DATA PROTECTION
PRIVACY NOTICE POLICY
DATA PROTECTION
PRIVACY NOTICE POLICY
Company Contact details: | Address: Fountain Court, New Leaze, Bradley Stoke, Bristol, BS32 4LA Phone: 01174030943 Web page: https://nurselinecs.co.uk/ E-mail address: admin@nurselinecs.uk |
Company Name: | Nurseline Community Service (‘the Company’) |
Date: | 30-11-21 |
Review Date: | 3 years |
Last amended: | |
Version: | 1 |
Nurseline Community Services deliver short and longer-term packages of specialist, outcome-focused support for adults (18+), children and young people (aged 13-17) and young people transitioning into adult services (16-17) with a range of complex care support needs including mental health. The Company must process personal data (including sensitive personal data) so that it can provide these services – in doing so, the Company acts as a data controller.
You may give your personal details to the Company directly, such as on an application, assessment, or registration form or via our website, or we may collect them from another source such as a jobs board. The Company must have a legal basis for processing your personal data. For the purposes of providing health care and service and keeping information relating to the employees’ rights, we will only use your personal data in accordance with the terms of the following statement.
1.Collection and use of personal data
a. Purpose of processing and legal basis
The Company will collect your personal data (which may include sensitive personal data) and will process your personal data for the purposes of providing you with work-finding services. The legal bases we rely upon to offer these services to you are:
- Legitimate interest
In some cases we may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. We may also use your information during the course of internal audits to demonstrate our compliance with certain industry standards.
b. Recipient/s of data
The Company may process your personal data and/or sensitive personal data with the following recipients:
- Payroll Systems (Sage)
- Online rostering / Workforce management system / Document Storage (Sirenum, 3B Forms)
- Document destruction service (Shred-It)
- Auditors
- Care Quality Commission and other relevant regulators
- Commissioners and Allied Health professionals
- Cloud Based Hosting Services (Excalibur)
- Email Marketing Tools / Analytics Tool (Mailchimp, Google Analytics)
c. Statutory/contractual requirement
Your personal data is required by law and/or a contractual requirement (e.g. our client may require this personal data), and/or a requirement necessary to enter into a contract. You are obliged to provide the personal data and if you do not the consequences of failure to provide the data are:
- Failure to provide this data will affect us being able to commence the service delivery and therefore we would be unable to find you suitable work.
2. Overseas Transfers
The Company may transfer only the information you provide to us to countries outside the European Economic Area (‘EEA’) for the purposes of providing you with work-finding services. We will take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein.
3. Data retention
The Company will retain your personal data only for as long as is necessary. Different laws require us to keep different data for different periods of time.
We must also keep your personal and health records, payroll records, holiday pay, sick pay and pensions auto-enrolment records in accordance with the statutory retention period as required by law.
Where the Company has obtained your consent to process your personal and sensitive personal data, we will do so in line with our retention policy (a copy of which is attached). Upon expiry of that period the Company will seek further consent from you. Where consent is not granted the Company will cease to process your personal data and sensitive personal data.
4. Your rights
Please be aware that you have the following data protection rights:
- The right to be informed about the personal data the Company processes on you;
- The right of access to the personal data the Company processes on you;
- The right to rectification of your personal data;
- The right to erasure of your personal data in certain circumstances;
- The right to restrict processing of your personal data;
- The right to data portability in certain circumstances;
- The right to object to the processing of your personal data that was based on a public or legitimate interest;
- The right not to be subjected to automated decision making and profiling; and
- The right to withdraw consent at any time.
Where you have consented to the Company processing your personal data and sensitive personal data you have the right to withdraw that consent at any time by contacting:
REGISTERED MANAGER:
Tracy Crane
E-mail: tracy.c@nurselinecs.uk
Landline: 0117 456 4799
Mobile: 07572 237133
CQC NOMINATED PERSON INDIVIDUAL:
Sarah Ambe
E-mail: sarah.ambe@catalystgrp.co.uk
Office: 0345 894 2264
Mobile: 07960 254357
01174030943
5. Complaints or queries
If you wish to complain about this privacy notice or any of the procedures set out in it please contact our Compliance Manager.
01174030943
You also have the right to raise concerns with Information Commissioner’s Office on 0303 123 1113 or at https://ico.org.uk/concerns/, or any other relevant supervisory authority should your personal data be processed outside of the UK, if you believe that your data protection rights have not been adhered to.
DATA RETENTION POLICY
Date | 30-11-21 |
Company Name: | Nurseline Community Service (‘the Company’) |
Review Date: | 1 year |
Version: | 1 |
The GDPR has set up additional requirements around 8k. We can only keep data for as long as is necessary and it must be kept up to date. The retention periods can differ based on the type of data processed, the purpose of processing or other factors. Throughout this document Nurseline Community Service will be referred to as the Company.
6. The Company guidelines for retaining data
Personal data should not be retained for longer than is necessary for the purpose it has been obtained for. Ensuring personal data is disposed of when no longer needed will reduce the risk that it will become inaccurate, out of date or irrelevant.
This policy covers all company data stored on company-owned, and company provided systems and media, regardless of location.
Under the GDPR, individuals have the right to request erasure, or to be forgotten. This means that the Company must remove the individuals personal data, however this is not an absolute right as some data must be retained to comply with statutory requirements. The type of record will determine the length of time the record must be kept for.
Listed below are records that must be retained and the period of time of retention. These obligations will override any request to erase data.
Category | Type of Document | Format | Retention Period |
---|---|---|---|
Employment | Duty Rotas | Paper/Electronic | 6 years after date to which they relate |
Employment | Health Assessment Records for Night Workers | Paper/Electronic | 2 years from the date they were entered into |
Employment | Criminal Convictions of workers | Paper/Electronic | Deleted once conviction is spent under Rehab of Offenders Act |
Employment | Disclosure and Barring Certificate | Paper/Electronic | No longer than 6 months from appointment. However, key data can be retained in line with policy and procedure |
Employment | Annual Leave Record | Paper/Electronic | 6 years. If leave is carried over from year to year, this may be extended |
Employment | Immigration Checks | Paper/Electronic | 2 years after termination of employment |
Employment | Collective Workforce Agreements and Works Council Minutes | Paper/Electronic | Permanently |
Employment | Consents for the processing of personal and sensitive data | Paper/Electronic | For as long as the data is being processed and up to 6 years afterwards |
Employment | Application Forms and Interview Notes (for unsuccessful candidates) | Paper/Electronic | 6 months – 1 year |
Employment | Employment Records- Qualifications | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Employment Records- References | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Employment Records- Annual Appraisal Reports | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Employment Records - Job History | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Employment Records - Resignation, Termination and/or retirement letters | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Employment Records - Disciplinary | Paper/Electronic | 6 years or longer where decided on a local level |
Employment | Employment Records - Grievance | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Employment Records - Travel and subsistence | Paper/Electronic | Throughout employment and up to 6 years after employment ceases (or 75th birthday whichever is sooner) if summary has been made |
Employment | Occupational Health Reports | Paper/Electronic | Throughout employment and up to 6 years after employment ceases |
(or 75th birthday whichever is sooner) if summary has been made Throughout employment and up to 6 years after employment ceases or 75th birthday whichever is longer | |||
Employment | Clinical Training Records | Paper/Electronic | Throughout employment and up to 6 years after employment ceases or 75th birthday whichever is longer |
Employment | Mandatory Training | Paper/Electronic | Throughout employment and up to 10 years after employment ceases |
Employment | Other Training | Paper/Electronic | 6 years after training completed |
Employment | Medical Records under Ionising Radiations Regulations | Paper/Electronic | Until person reaches 75 years of age, but at least 50 years |
Employment | Medical records as specified by COSHH regulations | Paper/Electronic | 40 years from the date of the last entry |
Employment | Retirement Benefits Schemes – Records of notifiable events e.g. relating to incapacity | Paper/Electronic | 6 years from the end of the scheme year in which the event took place |
Supported Individual | Adult Social Care Records | Paper/Electronic | 8 years from when care ceased if no serious incidents recorded |
Supported Individual | Child Social Care Records | Paper/Electronic | 25th birthday if no serious incidents recorded If the person had treatment until they were 17, retain until 26th birthday |
Supported Individual | Records of Detention, Restraint, DoLS | Paper/Electronic | 3 years |
Supported Individual | Care Records with standard retention periods | Electronic | Where the electronic system has the capacity to destroy records in line with the retention schedule, and where a metadata stub can remain demonstrating that a record has been destroyed, then the code should be followed in the same way for electronic records as for paper records with a log being kept of the records destroyed. If the system does not have this capacity, then once the records have reached the end of their retention periods they should be inaccessible to users of the system and upon decommissioning, the system (along with audit trails) should be retained for the retention period of the last entry related to the schedule |
Supported Individual | Incidents (serious) | Paper/Electronic | 20 years and review |
Supported Individual | Incidents (non-serious) | Paper/Electronic | 10 years and review |
Administration | Fire & general risk assessments, including Buildings and Health & Safety | Paper/Electronic | 3 years |
Administration | Water safety | Paper/Electronic | 3 years |
Administration | Maintenance of premises | Paper/Electronic | 3 years |
Administration | PAT testing | Paper/Electronic | 3 years |
Administration | Purchasing medical devices and equipment | Paper/Electronic | 18 months |
Administration | Maintenance of equipment logs | Paper/Electronic | 11 years |
Administration | Accident Books, Accident Records/Reports | Paper/Electronic | 3 years from date of last entry (or if involves young adult/child until they reach 21 years old) |
Administration | Records of Visitors | Paper/Electronic | 3 years |
Administration | Telephony system records | Electronic | 1 year - review and destroy if no longer required |
Administration | Recorded conversations that might be needed for legal purposes at a later date | Electronic | 6 years |
Administration | Destruction Certificates or Electronic Metadata Destruction Stub | Paper/Electronic | 20 years |
All other data that falls outside of these parameters will be destroyed in one of the following scenarios:
- Upon request from the individual
- 1 year from the last date of completing a work assignment
- Application forms that have not progressed to interview will be deleted after 3 months
7. Data destruction
Once the retention timeframe expires the Company will seek further consent from you. Where consent is not granted the Company will cease to process your personal data and sensitive personal data and will destroy this information. This includes hard and electronic copy. Regular monthly checks will be conducted to keep up to date with the data destruction.
Hard copies are destroyed in confidential waste which is regularly collected by Shred-It. Electronic copies are deleted from our cloud based services and document storage.