must be done by you, the service user, or someone legally able to act on your behalf. More details about the wider use of confidential personal information, and how to register your choice to opt out, can be found at: https://digital.nhs.uk/services/national-data-opt-out or by phone at 0300 303 5678.
To opt out by post on behalf of a service user who lacks capacity, fill out and print off Manage Another Person’s Choice on Their Behalf, NHS Data Opt-Out by Post. It can only be done by an individual who holds a lasting power of attorney (LPA) for the person who owns the data.
- Changes to our Privacy Notice
We last updated our Privacy Notice on 29 July 2022. If we make changes to this Privacy Notice, we will post the revised Privacy Notice in the news section of our website and update the “Last Updated” date at the top of this Privacy Notice.