Published by All About You, 2021-05-06 06:17:00

Hand Book PDF V2.18

5.2. Where at all possible, if we have appropriately shared that individual’s records
with any third party, we will inform that third party of the rectification, if
appropriate.

5.3. In all cases we will respond to a request for rectification within one month.
Should the request be complex, this may be extended to two months; however,
we will inform the individual in writing of the extension and the reasons why it is
required within one month.

5.4. To request that their records be rectified, service users or staff should contact
us with the request for rectification either verbally or in writing. Staff receiving a
request should pass it on without delay to the Data Protection Officer. If the
rectification is due to the record being incomplete, then the individual should
also provide the supplementary information needed to update the record.

5.5. While we are assessing the request to rectify records, we will restrict
processing of the data in question. This will be done in line with our Right to
Restrict Processing Procedure as outlined in our Record Keeping Policy.

5.6. In the instance where the rectification request is refused, the reason will be
explained in full and in writing within one month of the original request having
been received.

5.7. A record of all rectification requests and outcomes will be kept by the Data
Protection Officer for a period of 3 years, or 6 years where an appeal has been
made.

5.8. All individuals who have their rectification request refused will be informed of
their legal rights to complain to the ICO and to seek a judicial remedy.

5.9. All staff will be informed of this policy in the staff handbook.

5.10. All service users, or their legal representative, will be informed of this policy,
as well as their other rights as regards their personal data, when they sign initial
contracts with us.

5.11. In order to process your request for rectification, you might be asked to
provide identifying documents so that we can authenticate that it is appropriate
for you to update your data.


6. Responsibilities

6.1. The Senior Information Risk Owner has overall responsibility for Data Quality
policies and procedures being reviewed annually.

6.2. The Data Protection Officer has overall responsibility for staff training in data
quality and for monitoring data quality throughout the organisation. They also are
responsible for responding to rectification requests and recording the outcome of
any request.

6.3. The Registered Manager is responsible for the quality of records and making
sure that staff understand their commitments in ensuring data quality.

6.4. Every member of staff is individually responsible for the quality of data they
personally record – whether on paper or electronically. Additionally, they are
responsible for reporting any mistakes they do notice to the Data Protection
Officer.

6.5. Staff are aware that data accuracy and security is a contractual and legislative
requirement and that breach of this policy might result in disciplinary action.

7. Approval

7.1. This policy has been approved by the undersigned and will be reviewed at
least annually.

John Lee Managing Director & SIRO

Approval Date 13th January 2020

Review Date 13th January 2021


Network Security Policy

1. Introduction

1.1. This Network Security Policy is the overarching policy for data security and
protection for All About You Care Services Limited (hereafter referred to as "us",
"we", or "our").

2. Purpose

2.1. This document sets out our policy for the protection of the confidentiality,
integrity and availability of the network, establishes responsibilities for network
security and provides reference to documentation relevant to this policy.

3. Scope

3.1. This policy applies to all staff, including temporary staff and contractors.
3.2. This policy applies to our networks which are used for:

3.2.1. The storage, sharing and transmission of care data and images;
3.2.2. Printing or scanning of care data or images;
3.2.3. The provision of internet systems for receiving, sending and storing non-care
data or images.

4. Policy

4.1. The All About You Care Services information network will be available when
needed, will be accessible to company personnel and other legitimate users
subject to consent, and the network data will contain complete and accurate
information.

4.2. The network will be able to withstand or recover from threats to its availability,
integrity and confidentiality. To satisfy this we undertake to:
4.2.1. Protect all hardware, software and information assets under our control;
4.2.2. Provide effective protection that is commensurate with the risks to our
network assets;
4.2.3. Implement the Network Security Policy in a consistent and timely manner;
4.2.4. Comply with all relevant legislation.

5. Risk assessments

5.1. We will carry out security risk assessment(s) in relation to all the business
processes covered by this policy. These risk assessments will cover all aspects
of the network that are used to support those business processes.


5.2. The risk assessment will identify the appropriate security countermeasures
necessary to protect against possible breaches in confidentiality, integrity and
availability.

6. Physical & environmental security

6.1. We have the following physical security barriers in place:
6.1.1. Our main internal server (drive Z) is housed in a secure office protected by
a five-lever mortice lock at entry point one and a numeric door pad at entry
point two.
6.1.2. The building is locked overnight and protected by a monitored alarm
system, door sensors and internal PIR sensors.
6.1.3. The monitored alarm service is provided by a NACOSS Gold recognised
company compliant with its range of standards and Codes of Practice.
6.1.4. Visitors gain access by ringing the doorbell and by personal invitation only.
The main entry is protected by a locked door. Staff access and egress use
proximity key fobs.

6.2. The Data Protection Officer and SIRO are responsible for ensuring that door
lock codes are changed following a compromise, or a suspicion that the code has
been compromised.

7. External network connections

7.1. We will ensure that all connections to external networks and systems have
documented and approved System Security Policies.

7.2. The company SIRO and DPO must approve all connections to external
networks and systems before they commence operation.

7.3. Data is hosted externally by Tagtronics Cloud Solution.
7.4. Our provider’s servers are hosted with UKFast, which has a full documentation
framework (ISO 27001 and PCI DSS) that supports this function. For
information: http://www.ukfast.co.uk/

7.5. Summary:
7.5.1. UKFast has achieved and maintains the standards of:
• ISO9001 – Quality Management
• ISO27001 – Information Security
• ISO14001 – Environmental Management


• PAS2060 – Carbon Neutrality
• PCI-DSS Level 1 – Payment card industry status
• More information can be found here: http://www.ukfast.co.uk/accreditations.html

7.5.1.1. UKFast is governed by ISO27001 across the business.

7.6. Security of Remote Desktop Service (RDS)? In terms of our SQL database:
• Transparent Data Encryption
• Encryption in transit
• Encryption at rest? (Cloud)

7.7. In terms of security, our cloud solution essentially has two levels of security to
access the software; users enter separate usernames/passwords to:
• Gain remote access to our hosted server via Remote Desktop Service (RDS).
• Access the software itself.

8. Server location and failover procedures:
8.1. Our accredited provider’s (ISO9001 – Quality Management, ISO27001 –
Information Security) secure data centre is located in Manchester and provides a
back-up of all data on a daily basis. Necessary failover and disaster recovery
procedures are in place, i.e. server monitoring, secondary servers, and back-up of
all data at a different off-site location.

8.2. Our Tagtronics system can be configured to control the functionality that is
accessible by each individual software user. These user permissions are
controlled by the Data Protection Officer, allowing us to authorise which staff
are able to access/edit the different aspects of the system.

9. User responsibilities, awareness & training

9.1. We will ensure that all users of the network are provided with the necessary
security guidance, awareness and training to discharge their security
responsibilities.

9.2. These procedures for care staff are outlined in the staff handbook.

10. Accreditation of network systems

10.1. Our Data Protection Officer is responsible for ensuring that the network does
not pose an unacceptable security risk to the organisation. He will undertake
checks on actual implementations based on approved security policies.


11. Malicious software
11.1. We use Bitdefender GravityZone Endpoint Security, which provides:
11.1.1. A layered endpoint protection platform (EPP) to defend endpoints against
malicious software threats.

12. Secure disposal or re-use of equipment
12.1. We will ensure that where equipment is being disposed of all data on the
equipment (e.g. on hard disks or tapes) is securely overwritten.

13. System change control
13.1. Our Information Governance Lead and Data Protection Officer are jointly
responsible for updating all relevant Network Security Policies, design
documentation, security operating procedures and network operating procedures.

14. Reporting security incidents & weaknesses
14.1. All potential security breaches must be investigated and reported to the Data
Protection Officer and an Information Incident Report Form must be completed.
14.2. We will follow the procedures set out in the Data Security Policy.

15. Business continuity & disaster recovery plans
15.1. We will ensure that business continuity plans are produced for the network.
15.2. The plans must be reviewed and tested on a regular basis.

16. Approval
This policy has been approved by the undersigned and will be reviewed at least annually.

John Lee Managing Director & SIRO

Simon Lee Operation Director & Data Protection Officer

Approval Date 13th January 2020

Review Date 13th January 2021

Policy for the Use of Mobile Devices

Mobile technology is now an essential part of our business, with data being processed and
accessed by staff via smartphones. Call monitoring and care software is routinely used to
access confidential information via mobile telephones and other mobile devices.
Examples of such information are service users’ names, addresses, medication and care
plan details essential for the care worker to carry out their duties.

1. Introduction
1.1. This policy is the overarching policy for the security and protection of data
accessed via mobile devices for All About You Care Services Limited (hereafter
referred to as "us", "we", or "our").

2. Purpose
2.1. This document sets out our policy for the protection of the confidentiality, integrity
and availability of the data accessed by mobile devices, and establishes
responsibilities for security.

3. Scope
3.1. This policy applies to all staff and managers.
3.2. Mobile devices include mobile telephones, tablets and laptop computers.

4. Training
4.1. All care staff must be trained in the use of the app as part of their induction training.
4.2. Safe use will be monitored by supervisors during spot checks to ensure the security
of data.

5. Security Measures
5.1. Staff must:
5.1.1. log out of the app when not on duty;
5.1.2. leave mobile devices locked when not in use;
5.1.3. use a suitably complex PIN to lock mobile devices;
5.1.4. use fingerprint or facial ID to lock mobile devices if available.

6. Lost or stolen mobile devices.

Staff are more likely to have their tablets or phones stolen (or lose them) when they are out
and about. Should a device be lost or stolen:

6.1. The member of staff responsible for a device that is lost or stolen will immediately
contact the Data Protection Officer (DPO) on 01253 899982.

6.2. The DPO will immediately disable access to the Tagtronics software for the user of
the stolen or lost device.


6.3. Access will be reinstated by the DPO:
6.3.1. when the device is found and returned to the user;
6.3.2. when a new device is issued, in which case a new password and user ID will
be issued by the DPO to the user.

7. Keeping devices and apps up to date.

Just like a ‘desktop’ computer, mobile devices and apps need to be kept up to date to
ensure that critical security updates are applied:

7.1. Install manufacturer software updates.
7.2. Install software updates.
7.3. Apps must be refreshed during the day to update any changes.

8. Trusted Wi-Fi Networks
8.1. Staff must not use public Wi-Fi hotspots (for example in coffee shops); there is no
easy way to find out who controls the hotspot.
8.2. Staff must not use service users’ Wi-Fi connections.

When connected to such hotspots, somebody else could access what you are working on,
and your private login details could be stolen whilst connected.

9. Bring Your Own Device (BYOD) refers to staff using their own mobile devices to
access company data.
9.1. Staff using their own device must agree to abide by this policy.
9.2. If allowing a third party access to their mobile device, staff:
9.2.1. must ensure they are logged out of company software;
9.2.2. must not divulge their company access name, password and ID to anyone;
9.2.3. must not store their company access name, password and ID on the device.

John Lee Managing Director & SIRO

Simon Lee Operation Director & Data Protection Officer

Approval Date 13th January 2020

Review Date 13th January 2021


Subject Access Request Policy

Introduction

Individuals have the right to access their personal data and supplementary information. The
right of access allows individuals to be aware of and verify the lawfulness of the processing.
Our business must comply with the requirements of the General Data Protection
Regulation (GDPR) and we must be able to demonstrate compliance to the Information
Commissioner’s Office (ICO).

Upon receipt of a request for information our internal policy is as follows:

Responsibility

Simon Lee our Data Protection Officer is responsible for the handling of Subject Access
Requests (SAR) in our business.

The duties of the Data Protection Officer include but are not limited to:

• Log the receipt and fulfilment of all requests received from a data subject (the person
making the request, or requestor) to see his or her personal information.
• Acknowledge the subject access request (SAR).
• Verify the identity of any person making a SAR.
• Maintain a database on the volume of requests and compliance against the statutory
timescale.
• Verify whether we are the controller of the data subject’s personal data.
• Check if we are not a controller, but rather a processor. If so, inform the data subject
and refer them to the actual controller. This needs to be recorded in writing.
• Where applicable, decide if a request is excessive, unfounded or repetitive and
communicate this to the requestor.
• Decide if an exemption applies.
• If a SAR is submitted in electronic form, any information should preferably be provided
by electronic means as well.

Oral or written requests


Subject access requests can be made in writing, electronically or verbally.
If a member of staff is in any doubt whether a certain situation has given rise to a SAR, contact the
Data Protection Officer by email ([email protected]) providing full details of the
incident. Staff should do this without delay and certainly within [TWO] business days.

Where a member of staff receives a subject access request, they must email the relevant
information to the Data Protection Officer without delay and certainly within two working
days.

How do we verify the requestor’s identity?
The requestor must supply valid evidence to prove their identity.
We may verify the requestor’s identity either through a phone call where we ask questions
that only the requestor will know the answers to or by requesting forms of identification.
We accept the following forms of identification:

• Current UK/EEA Passport
• UK Driving Licence
• Financial Statement issued by bank, building society or credit card company
• Utility bill for supply of gas, electric, water or telephone landline

How to process the request

Our aim is to determine what information the requestor is asking for. If the request is not
clear, or where we process a large quantity of information about an individual, the GDPR
permits us to ask the individual to specify the information the request relates to. Where this
applies, we will proceed with a request for additional information.

We must verify whether we process the data requested. If we do not process any such
data, we must inform the data subject accordingly.

We must respond to the data subject within 1 month of receiving the request. This is a
requirement under the GDPR.

Any employee who receives a request from the Data Protection Officer to locate and supply
information relating to a SAR must make a full and exhaustive search of the records for which
they are responsible or which they own. This may include, but is not limited to, emails (including
archived emails and those that have been deleted but are still recoverable), Word documents,
spreadsheets, databases, systems, removable media (for example, memory sticks),
recordings, and paper records in relevant filing systems.

The Data Protection Officer should check whether the data requested also involves data on
other data subjects and make sure this data is filtered before the requested data is supplied
to the requestor; if data cannot be filtered, ensure that other data subjects have consented
to the supply of their data as part of the SAR.

All the information that has been requested must be provided unless an exemption can be
applied (see below). Information must be supplied in an intelligible form and we will explain
acronyms, codes or complex terms.

No charge to comply with the request (with exceptions)


We will provide a copy of the information free of charge, as per the GDPR rules. However,
we may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive,
particularly if it is repetitive.

We may also charge a reasonable fee to comply with requests for further copies of the
same information. We understand that this does not mean that we can charge for all
subsequent access requests.

Where applicable, the Data Protection Officer will determine the ‘reasonable fee’ that must
be based on our administrative cost of providing the information.

Excessive, manifestly unfounded or repetitive requests

Where requests are manifestly unfounded, excessive or repetitive, we may refuse to act
on the request or charge a reasonable administration fee. The Data Protection Officer will
make a decision on this.

The Data Protection Officer must provide information on our decision to the requestor in
writing within 1 month and must state how they reached their decision.

Complex requests

As stated, we have to respond to a SAR within 1 month. If more time is needed to respond
to complex requests, an extension of another two months is permissible, provided this is
communicated to the data subject in a timely manner within 1 month.

Where we decide not to take action on the request of the data subject, we need to inform the
data subject of this decision without delay and at the latest within 1 month of receipt of the
request.

Our response to the requestor

After processing the SAR, our response to the requestor should include:
• The purpose(s) of the processing;
• The categories of personal data concerned;
• The recipients or categories of recipients to whom personal data has been or will be
disclosed, in particular in third countries or international organisations, including any
appropriate safeguards for transfer of data;
• The envisaged period for which personal data will be stored, or, if not possible, the
criteria used to determine that period;
• The existence of the right to request rectification or erasure of personal data or
restriction of processing of personal data concerning the data subject or to object to
such processing;
• The right to lodge a complaint with the ICO; our ICO registration number is Z1146450;
• If the data has not been collected from the data subject: the source of such data;


• The existence of any automated decision-making, including profiling and any
meaningful information about the logic involved, as well as the significance and the
envisaged consequences of such processing for the requestor.

How to handle exemptions?

If a member of staff believes that we have a valid business reason for an exemption, please
inform the Data Protection Officer without delay by email to [email protected].
Exempt information must be redacted from the released documents with an explanation of
why that information is being withheld.

Complaints
Where a requestor is not satisfied with a response to a SAR, we must manage this as a
complaint. We must advise the requestor that if they remain unhappy with the outcome they
may complain to the Information Commissioner’s Office or take legal action against us.

Breach statement

Breaches of this policy by members of staff will be investigated and may result in
disciplinary action. Serious breaches of policy may be considered gross misconduct and
result in dismissal without notice, or legal action being taken against the relevant member of
staff.

GDPR: Freedom of Information Requests

All About You Care Services is a private organisation holding contracts with the public
sector. The Freedom of Information Act 2000 stipulates that private organisations holding
contracts with public organisations must release information relating to those contracts.

Who can make a Freedom of Information request?
Everybody has the right to access official information. In compliance with the Freedom of
Information Act, it is the default position of All About You Care Services Limited to disclose
information relating to public contracts it holds.

The company will treat all requests equally; it is not necessary to verify your identification.
You can ask about anything relating to the contracts we operate on behalf of publicly
funded bodies. We currently hold contracts with the NHS and local authority Social
Services departments.

What information will you disclose?
We aim to be as transparent as possible; we will provide as much information as necessary
to fulfil your request. However, under the Freedom of Information Act we can withhold
certain information, for instance if it is commercially sensitive, an unwarranted invasion of
privacy, confidential or not in the public interest. We can also refuse to release information
that is intended for publication at a subsequent date.

How long will my request take?
If you request information that we consider exempt under the Act, we will explain why we
consider exemptions apply. We will respond to requests within 20 working days.


Is there a charge?
Requests are normally free. However, if you request large amounts of information that
require excessive printing, photocopying or formatting, then we are permitted to charge a
small amount to cover these costs. We will let you know if a charge will be made.

Responsibility
Simon Lee, our Data Protection Officer, is responsible for the handling of Freedom of
Information (FOI) requests.
The duties of the Data Protection Officer include but are not limited to:
• Log the receipt and fulfilment of all requests received from the person making the
request.
• Acknowledge the FOI request.
• Where applicable, decide if a request is excessive, unfounded or repetitive and
communicate this to the requestor.

FOI requests must be made in writing to:
The Data Protection Officer
All About You Care Services
12 Sovereign Court
Wyrefields
Poulton Le Fylde
Lancashire FY6 8JX

Data Breach Policy

This is the Data Breach Policy of All About You Care Services Limited.

Background

The General Data Protection Regulation (GDPR) is based around six principles of handling
of personal data. We must comply with all six principles as a business; otherwise we’ll be in
breach of the GDPR. We understand that the principles give people specific rights in
relation to their personal information and place certain obligations on those organisations
that are responsible for processing it.

Aim

The GDPR requires that we must take appropriate measures against unauthorised or
unlawful processing and against accidental loss, destruction of or damage to personal data.
This policy sets out how we deal with a data security breach.

What is a personal data breach?

The Information Commissioner’s Office states that a personal data breach can be broadly
defined as a security incident that has affected the confidentiality, integrity or availability of
personal data. In short, there will be a personal data breach whenever any personal data is
lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on
without proper authorisation; or if the data is made unavailable and this unavailability has a
significant negative effect on individuals.

Action to be taken in the event of a data breach

1. Containment and recovery
The immediate priorities are to:

• Contain the breach;
• Assess the potential adverse consequences for individuals, based on how
serious or substantial these are, and how likely they are to happen; and
• Limit the scope.

In the event of a security incident or breach, staff must immediately inform Simon Lee,
our Data Protection Officer.

The Data Protection Officer will take the lead on investigating the breach. Where
the Data Protection Officer is absent for whatever reason, John Lee, our Information
Governance Lead, will take the lead in investigating the breach.

Steps to take where personal data has been sent to someone not authorised to see it:
• Inform the recipient not to pass it on or discuss it with anyone else;
• Inform the recipient to destroy or delete the personal data they have
received and get them to confirm in writing that they have done so;
• Explain to the recipient the implications if they further disclose the data; and
• Where relevant, inform the data subjects whose personal data is involved
what has happened so that they can take any necessary action to protect
themselves.


2. Assessing the risk

Perhaps most important is an assessment of potential adverse consequences for
individuals, how serious or substantial these are and how likely they are to happen.
Examples of the type of questions to consider:

• What type of data is involved?
• How sensitive is it?
• If data has been lost or stolen, are there any protections in place such as
encryption?
• What has happened to the data? If stolen, could it be used for purposes which are
harmful to the individuals to whom the data relate? If it has been damaged, this
poses a different type and level of risk.
• Estimate how many individuals’ personal data are affected by the breach.
• Who are the individuals whose data has been breached? Whether they are staff,
customers, clients or suppliers, for example, will to some extent determine the level
of risk posed by the breach and, therefore, your actions in attempting to mitigate
those risks.
• What harm can come to those individuals? Are there risks to physical safety or
reputation, of financial loss, or a combination of these and other aspects of their life?
• Are there wider consequences to consider, such as a risk to public health or loss of
public confidence in an important service you provide?
• Establish whether there is anything you can do to recover any losses and limit the
damage the breach can cause.

3. Notifying the ICO and individuals, where relevant
a) Who is responsible?

In our business, John Lee / IGL is the point of contact for staff and the ICO on this policy
and on all matters relating to data protection.
John Lee / IGL is also responsible for notifying the ICO and individuals (where applicable)
of relevant personal data breaches.

b) What breaches do we need to notify the ICO about?

When a personal data breach has occurred, we need to establish the likelihood and
severity of the resulting risk to people’s rights and freedoms. If it’s likely that there will be a
risk then we must notify the ICO; if it’s unlikely then we don’t have to report it.
If we decide we don’t need to report the breach, we need to be able to justify this decision,
and we will document it.


c) When to notify the ICO and dealing with delays

Notifiable breaches must be reported to the ICO without undue delay, but not later than 72
hours after becoming aware of it.

If we don’t comply with this requirement, we must be able to give reasons for the delay.
In some instances it will not always be possible to investigate a breach fully within 72 hours
to understand exactly what has happened and what needs to be done to mitigate it. Where
that applies, we should provide the required information in phases, as long as this is done
without undue further delay.

d) Breach information to the ICO

When reporting a breach, we will provide the following information:
• a description of the nature of the personal data breach including, where possible:
o the categories and approximate number of individuals concerned;
o and the categories and approximate number of personal data records
concerned;
• our contact person John Lee / IGL
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the
personal data breach, including, where appropriate, the measures taken to mitigate
any possible adverse effects.

e) Individuals

Where notification to individuals may also be required, Simon Lee / DPO will assess the
severity of the potential impact on individuals as a result of a breach and the likelihood of
this occurring. Where there is a high risk, we will inform those affected as soon as possible,
especially if there is a need to mitigate an immediate risk of damage to them.

g) Information to individuals

John Lee / IGL and Simon Lee / DPO will jointly consider who to notify, what we are going
to tell them and how we are going to communicate the message. This will depend to a large
extent on the nature of the breach but will include the name and contact details of our data
protection officer (where relevant) or other contact point where more information can be
obtained; a description of the likely consequences of the personal data breach; and a
description of the measures taken, or proposed to be taken, to deal with the personal data
breach and including, where appropriate, of the measures taken to mitigate any possible
adverse effects.

The breach need not be reported to individuals if:
• We have implemented appropriate technical and organisational protection
measures, and those measures were applied to the personal data affected
by the personal data breach;
• We have taken subsequent measures which ensure that the high risk to the
rights and freedoms of data subjects is no longer likely to materialise;
• It would involve disproportionate effort (in this case a public communication
may be more appropriate).


In the case of a breach affecting individuals in different EU countries, we are aware that the
ICO may not be the lead supervisory authority. Where this applies, [INSERT NAME/DPO]
should establish which European data protection agency would be the lead supervisory
authority for the processing activities that have been subject to the breach.

h) Third parties
In certain instances, Simon Lee / DPO may need to consider notifying third parties such as
the families and advocates of service users, police, insurers, professional bodies, bank or
credit card companies who can assist in reducing the risk of financial loss to individuals.

i) Document all decisions
Simon Lee / DPO must document all decisions that we take in relation to security incidents
and data breaches, regardless of whether or not they need to be reported to the ICO.

4. Evaluate our response and mitigation steps
We investigate the cause of any breach, decide on remedial action and consider how we
can mitigate it. As part of that process we also evaluate the effectiveness of our response to
incidents or breaches. To assist in this evaluation, we consider:

• What personal data is held, where and how it is stored
• Risks that arise when sharing with or disclosing to others; this includes checking the
method of transmission to make sure it is secure and that we only share or disclose
the minimum amount of data necessary
• Weak points in our existing security measures, such as the use of portable storage
devices or access to public networks
• Whether or not the breach was a result of human error or a systemic issue, and how
a recurrence can be prevented, whether through better processes, further training or
other corrective steps
• Staff awareness of security issues, and filling any gaps through training or advice
• The need for a Business Continuity Plan for dealing with serious incidents
• The group of people responsible for reacting to reported breaches of security

5. Review
This document is dated 7/1/2020 and will be reviewed by us every 12 months.

Data Privacy Notice for Job Applicants

1. Why have you been given this privacy notice?

All About You Care Services Limited is a “data controller”. This means we are required
under data protection legislation to notify you of how we will collect, process and store your
personal data during the application and recruitment process. We will also explain what
rights you have in relation to how we process your personal data.

2. What are our obligations to you in relation to how we process your personal
data?

We are required by law to ensure that when processing any of your personal data that it is:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used in

any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept in a form which permits you to be identified for only as long as necessary for the

purposes we have told you about.
• Kept securely.

3. What personal data will we collect, use and store about you?

In order to process your job application, we will collect the following information about you:
• your name, address and contact details, including email address and telephone
number
• details of your qualifications, skills, experience and employment history
• information about your current level of remuneration, including benefit entitlements
• information about your entitlement to work in the UK
• the results of any assessment interview, psychometric test or technical assessment
• pre-employment screening information, including Disclosure and Barring Service
(DBS) checks

We may also collect, store and use the following “special categories” of more sensitive
personal information:
• Equal opportunities monitoring information.
• Whether or not you have a disability for which the organisation needs to make
reasonable adjustments during the recruitment process.

4. How do we collect your personal data?
We will collect this information from a range of sources, which will include your application
form, CV, your passport or other identity documents, or information provided directly by you
through interviews or other forms of assessment [list other ways in which you will gather
personal data].

The organisation will also collect personal data about you from third parties, such as
references supplied by former employers, information from employment background check
providers and employment agencies, and information from criminal records checks. The
organisation will seek information from third parties only once a job offer to you has been
made and will inform you that it is doing so.

Unsolicited CVs

If we receive an unsolicited CV at a time when we are not recruiting, we will delete the CV
and inform you of this. If we want to hold this unsolicited personal data on file for future
recruitment rounds, we will inform you of this in a privacy notice, along with the other
required information.

5. How will we use your personal data?

Throughout the recruitment process we will need to process your personal data under one or
more of the following lawful bases:
a) Where we need to process your personal data to take specific steps at your request
before entering into a contract with you, or where we need to process data to enter into a
contract with you. This may include making reasonable adjustments to the recruitment
process to accommodate disabilities as and when requested.
b) Where we need to process your personal data to comply with a legal obligation; for
example, if your application is successful, we will check your right to work in the UK
before a job offer is made.
c) Where it is necessary for our legitimate interests. Our legitimate reason for processing
your personal data is to enable us to gather data so that we can assess which
candidate’s skills and experience best match our job role requirements and who is
therefore suitable for employment. We also need to process job application information
in order to respond to and defend against legal complaints. [You must identify and list
any other legitimate interests that you or any third party may have] We will process your
personal data for these legitimate reasons provided that your interests and fundamental
rights do not override those interests.
d) Where we need to protect your interests (or someone else’s interests).
e) Where it is needed in the public interest [or for official purposes].

6. When will we use your personal data?

During the application and recruitment process we will use your personal information for
specific purposes. The list below describes the purposes of our processing:
• Assessing your suitability to perform the role
• Interviewing you
• Checking your right to work in the UK
• Carrying out equal opportunities monitoring in relation to special categories of data,
which may relate to ethnic origin, sexual orientation, health, or religion or belief
• For some roles, seeking information about criminal convictions and offences, where
the business is obliged to do so

The organisation will not use your data for any purpose other than recruitment purposes.
Where your application or interview is unsuccessful, and we wish to keep your application
on file in case there are future employment opportunities for which you may be suited we
will ask for your written consent to keep your personal data on file. You are not obliged to
provide consent but if consent is provided you are free to withdraw your consent at any
time.

7. What happens if you do not provide us with information?

We will only ask you to provide information which we believe is necessary for the
application and recruitment process. You are under no statutory or contractual obligation to
provide data during the recruitment process. However, if you do not provide sufficient
information, we may not be able to process your application properly or at all. We may also
not be able to meet our legal obligations towards you with regard to reasonable
adjustments.

8. What happens if we need to use your personal data for a new purpose?

We have indicated above a list of circumstances in which we will use your data. We will
usually only use your personal data as indicated. However, if we consider that it is
necessary and reasonable to use your personal data for an unrelated purpose, we will
notify you and explain the legal basis which allows us to do so.

9. How do we use your special categories information?

Any personal data which reveals your ethnic origin, political opinions, religious and
philosophical beliefs, trade union membership, genetic, biometric or health data, sex life
or sexual orientation will be regarded as special categories of personal data. We will only
use this data in the following ways:

• In order to comply with employment and other laws to ensure that the recruitment
process is conducted in a fair and inclusive manner.

• To ensure we meet our health and safety and equality obligations towards you we will
use information about your physical or mental health or disability status to make
appropriate reasonable adjustments to the recruitment process.

• Where it is needed in the public interest, for example for equal opportunity monitoring
and reporting.

There may be circumstances where we need to process this type of information for legal
claims or to protect your interests (or someone else’s) where you are not capable of
giving your consent, or where the relevant information has already been made public.

10. Do we need your consent to use special categories data?

If we are using your sensitive personal data in accordance with the lawful purposes set out
in this privacy notice, we do not need your written consent to use that data.

However, in limited circumstances, we may request your written consent to allow us to
process your sensitive personal data. If it becomes necessary to request your consent to
process your sensitive personal data, we will provide you with details of the information that
we require and why we need it, so that you can decide whether you wish to provide your
consent. It is not a condition of applying for the role with us that you must agree to any
request for consent. Giving consent will always be a decision made of your own free will.

11. Criminal convictions

Given the nature of the role and duties you will perform, we will request and hold
information about criminal convictions. We will only request this information if you are
successful in your application and where we are legally entitled to do so.

Where applicable, we will use information about criminal convictions and offences in the
following ways:

• To make a judgement on your suitability to work with vulnerable people.
• To make a judgement on your suitability to handle cash and to assist vulnerable people
with their finances.

We have in place policy and safeguards which we are required by law to maintain when
processing this data. A copy of the policy can be obtained from your interviewer.

12. Automated decision making

During the application and recruitment process we will not rely on any automated decision
making.

13. Will we share your personal data with third parties?

We will not share your data with third parties, unless your application for employment is
successful and you accept our offer of employment.
14. Which third party service providers will we share your personal data with?

If that occurs, we will then share your data with:

• Former employers to obtain references for you
• Employment background check providers to obtain necessary background checks
• The Disclosure and Barring Service to obtain necessary criminal records checks
• Training organisation to verify validity of training certificates / qualifications

15. Third party service providers and data security

Third party service providers are only permitted to process your personal data in
accordance with our specified instructions. They are also required to take appropriate
measures to protect your privacy and personal information. We do not allow your
information to be used by third parties for their own purposes and business activities.

16. Will we share your personal data with other entities within our business group?

Your information will be shared internally for the purposes of the recruitment exercise. This
includes:
• Members of the HR and recruitment team
• Interviewers involved in the recruitment process
• Managers in the business area with a vacancy
• IT staff

17. Will we transfer your personal data outside of the European Economic Area?

The organisation will not transfer your data outside the European Economic Area.

18. How do we ensure your personal data is secure?

We take your privacy and protection of data very seriously. Consequently, we have put in
place appropriate security measures to prevent unauthorised use of your personal data.
Details of the measures which are in place can be obtained from Simon Lee / Data
Protection Officer. We will notify you and any applicable regulator of any suspected
unauthorised use of your personal data.

19. How long will we keep your personal data?

We will retain your personal data for as long as is necessary to fulfil the purposes for which
it was collected.

If your application for employment is unsuccessful, we will hold your data on file for 6
months after the end of the relevant recruitment process. At the end of that period or once
you withdraw your consent your data will be deleted or destroyed.

If your application for employment is successful, personal data gathered during the
recruitment process will be transferred to your personnel file and retained during your
employment. The periods for which your data will be held will be available in our data
retention policy.

20. How will we store your data?

Your data will be stored in a number of different places, including on your application
record, in HR management systems and on other IT systems (including email).

21. Your duty to inform us of any changes

In order that we can ensure that the personal data we hold in relation to you is accurate, it
is important that you keep us informed of any changes to that data.

22. What rights do you have in respect of how we use your personal data?

Subject to legal limitations you have the right to:

• Request access to your data: You can ask us to provide a copy of the personal data
we hold about you.

• Request corrections to be made to your data: If you think that your personal data is
incomplete or inaccurate you can ask us to correct it.

• Request erasure of your data: If you consider there is no lawful basis for us to
continue processing your data you can ask for that data to be deleted or removed.

• Object to the processing of your data: If our lawful basis for processing your data
relates to a legitimate business interest (or third party interest) you can raise an
objection to that interest. You can also object to us using your information for direct
marketing purposes.

• Request that processing restrictions be put in place: If you believe that your
information is being processed without a lawful reason or that the information is
incorrect you can request that a freeze/restriction is placed on the processing of the
information until your concerns are addressed.

• Request a transfer of your personal data: You can ask us to transfer your personal
data to a third party.

If you wish to exercise any of the above rights, please contact Simon Lee / DPO.

23. Will I have to pay a fee?

You will not be expected to pay a fee to obtain your personal data unless we consider that
your request for access to data is unfounded or excessive. In these circumstances we may
charge you a reasonable fee or refuse to comply with your request. We may also charge a
reasonable fee where we have supplied a copy of your personal data and you then request
another copy of the same information.

24. Before we comply with your request

Whenever you make a request for access to personal data, to ensure that we are releasing
personal data to the correct person we may ask questions to confirm your identity.

25. Right to withdraw your consent

If we have asked for your written consent to obtain information, you have the right to
withdraw your consent at any time. To withdraw your consent please contact Data
Protection Officer (Simon Lee). Once we receive your notice of withdrawal, we will cease
processing your data unless we have any other lawful basis on which to continue
processing that data.

26. Who is responsible for ensuring that rights and obligations under this privacy
notice are met?

We have appointed a data protection officer to ensure that your personal information is
handled in accordance with this privacy notice, the data protection laws and any changes
that might be made to those laws. If you have any concerns or complaint relating to how we
process your personal data you are entitled to contact the Information Commissioner’s
Office. This office oversees all UK data protection issues.

27. Important information about this privacy notice

This notice does not form part of any contract of employment or any other contract to
provide services. We reserve the right to amend or update this privacy notice at any time.
We will provide you with a new notice when we make any updates.

28. How to make a complaint

To exercise any of your rights, or to raise a query or complaint, please in the first instance
contact our Data Protection Officer on 01253 899982. If this does not resolve your complaint
to your satisfaction, you have the right to lodge a complaint with the Information
Commissioner's Office, quoting our ICO registration number: Z1143150. ICO contact details:
Tel. 0303 123 1113, via email at https://ico.org.uk/global/contact-us/email/, or by post at the
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire,
SK9 5AF, England.

I acknowledge that on [ / / ](date), I received a copy of All About You Care
Services Privacy Notice for job applicants and that I have read and understood it.
Printed Name of job applicant
………………………………………………
Signature
………………………………………………

Privacy Notice for Employees

1. Why have you been given this privacy notice?

All About You Care Services Ltd. is a “data controller”. This means that we are required
under data protection legislation to notify you of how we will process your personal data
both during the employment relationship and post termination. This notice will explain how
we collect your personal data, its use, storage, transfer and security. We will also explain
what rights you have in relation to how we process your personal data. It is important that
you read this notice, together with any other privacy notice we may provide during your
employment, so that you are aware of how and why we are processing your personal data.
This notice does not form part of any contract of employment or other contract to provide
services. We may update this notice at any time.

2. What are our obligations to you in relation to how we process your personal
data?

We are required by law to ensure that when processing any of your personal data that it is:

• Used lawfully, fairly and in a transparent way.
• Collected only for valid purposes that we have clearly explained to you and not used
in any way that is incompatible with those purposes.
• Relevant to the purposes we have told you about and limited only to those purposes.
• Accurate and kept up to date.
• Kept in a form which permits you to be identified for only as long as necessary for
the purposes we have told you about.
• Kept securely.

3. What personal data will we collect, use and store about you?

• Your name, salutation, addresses, contact numbers, and personal email addresses.
• Date of birth.
• Gender.
• Next of kin and emergency contact information.
• National Insurance number.
• Bank account details, payroll records and tax status information.
• Salary, annual leave, pension and benefits information.
• Start date.
• Location of employment or workplace.
• Copy of driving licence.
• Recruitment information (including copies of right to work documentation, references
and other information included in a CV or cover letter or as part of the application
process).
• Employment records (including job titles, work history, working hours, training
records and professional memberships).
• Compensation history.
• Performance information.
• Disciplinary and grievance information.
• CCTV footage and other information obtained through electronic means such as
swipe card records.
• Information about your use of our information and communications systems.
• Photographs.

We may also collect, store and use the following “special categories” of more
sensitive personal information:

• Information about your race or ethnicity, religious beliefs, sexual orientation and
political opinions.
• Trade union membership.
• Information about your health, including any medical condition, health and sickness
records.
• Information about criminal convictions and offences.

4. How do we collect your personal data?

We collect your personal data by a variety of means. At the recruitment stage we will already
have collected data through the application process, directly from you or from a background
check provider. We may sometimes collect additional information from third parties, including
former employers and individuals providing character references, where applicable.

Whilst you are working with us periodically we may need to collect additional personal
information from you not identified on the above list but before doing so we will provide you
with a written notice setting out details of the purpose and the lawful basis of why we are
collecting that data, its use, storage and your rights.

5. How will we use your personal data?
For the most part we will use your personal data under one of the following lawful bases:

a) Where we need to perform the contract we have entered into with you.
b) Where we need to comply with a legal obligation.
c) Where it is necessary for our legitimate interests (or those of a third party) and your
interests and fundamental rights do not override those interests.

There are other rare occasions where we may use your personal data, which are:

d) Where we need to protect your interests (or someone else’s interests).
e) Where it is needed in the public interest, or for official purposes.

6. When will we use your personal data?
During your employment and for a short period after the relationship has ended, we will use
your personal information for specific purposes.

The list below describes the purposes of our processing. The personal data involved is as
set out in clause 3 above and the lawful bases are as set out in clause 5 above:

• Determining the terms on which you work for us.
• Checking your right to work in the UK.
• Making payments to you, including any necessary tax and NI deductions.
• Providing benefits to you, including accrued holiday pay.
• Liaising with your pension provider and making payments.
• Administration related to your contract of employment.
• Business management and work force planning, including accounting and auditing.
• Conducting and managing reviews of performance and determining performance
requirements.
• Making decisions regarding remuneration, bonus, commission and compensation.
• Making decisions regarding promotions, including assessing qualifications for a
particular role.
• Gathering evidence for a possible disciplinary, or gathering evidence in respect of an
informal complaint or grievance.
• Making decisions about your continued employment or engagement.
• Making arrangements for the termination of our working relationship.
• Education, training and development requirements.
• Dealing with legal disputes involving you or other employees, workers and
contractors, including accidents at work.
• Managing sickness absence and ascertaining your fitness to work.
• Complying with health and safety obligations, including completion of the accident
book and RIDDOR reporting.
• Prevention of fraud through CCTV monitoring.
• Monitoring use of our information and communication systems to ensure compliance
with our internal procedures and to prevent security lapses and breaches of data
protection laws.
• Preventing the distribution of malicious software.
• Gathering data analytics to assess retention and attrition rates.
• Equal opportunities monitoring.

It’s possible that some of the grounds for processing will overlap.

7. Your failure to provide information

We will only ask you to provide information which we believe is necessary for the
performance of the contractual employment relationship (for example bank account details
to pay you) or our associated legal obligations (for example giving salary information to
HMRC). If you fail to provide certain information when requested, we may not be able to
meet our contractual obligations to you or we may not be able to fulfil our legal obligations.

8. What happens if we need to use your personal data for a new purpose?

We will only use your personal data for the stated purposes, unless we consider that there
is a need to use it for another reason and that reason is compatible with the original
purpose. However, if we consider that it is necessary and reasonable to use your personal
data for an unrelated purpose, we will notify you and explain the legal basis which allows us
to do so.

There may be circumstances where we have to process your personal data without your
knowledge or consent, where this is required by law and in compliance with the above
rules.

9. How do we use your sensitive personal data?

Any personal data which reveals your ethnic origin, political opinions, religious and
philosophical beliefs, trade union membership, genetic, biometric or health data, sex life
or sexual orientation will be regarded as special categories of personal data. We will only
use this data in the following ways:

• In order to comply with employment and other laws when processing and managing
situations connected with absences arising in relation to your sickness or family/
dependant related leave.

• To ensure we meet our health and safety obligations towards you and other
employment related obligations we will use information about your physical or mental
health or disability status to assess your capability to perform your role, monitor and
manage your sickness absence, provide appropriate workplace adjustments and
administer health related benefits.

• Where it is needed in the public interest, for example for equal opportunity
monitoring and reporting.

There may be circumstances where we need to process this type of information for legal
claims or to protect your interests (or someone else’s) where you are not capable of
giving your consent, or where the relevant information has already been made public.

10. Do we need your consent to use sensitive personal data?

If we are using your personal sensitive data in accordance with our written policy to perform
our legal obligations or exercise specific rights connected to your employment, in these
circumstances we do not need your written consent to use sensitive personal data.

However, in limited circumstances, we may request your written consent to allow us to
process your sensitive personal data. For example, your written consent will be required
before we instruct a medical practitioner to prepare a medical report. If it becomes
necessary to request your consent to process your sensitive personal data, we will provide
you with details of the information that we require and why we need it, so that you can
decide whether you wish to provide your consent. It is not a condition of your contract of
employment with us that you must agree to any request for consent. Giving consent will
always be a decision made of your own free will.

11. Criminal convictions

We envisage that we will hold information about criminal convictions.

We will only collect information about criminal convictions if it is appropriate given the
nature of the role and duties you will perform and where we are legally entitled to do so.

We will use information about criminal convictions and offences in the following ways:

To decide in our opinion if you are of good character and a fit and proper person to work
with elderly and vulnerable people.

We are allowed to use your personal information in this way to carry out our obligations
under the Health and Social Care Act 2008 and the Safeguarding Vulnerable Groups Act
2006 (SVGA).

12. Automated decision making
We do not envisage that any decisions will be taken about you using automated means,
however we will notify you in writing if this position changes.

13. Will we share your personal data with third parties?

In order to meet our legal obligations connected with your employment relationship it is
necessary to share your personal information with certain third parties (see below). We also
need to share your data when we have legitimate business reasons for doing so and also
where it is necessary in order to perform your contract.

14. Which third party service providers will we share your personal data with?

The following third-party service providers process personal information about you for the
following purposes:

• HMRC: payroll and tax purposes
• ESSE bookkeeping: payroll processing
• NEST: your pension provider

We may share your personal information with other third parties, for example in the context
of the possible sale or restructuring of the business. We may also need to share your
personal information with a regulator or to otherwise comply with the law.

15. Third party service providers and data security

Third party service providers are only permitted to process your personal data in
accordance with our specified instructions. They are also required to take appropriate
measures to protect your privacy and personal information. We do not allow your
information to be used by the third parties for its own purposes and business activities.

16. Will we share your personal data with other entities within our business group?

As a consequence of the need to report on business performance, accounting, internal
business transformations and IT activity [describe other activities], your personal data will be
shared with other entities within the business group.

17. Will we transfer your personal data outside of the European Economic Area
(EEA)?

We do not transfer personal data outside the EEA.

18. How do we ensure your personal data is secure?

We take your privacy and protection of data very seriously. Consequently, we have put in
place appropriate security measures to prevent unauthorised use of your personal data.
Details of the measures which are in place can be obtained from John Lee. We will notify
you and any applicable regulator of any suspected unauthorised use of your personal data.

19. How long will we keep your personal data?

We will retain your personal data for as long as is necessary to fulfil the purposes for which
it was collected. Details of retention periods for specific purposes are available in our
data retention policy which is available from John Lee. When your employment relationship
comes to an end with our business we will either retain or securely destroy your personal
data in accordance with our data retention policy or other applicable laws and regulations.

20. Your duty to inform us of any changes

In order that we can ensure that the personal data we hold in relation to you is accurate, it
is important that you keep us informed of any changes to that data.

21. What rights do you have in respect of how we use your personal data?

Subject to legal limitations you have the right to:

• Request access to your data: You can ask us to provide a copy of the personal
data we hold about you.

• Request corrections to be made to your data: If you think that your personal data
is incomplete, inaccurate you can ask us to correct it.

• Request erasure of your data: If you consider there is no lawful basis for us to
continue processing your data you can ask for that data to be deleted or removed.

• Object to the processing of your data: If our lawful basis for processing your data
relates to a legitimate business interest (or third party interest) you can raise an
objection to that interest. You can also object to us using your information for direct
marketing purposes.

• Request that processing restrictions be put in place: If you believe that your
information is being processed without a lawful reason or that the information is
incorrect, you can request that a freeze/restriction is placed on the processing of the
information until your concerns are addressed.

• Request a transfer of your personal data: You can ask us to transfer your
personal data to a third party.

If you wish to exercise any of the above rights, please contact Simon Lee / DPO.

22. Will I have to pay a fee?

You will not be expected to pay a fee to obtain your personal data unless we consider that
your request for access to data is unfounded or excessive. In these circumstances we may
charge you a reasonable fee or refuse to comply with your request.

23. Confirmation of identity

Whenever you make a request for access to personal data, we may request specific
information to confirm your identity. This is usually done to ensure that we are releasing
personal data to the correct person.

24. Right to withdraw your consent

If we have asked for your written consent to obtain information, you have the right to
withdraw your consent at any time. To withdraw your consent please contact our Data
Protection Officer on 01253 899982. Once we receive your notice of withdrawal, we will
cease processing your data unless we have any other lawful basis on which to continue
processing that data.

25. Important information about this privacy notice

We reserve the right to amend or update this privacy notice at any time. We will provide you
with a new notice when we make any updates.

26. How to make a complaint

To exercise all relevant rights, or to raise queries or complaints, please in the first instance
contact our Data Protection Officer on 01253 899982. If this does not resolve your complaint
to your satisfaction, you have the right to lodge a complaint with the Information
Commissioner's Office on 03031231113, via email at https://ico.org.uk/global/contact-us/email/,
or at the Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire,
SK9 5AF, England. If you have cause to contact the Information Commissioner’s office with a
concern regarding All About You Care Services, you should quote our Data Protection
Registration number: Z1143150.

Privacy Notice for Service Users

Introduction
We are All About You Care Services Limited. In order that we can provide care and support
services to the people we support we collect and use certain personal information about
you.

Personal information means any information about you from which you can be identified,
but it does not include information where your identity has been removed (anonymous
data).

As the ‘controller’ of personal information, we are responsible for how that data is managed.
The General Data Protection Regulation (“GDPR”), which applies in the United Kingdom
and across the European Union, sets out our obligations to you and your rights in respect of
how we manage your personal information.

As the ‘controller’ of your personal information, we will ensure that the personal information
we hold about you is:

• used lawfully, fairly and in a transparent way.

• collected only for valid purposes that we have clearly explained to you and not used
in any way that is incompatible with those purposes.

• relevant to the purposes we have told you about and limited only to those purposes.

• accurate and kept up to date.

• kept only as long as necessary for the purposes we have told you about.

• kept securely.

If you have any questions about this privacy notice or would like further explanation as to
how your personal information is managed, please send an email to [email protected],
telephone 01253 899982, or write to:

The Data Protection Officer
All About You Care Services Limited
12, Sovereign Court,
Wyrefields,
Poulton Le Fylde.
Lancashire FY6 8JX

Please note when we refer to:

• A “public body” we mean any organisation in the United Kingdom which delivers,
commissions or reviews a public service and includes (but is not limited to) the
Ombudsman, local authorities, councils, unitary authorities, clinical commissioning
groups, health and social care trusts, the National Health Service as well as their
arm’s length bodies and regulators.

• A “social or health care professional” we mean any person who provides direct
services, acts as consultant or is involved in the commission of your healthcare or
social care services, including (but not limited to) your General Practitioner (GP),
dental staff, pharmacists, nurses and health visitors, clinical psychologists, dieticians,
physiotherapists, occupational therapists, hospital staff, social workers and other
care and support related professionals.

The personal information we collect and use in relation to people who enquire about
and use our services

Information collected by us

When you enquire about our care and support services, and during the course of providing
care and support services, we collect and store the following personal information when you
provide it to us:

• your name, home address, date of birth and contact details (including your telephone
number and email address) and emergency contacts (i.e. name, relationship and home
and mobile numbers)

• your allergies and any medical, physical or mental conditions and in particular your
care needs

• your likes, dislikes and lifestyle preferences (including your religious beliefs or other
beliefs of a similar nature, racial or ethnic origin, your health and your background
history, so far as they relate to providing you with suitable care)

• credit or direct debit details (if you pay for some or all of our services using one of
these methods)

• if we are commissioned to administer your medication, details of your medication

• details of your social or health care professionals

• key safe numbers to gain access to keys for your home

• risk assessments of your home environment

• anonymised annual satisfaction survey information, used to improve our service to
you and other service users.

Information collected from other sources

We also obtain personal information from other sources such as:

• your allergies and any medical, physical or mental conditions and in particular your care
and support needs, from any appropriate external social or health care professionals
(including your GP)

• your name, home address, date of birth, contact details, needs assessments and financial
assessments from any appropriate external social or health care professionals (including
any relevant public body regardless of whether you are publicly funded)

• your likes, dislikes and lifestyle preferences (including your religious beliefs or other
beliefs of a similar nature, racial or ethnic origin so far as they relate to providing you with
suitable care) from your family, friends and any other person you have nominated as your
representative, your Attorney or Deputy (if applicable)

• if we are commissioned to administer your medication, details of your medication

• key safe numbers to gain access to keys for your home

How we use your personal information

We use your personal information to:
• prepare, review and update a suitable care plan, describing the nature and level of
care and support services which you have requested we supply to you

• communicate with you, your representatives and any appropriate external social
or health care professionals about your individual needs and personalise the service
delivered to you

• make reasonable adjustments, when required, to meet your individual needs and to
ensure we have suitable facilities to ensure your safety

• invoice you for the care and support services in accordance with our terms and
conditions

• carry out quality assurance procedures, review our service and improve our
customer experience

Who we share your personal information with

We regularly share your medical information with appropriate external social or health care
professionals (including your GP and pharmacist) and any individuals you have nominated
as your representative. This data sharing enables us to establish the type of care and
support you need. It also allows us to design the right care package to suit your individual
circumstances, including if (in future) you decide to receive care from an alternative
provider.

We will share personal information with law enforcement or other authorities if required by
law. This includes information required by public bodies to evidence our compliance with
the applicable regulatory framework. We are also required to share personal information
with external social or health care professionals, including public bodies and local
safeguarding groups (in some circumstances) to ensure your safety.

We do not share, sell or trade your personal information with any other third party.

National Data Opt-Out Policy

The national data opt-out was introduced on 25 May 2018, enabling NHS patients to opt out
from the use of their data for research or planning purposes. In March 2020 care
organisations are required to be compliant with the national data opt-out policy.

We do not currently have any data uses which require the application of national data
opt-outs; therefore we declare ‘compliance’ with the national data opt-out policy. We will
continue to review and identify whether opt-outs need to be applied. We confirm that the
company will implement the technical capabilities should the need be identified, or put in
place those technical capabilities if required.

Whether information has to be provided by you, and if so why

The provision of details of your medical, physical or mental condition is necessary to enable
us to create a care plan and to provide you with suitable care and support services. Without
this information, we will not be able to assess your care needs or provide any care services
to you.

The provision of your name and home address is required so that we can arrange a care
worker to attend your home to deliver the services and so that we can invoice you for the
fees.

We will inform you at the point of collecting information from you, whether you are required
to provide the information to us.

How long your personal information will be kept

We will hold the personal information kept within your client file for eight years after the last
date of entry, or three years from cessation of your service as required by law.

We will hold the personal information kept within our feedback procedure for three years so
that we can identify trends and patterns in our service.

The personal information we hold

Reasons we can collect and use your personal information

We rely on the following grounds within the GDPR:

• Article 6(1)(b) – processing is necessary for the performance of our contracts to
provide individuals with care and support services

• Article 6(1)(c) – processing is necessary for us to demonstrate compliance with our
regulatory framework and the law

• Article 9(2)(h) – processing is necessary for the provision of social care or the
management of social care systems and services

as the lawful basis on which we collect and use your personal data and special category
data (such as your health).

Your rights

Under the GDPR you have a number of important rights free of charge. In summary, those
include rights to:

• fair processing of information and transparency over how we use your personal
information;

• access to your personal information and to ascertain other supplementary
information that this Privacy Notice is already designed to address;

• require us to correct any mistakes in your information which we hold;

• require the erasure (i.e. deletion) of personal information concerning you, in certain
situations. Please note that if you ask us to delete any of your personal
information which we believe is necessary for us to comply with our
contractual or legal obligations, we may no longer be able to provide care and
support services to you;

• receive the personal information concerning you which you have provided to us, in a
structured, commonly used and machine-readable format and have the right to
transmit those data to a third party in certain situations;

• object at any time to processing of personal information concerning you for direct
marketing;

• object to decisions being taken by automated means which produce legal effects
concerning you or similarly significantly affect you;

• object in certain other situations to our continued processing of your personal
information;

• otherwise restrict our processing of your personal information in certain
circumstances;

• claim compensation for damages caused by our breach of any data protection laws.

For further information on each of those rights, including the circumstances in which they
apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on
individuals’ rights under the General Data Protection Regulation.

How to contact us

If you would like to exercise any of those rights, please email, telephone or write to:

The Data Protection Officer
All About You Care Services Limited
12 Sovereign Court
Wyrefields
Poulton Le Fylde
FY6 8JX

Telephone no. 01253 899982

Email: [email protected]

Let us have enough information to identify you (e.g. your name and address), let us have
proof of your identity and address (a copy of your driving licence or passport and a recent
utility or credit card bill), and let us know the information to which your request relates,
including any account or reference numbers, if you have them.

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being
accidentally lost or used or accessed in an unauthorised way. We limit access to your
personal information to those who have a genuine business need to know it. Those
processing your information will do so only in an authorised manner and are subject to a
duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will
notify you and any applicable regulator of a suspected data security breach where we are
legally required to do so.

If you want detailed information from Get Safe Online on how to protect your information
and your computers and devices against fraud, identity theft, viruses and many other online
problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM
Government and leading businesses.

How to complain

We hope that we can resolve any query or concern you raise about our use of your
information.

The GDPR also gives you the right to lodge a complaint with a supervisory authority, in
particular in the European Union (or European Economic Area) state where you work,
normally live or where any alleged infringement of data protection laws occurred. The
supervisory authority in the UK is the Information Commissioner who may be contacted at
https://ico.org.uk/concerns/ or telephone: 0303 123 1113. If you have cause to contact the
Information Commissioner’s office with a concern regarding All About You Care Services,
you should quote our Data Protection Registration number: Z1143150.

Changes to this privacy notice

This privacy notice was published on 3rd May 2018. We may change this privacy notice
from time to time; when we do, we will inform you by letter or in person.

Do you need extra help?

If you would like this notice in another format (for example: audio, large print, braille) please
contact us (see ‘How to contact us’ above).

Data Retention Policy & Retention Schedule

This is the Data Retention Policy of All About You Care Services Ltd.

Introduction
We recognise that in the running of our business, we collect and process personal data
from a variety of sources. This personal information is collated in several different formats
including letters, emails, legal documents, employment records, operations records, images
and statements. The personal data is held in both hard copy and electronic form.

Aims of the policy
Our business will ensure that personal data that we hold is kept secure and that it is held for
no longer than is necessary for the purposes for which it is being processed. In addition, we
will retain the minimum amount of information to fulfil our statutory obligations and the
provision of goods and/or services, as required by the data protection legislation, including
the General Data Protection Regulation (GDPR).

Retention
This retention policy (with its schedule), is a tool used to assist us in making decisions on
whether a particular document should be retained or disposed of. In addition, it takes
account of the context within which the personal data is being processed and our business
practices.
Decisions around retention and disposal should be taken in accordance with this policy.
Where a retention period of a specific document has expired, a review should always be
carried out prior to the disposal of the document. This does not have to be time-consuming
or complex. If a decision is reached to dispose of a document, careful consideration should
be given to the method of disposal.

Responsibility
The Data Protection Officer is responsible for keeping this retention schedule up to date, to
reflect changing business needs, new legislation, changing perceptions of risk management
and new priorities for our business.
The Data Protection Officer is responsible for determining (in accordance with this Policy)
whether to retain or dispose of specific documents.
The Data Protection Officer may delegate the operational aspect of this function to other
members of the management team.

Disposal
We must ensure that personal data is securely disposed of when it’s no longer needed.
This will reduce the risk that it will become inaccurate, out of date or irrelevant.
The method of disposal should be appropriate to the nature and sensitivity of the
documents concerned and includes:

• Non-Confidential records: place in waste paper bin for disposal
• Confidential records: shred documents
• Deletion of Computer Records
• Transmission of records to an external body
• Cloud storage

The table below contains the retention period that we have assigned to each type of record.
This will be adhered to wherever possible, although it is recognised that there may be
exceptional circumstances which require documents to be kept for either shorter or longer
periods.
Exceptional circumstances should be reported to John Lee without delay.
Date created: 9 May 2018

Appendix 1: Document retention schedule

Each entry gives the type of record, its retention period, where it is stored, the reason for
retention and the method of deletion.

Employment records:

PAYE records
  Retention period: 3 years from end of fiscal year
  Where stored: Archive room
  Reason: Legal
  Method of deletion: Shred / delete from hard drive / cloud

Unsuccessful candidates
  Retention period: 6 months after last action
  Where stored: Archive room
  Reason: Legal, possible discrimination challenge
  Method of deletion: Shred

Accident report forms
  Retention period: 3 years after last action
  Where stored: Archive room
  Reason: Legal, possible claim
  Method of deletion: Shred

Employment records: redundancy, equal opportunities; health & welfare records
  Retention period: 6 years after last action
  Where stored: Archive room; Tagtronics
  Reason: Financial / insurance
  Method of deletion: Shred

Employees that left the business: emergency contacts and bank account details
  Retention period: Delete immediately after making final salary payment
  Where stored: Sage; online banking
  Reason: Payment of wages; legal
  Method of deletion: Shred / delete from IT systems

Pay & tax: pay deductions, tax forms, payroll, loans
  Retention period: 6 years after last action
  Where stored: Sage and online banking; Directors office

Records of formal disciplinary actions in employee file
  Retention period: 6 years after last action
  Reason: Staff performance appraisal
  Method of deletion: Shred

Records of formal grievances in employee file
  Retention period: 6 years after last action
  Reason: Employment contract
  Method of deletion: Shred

Commercial contracts:

Framework Agreement with LCC
  Retention period: 6 years after last action
  Where stored: Directors office
  Reason: Evidence of achievement for future tender applications
  Method of deletion: Shred

Contracts signed for provision of services
  Retention period: 6 years after last action
  Where stored: Directors office
  Reason: Legal
  Method of deletion: Shred

Purchase orders and invoices
  Retention period: 3 years after last action
  Where stored: Sage IT system
  Reason: Collection of outstanding debts
  Method of deletion: Shred / delete from IT systems

Tax and Accounting Records:

Tax returns
  Retention period: 6 years from end of fiscal year
  Where stored: Directors office
  Reason: Audit
  Method of deletion: Shred / delete from IT systems

Accounting & financial management information
  Retention period: 6 years from end of fiscal year
  Where stored: Archive room; Accountants
  Reason: Audit
  Method of deletion: Shred

Mailing lists
  Retention period: 1 year after last action
  Where stored: Archive room; IT system
  Reason: To notify customers and staff of business changes
  Method of deletion: Shred

Operational records:

Vehicles
  Retention period: Keep asset and depreciation records for 6 years after end of the
  financial year to which they relate
  Where stored: Directors office
  Reason: Tax
  Method of deletion: Shred

Fire Risk Assessments
  Retention period: Retain until superseded
  Where stored: Directors office
  Reason: Health and safety compliance

Policies/Procedures
  Retention period: 7 years
  Where stored: IT systems / web site
  Reason: Operational governance

Complaints & safeguarding allegations
  Retention period: 8 years from end of fiscal year
  Where stored: Directors office
  Reason: Evidence against future action

Care Plans & Service User information
  Retention period: 8 years after cessation of service
  Where stored: Archive room
  Reason: CQC regulation

Insurance schedules
  Retention period: 10 years after last action
  Where stored: Directors office
  Reason: Protection against future claims

Employer’s liability insurance certificates
  Retention period: Life of company
  Where stored: Admin office
  Reason: Protection against future claims

Email records: email correspondence
  Retention period: Archive emails after 1 year
  Where stored: IT systems; Outlook archive file
  Reason: Operational records and correspondence

Website Privacy Policy

This Privacy Statement applies to your use of the web site of All About You. Information
technology continues to present new and exciting opportunities. However, many people are
concerned about how their personal information will be used. We recognise that our users
may have concerns about their privacy and confidentiality whilst online. We are committed
to ensuring the privacy of our users whilst using our web site.
The following Privacy Statement has been published to provide a clear and concise outline
of how and when personal information is collected, stored and distributed by All About You.
This Privacy Statement covers personal information collected via the All About You web
site.

Personal Information Collected
The nature of personal information collected and maintained by All About You includes
information gained for those seeking care at home, or a franchise business opportunity or
recruitment opportunity with All About You. For statistical purposes we collect information
on: web site activity such as the number of users who visit the web sites; the date and time
of visits; the number of pages viewed; navigation patterns; what country and what systems
users have used to access the sites; and, when entering our web sites from another
website; the address of that website through the use of ‘cookies’. This information on its
own does not identify an individual but it does provide All About You with statistics that we
can use to analyse and improve our web site. We do not collect information about anyone’s
political or religious beliefs, ethnic background or sexual preferences.

Use and Disclosure of Personal Information
Unless you have instructed us not to do so, personal information may be shared within the
All About You company, where it will remain confidential and only be used for the purpose
as you already intended. All About You undertakes not to sell, rent or trade your personal
information.

We will not disclose information about you unless the disclosure is required by law, is
authorised by law, or you have consented to our disclosing the information about you.

As with most business organisations, All About You relies on third party suppliers to
conduct specialised activities such as mail-outs, credit checks and the provision of internet
services and the processing of specialised media and direct mail activity. These suppliers
act on behalf of All About You and do not facilitate their own commercial objectives whilst
processing your personal information. While personal information may be provided to these
suppliers to enable them to perform their agreed tasks, such information remains the
property of All About You at all times and the supplier organisations involved are bound by
specific confidentiality and non-disclosure agreements.

Website enquiries

If you contact the All About You website with an enquiry, such as a question about our
content, you may be contacted to provide feedback on how we managed your enquiry. You
will be asked for your consent when you submit your data to us.

We will hold the information you provide us for as long as necessary to support the service
we are providing you, for example so we can continue to provide assistance or resolve an
ongoing issue.

If no communication has been made in over 12 months and the information is not required
to resolve an ongoing issue, then all communication and any personal information will be
deleted. Non-personal information, such as how long your enquiry was open for or the part
of the website you were using, will remain. This is to allow for reporting over a period
greater than 12 months.

Information is kept for 12 months to allow for trend analysis, identifying reoccurring issues
and understanding common issues.

Exceptions include those currently following the complaints process, or when consent to
keep information for longer has been obtained. Additionally, if we have determined that the
information supplied contains personal information that we do not need to hold to provide
assistance, we will endeavour to remove this information sooner.

Personal Information Security
All About You is committed to keeping secure the data you provide us and we will take all
reasonable precautions to protect your personally identifiable information from loss, misuse
or alteration.

Your information: what, why and where we use it
All About You collects information when you use our website and services. That information
can include, for example, your contact details, how you’re using our services, your location
or your preferences.

We mostly use your data to keep you connected to our network and manage your account.
We also use your data to improve our services and to comply with some legal obligations.

Your marketing preferences
If you’ve chosen to receive marketing messages from us, we’ll use your data to bring you
more of the things you’re interested in.

Your data and third parties
We use selected third parties to help deliver services to our customers and to support our
business. And sometimes we are legally required to give information to certain authorised
agencies. But we won’t share your data with any third parties for marketing purposes,
unless you’ve told us it’s ok to do so.

Your rights
You have some important rights that determine how and whether we use your data. For
example, you can decide you don’t want to be sent marketing messages and you’re entitled
to receive a copy of your data.
Your privacy is extremely important to us. So, if you think we’re not handling your data
properly we want you to tell us. And after that, if you feel that we aren’t getting it right, you
can complain to the Information Commissioner.

Cookies
A ‘cookie’ is a packet of information that allows the server (the computer that houses the
web site) to identify and interact more effectively with your computer. A different
identification number is sent each time you use our web site. Cookies do not identify
individual users, although they do identify a user’s browser type and your Internet Service
Provider (ISP). To evaluate the effectiveness of our web site's appeal and user-friendliness,
we may use third parties to collect statistical data. No personal data will be collected on
these occasions. You can configure your browser to accept all cookies, reject all cookies, or
notify you when a cookie is sent. Please refer to your browser instructions or help screens
to learn more about these functions. At the end of your interaction with our web site, you
can have your computer ensure that the cookie is deleted. This means it no longer exists on
your computer and therefore it cannot be used for further identification or access to your
computer. We use the following cookies:

• Strictly necessary cookies. These are cookies that are required for the operation of
our website. They include, for example, cookies that enable you to log into secure
areas of our website, use a shopping cart or make use of e-billing services.

• Analytical/performance cookies. They allow us to recognise and count the number
of visitors and to see how visitors move around our website when they are using it.
This helps us to improve the way our website works, for example, by ensuring that
users are finding what they are looking for easily.

• Functionality cookies. These are used to recognise you when you return to our
website. This enables us to personalise our content for you, greet you by name and
remember your preferences (for example, your choice of language or region).

• Targeting cookies. These cookies record your visit to our website, the pages you
have visited and the links you have followed. We will use this information to make
our website and the advertising displayed on it more relevant to your interests.

Changes to this Statement
All About You may make changes to this Privacy Statement from time to time for any
reason. We will publish those changes on our web sites. This Privacy Statement was last
updated on 7 January 2020.

Contact us about Privacy
If you would like further information regarding this Privacy Statement or if you think we have
breached any aspect of this Privacy Statement or if you would like to see our Privacy
Policy, please contact us by writing to the address below:

Information Governance Lead
About You Care Services Limited
12 Sovereign Court
Poulton Le Fylde
Lancashire
FY6 8JX

Tel: 01253 899982

GDPR: Privilege Access Agreement; System Administrators

Introduction

Privileged access enables an individual to take actions which may affect computing
systems, network communication, or the accounts, files, data, or processes of other users.
Privileged access is typically granted to system administrators, network administrators, staff
performing computing account administration, or other such employees whose job duties
require special privileges over a computing system or network.
Individuals with privileged access must respect the rights of the system users, respect the
integrity of the systems and related physical resources, and comply with any relevant laws
or regulations. Individuals also have an obligation to keep themselves informed regarding
any procedures, business practices, and operational guidelines pertaining to the activities of
their local department.
General Provisions
1. Privileged access is granted only to authorised individuals. Privileged access shall be
granted to individuals only after they have read and signed this Agreement.

2. Privileged access may be used only to perform assigned job duties.

3. If methods other than using privileged access will accomplish an action, those other
methods must be used unless the burden of time or other resources required clearly
justifies using privileged access.

4. Privileged access may be used to perform standard system-related duties only on
machines and networks whose responsibility is part of assigned job duties. Examples
include:

o installing system software;

o relocating individuals' files from critically overloaded locations;

o performing repairs required to return a system to normal function, such as fixing
files or file processes, or killing runaway processes;

o running security checking programs;

o monitoring the system to ensure reliability and security.

5. Privileged access may be used to grant, change, or deny resources, access, or privilege
to another individual only for authorised account management activities or under
exceptional circumstances. Such actions must follow any existing organisational
guidelines and procedures.

144

• Individuals with privileged access shall take necessary precautions to protect the
confidentiality of information encountered in the performance of their duties.

• If, during the performance of their duties, individuals with privileged access
inadvertently see information indicating serious misuse, they are advised to consult
with the Data Protection Officer.

AGREEMENT

I have read this Privileged Access Agreement and I agree to comply with the provisions of this
Privileged Access Agreement.

Signature: _______________________________

Date: _______________________________

Print Name: _______________________________

Region:

-------------------------------------------------------------

Systems or Resources Approved for Privileged Access:
______________________________________________________________
______________________________________________________________
______________________________________________________________
______________________________________________________________


SOCIAL MEDIA POLICY

Social media is an interactive online media that allows users to communicate instantly
with each other or to share data in a public forum. It includes social and business
networking websites such as Facebook, MySpace, Bebo, Twitter and LinkedIn. Social media
also covers video and image sharing websites such as YouTube and Flickr, as well as
personal weblogs (“blogs”). This is a constantly changing area with new websites being
launched on a regular basis and therefore this list is not exhaustive.
This policy applies in relation to any social media that employees may use.

Use of social media at work

Limited social media use at work
Employees are only permitted to log on to social media websites or to keep a personal
weblog (“blog”) using the Company’s IT systems and equipment outside their normal
working hours (for example, during lunch breaks or before the working day has started or
after the working day has finished) and this must not under any circumstances interfere with
their job duties or have a detrimental effect on their productivity. This includes laptop and
hand-held computers or devices distributed by the Company for work purposes. The
Company nevertheless reserves the right to restrict access to any of these types of
websites at any time. Where employees have their own computers or devices, such as
laptops and hand-held devices, again they must limit their use of social media on their own
equipment to outside their normal working hours, such as during breaks.

However, employees may be asked to contribute to the Company’s own social media
activities during normal working hours, for example by writing Company blogs or newsfeeds
or managing a Facebook account or running an official Twitter or LinkedIn account for the
Company. Employees must be aware at all times, that while contributing to the Company’s
social media activities, they are representing the Company.

Company’s social media activities

Where employees are authorised to contribute to the Company’s own social media
activities as part of their job duties, for example for marketing, promotional and recruitment
purposes, they must adhere to the following rules:

• Use the same safeguards as they would with any other type of communication about the
Company that is in the public arena.
• Ensure that any communication has a purpose and a benefit for the Company.
• Obtain permission from their line manager before embarking on a public campaign using
social media.
• Request their line manager to check and approve content before it is published online.
• Follow any additional guidelines given by the Company from time to time.

The social media rules set out below also apply as appropriate.


Social media rules

The Company recognises that many employees make use of social media in a personal
capacity outside the workplace and outside normal working hours. While they are not
acting on behalf of the Company in these circumstances, employees must be aware that
they can still cause damage to the Company if they are recognised online as being one of
its employees. Therefore, it is important that the Company has strict social media rules in
place to protect its position.

When logging on to and using social media websites and blogs at any time, including
personal use on non-Company computers outside the workplace and outside normal
working hours, employees must not:
• Other than in relation to the Company’s own social media activities or other than where
expressly permitted by the Company for business networking websites such as LinkedIn,
write about their work for the Company – and, in postings that could be linked to the
Company, they must also ensure that any personal views expressed are clearly stated to
be theirs alone and do not represent those of the Company.
• Conduct themselves in a way that is potentially detrimental to the Company or brings the
Company or its employees, Service Users, customers, contractors or suppliers into
disrepute, for example by posting images or video clips that are inappropriate or links to
inappropriate website content.
• Other than in relation to the Company’s own social media activities or other than where
expressly permitted by the Company for business networking websites such as LinkedIn,
use their work e-mail address when registering on such sites or provide any link to the
Company’s website.
• Allow their interaction on these websites or blogs to damage working relationships with or
between employees and Service Users, customers, contractors or suppliers of the
Company, for example by criticising or arguing with such persons.
• Include personal information or data about the Company’s employees, Service Users,
customers, contractors or suppliers without their express consent (an employee may still be
liable even if employees, Service Users, customers, contractors or suppliers are not
expressly named in the websites or blogs as long as the Company reasonably believes
they are identifiable) – this could constitute a breach of Data Protection legislation, which
may amount to a criminal offence.
• Make any derogatory, offensive, adverse, discriminatory, untrue, negative, critical or
defamatory comments about the Company, its employees, Service Users, customers,
contractors or suppliers, or any comments which might reasonably be considered to insult,
damage or impugn the Company’s or their reputation or character (an employee may still
be liable even if the Company, its employees, Service Users, customers, contractors or
suppliers are not expressly named in the websites or blogs as long as the Company
reasonably believes they are identifiable).
• Make any comments about the Company’s employees that could constitute unlawful
discrimination, harassment or cyber-bullying contrary to the Equality Act 2010 or post any
images or video clips that are discriminatory or which may constitute unlawful harassment
or cyber-bullying – employees can be personally liable for their actions under the
legislation.
• Disclose any trade secrets or confidential, proprietary or sensitive information belonging to
the Company, its employees, Service Users, customers, contractors or suppliers or any
information which could be used by one or more of the Company’s competitors, for example
information about the Company’s work, its products and services, technical developments,
deals that it is doing, future business plans and staff morale.
• Breach copyright or any other proprietary interest belonging to the Company, for example,
using someone else’s images or written content without permission or failing to give
acknowledgement where permission has been given to reproduce particular work – if
employees wish to post images, photographs or videos of their work colleagues or Service
Users, customers, contractors or suppliers on their online profile, they should first obtain the
other party’s express permission to do so.

Employees must remove any offending content immediately if they are asked to do so by
the Company.

Work and business contacts made during the course of employment through social media
websites and which are added to personal social networking accounts amount to
confidential information belonging to the Company and accordingly the Company may ask
for them to be surrendered on termination of employment.

Employees should remember that social media websites are a public forum, even if they
have set their account privacy settings at a restricted access or “friends only” level, and
therefore they should not assume that their entries on any website will remain private or
confidential.

Employees must also be security conscious when using social media websites and should
take appropriate steps to protect themselves from identity theft, for example by setting their
privacy settings at a high level and restricting the amount of personal information they give
out, such as date and place of birth, schools attended, family names and favourite football
team. This information may form the basis of security questions and/or passwords on other
websites, such as online banking.

Should employees observe inaccurate information about the Company on any web sources
of information, they should report this to their line manager in the first instance.

Social media references

Where employees (or ex-employees) have set up personal profiles on business networking
websites such as LinkedIn, these websites may include the facility for the user to request
their contacts or other users to provide them with open recommendations, endorsements or
references which are then published on their personal profile web pages for other contacts
or connections, or prospective contacts or connections, to read. As these could potentially
be construed as open references given on behalf of the Company, employees are
prohibited from providing these types of recommendations, endorsements or references
online to or for the benefit of other employees or ex-employees without the prior permission
of their line manager.

If these types of recommendations, endorsements or references are requested online by
Service Users, customers, contractors, suppliers or other Company-related business
connections, employees should refer such requests to their line managers.

Social media monitoring

The Company reserves the right to monitor employees’ use of social media on the internet,
both during routine audits of the computer system and in specific cases where a problem
relating to excessive or unauthorised use is suspected. The purposes for such monitoring
are to:

• Promote productivity and efficiency.
• Ensure the security of the system and its effective operation.
• Ensure there is no unauthorised use of the Company’s time, for example to check that an
employee has not been spending an excessive amount of time using social media websites
for non-work related activity when they should be working.
• Ensure that inappropriate, restricted or blocked websites are not being accessed by
employees.
• Ensure that all employees are being treated with respect and dignity at work, by discovering
and eliminating any material that is capable of amounting to harassment contrary to the
Equality Act 2010.
• Ensure there is no breach of commercial confidentiality.

The Company reserves the right to restrict, deny or remove internet access, or access to
particular social media websites, to or from any employee.

Contravention of Social Media policy

Failure to comply with any of the requirements of this policy is a disciplinary offence and
may result in disciplinary action being taken under the Company’s disciplinary procedure.
Depending on the seriousness of the offence, it may amount to gross misconduct and could
result in the employee’s summary dismissal.
The Company will process the personal data collected in connection with the operation of
the social media policy in accordance with its data protection policy and any internal privacy
notices in force at the relevant time. Inappropriate access or disclosure of personal data will
constitute a data breach and should be reported immediately to the Company’s Data
Protection Officer in accordance with the Company’s data protection policy. Reported data
breaches will be investigated and may lead to sanctions under the Company’s disciplinary
procedure.


WhatsApp Rules for Use

We have several WhatsApp groups running throughout the company and
they prove to be a very useful tool for communication. However, due to
Data Protection Regulations there are rules that we must all observe
when handling confidential information. Whilst some may feel certain rules
are obvious, they are in place to protect the privacy of service users and
to prevent their personal information being disclosed to others. Therefore,
it is essential when using WhatsApp that you observe the following rules:

Rule 1 Use the Official Company WhatsApp for Work

Use only the official company WhatsApp groups to make notifications and communications.
It is also useful to remember that you should not be discussing work-related issues on your
personal social media platforms. For further information about data protection and
compliance please refer to the company handbook.

The official company groups relate to the care teams operating across the company; they
are:

1) Morecambe Notifications
2) Garstang Notifications
3) Cleveleys, Fleetwood & Poulton
4) Over Wyre Notifications
5) Kirkham Notifications
6) St Anne’s Notifications

Rule 2 Keep Service Users’ Details Confidential

Please remember that service users’ personal details are private and confidential. Any
information you hold about them must not be disclosed to your friends or family; it should
only be shared with work colleagues, the service user’s family and other professionals such
as their doctors, district nurses and social workers.

Rule 3 Anonymise Service Users’ Names

Do not identify service users by name. Use their title and initials; if more than one person
in the same area has the same initials, put their postcode after the initials, separated by a
forward slash, e.g.

Mrs Ann Jones who lives in Morecambe would be referred to as: MrsAJ

Mr John Smith who lives in Garstang can be referred to as: MrJS / PR3 1JJ

Mr John Smith who lives in Fleetwood would be referred to as: MrJS / FY7 7ND

The concern is not high-tech hackers: WhatsApp’s end-to-end encryption protects messages
while they are in transit. But as a professional carer using WhatsApp, all you have to do is
leave your phone unlocked in someone’s house, press the wrong button, or have someone
reading over your shoulder and you could unwittingly compromise a service user’s
confidentiality. WhatsApp does not require a separate password by default, so an unlocked
phone left unattended is an easy target for a motivated intruder.

Anonymising service users’ names in this way limits what anyone who sees a message can
learn about them. Bear in mind that initials combined with a full postcode still narrow a
person down to a handful of addresses, so add the postcode only where it is needed to tell
two people apart.

Rule 4 Anonymise All Photographs

If you use an image you must anonymise it, i.e. do not disclose the person’s name, and you
must ask the person’s permission before taking the picture. Without the consent of the
service user you will be acting illegally, and this could lead to disciplinary action.
