Employee Privacy Promise
Complete Care Agency Ltd is registered with the Information Commissioner's Office (ICO) under the provisions of the Data Protection Act 1998. The Company takes its responsibilities under the Act very seriously. This policy and its procedures provide details of how Complete Care Agency collects and uses information about you.
For more general information about how we use your information, please refer to our Company Website – https://completecareagency.co.uk/
We ask that you read this document carefully, as it contains important information on how and why we collect, store, use and share personal information; on your rights in relation to your personal information; and on how to contact us and other organisations in the event you have a complaint.
You may also be interested in our;
In order to identify, select, train and recruit new employees we collect and process personal information about you.
Personal information means any information about you from which you can be identified, but it does not include information where your identity has been removed (anonymous data).
As the ‘controller’ of personal information, we are responsible for how that data is managed. The General Data Protection Regulation (GDPR), which applies in the United Kingdom and across the European Union, sets out our obligations to you and your rights in respect of how we manage your personal information.
As the ‘controller’ of your personal information, we will ensure that the personal information we hold about you is:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes;
- Relevant to the purposes we have told you about and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the purposes we have told you about;
- Kept securely.
This document provides the information as required by GDPR under your right to be informed.
Security of data
- All employees are responsible for ensuring that any personal data which they hold is kept securely and not disclosed to any unauthorised third party;
- All personal data should be accessible only to those who need to use it.
All personal data must be kept:
- In a lockable room with limited and controlled access;
- In a locked drawer or filing cabinet;
- If data is electronic, then it should be stored on network servers and not on local systems, and have suitable security access levels applied;
- Particular care should be taken of portable IT equipment, etc., which should be password protected to prevent unauthorised access;
- Where highly sensitive data is by necessity stored on memory sticks, these must be protected by Advanced Encryption Standard (AES) encryption and passwords must be strictly controlled;
- Special categories of personal data should not be kept on memory sticks or routinely taken from Complete Care Agency on any form of removable media;
- Personal data held on removable media such as CD/DVD media must be disposed of in accordance with the Information Security Policy;
- Care should be taken to ensure that PC monitors and Mobile Device Screens are not visible except to authorised employees and that computer passwords are kept confidential;
- PCs, Mobile Phones, Laptops and other mobile devices should not be left unattended without password protected screen savers and manual records should not be left where they can be accessed by unauthorised personnel;
- Employees are to operate a “clear desk” policy when finishing work each day;
- No confidential papers should be left on desks under any circumstances, nor should any personal information of service users or employees be displayed on notice boards within the offices;
- Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be disposed of as “confidential waste”. All disposal of IT equipment will be managed by Thomas Ellis in conjunction with Anthony Ellis;
- This policy also applies to employees who process personal data outside Complete Care Agency premises, such as when working from home;
- Employees should take particular care when processing personal data at home or in other locations. Any loss of data from either Complete Care Agency premises or off site must be reported to the HR Manager;
- Under no circumstances should data belonging to the Complete Care Agency IT system be emailed to a private email account.
Responsibilities of Management and Data Users
All management and data users have a responsibility to ensure compliance with the GDPR, the DPA and this policy, and to develop and encourage good information handling practices within their areas of responsibility. All users of personal data within Complete Care Agency have a responsibility to ensure that they process the data in accordance with the Principles and the other conditions set down in the legislation.
Personal data we process
In our role as an employer, and because of the nature of our business, we process a number of different categories of data from our employees during and after your working relationship with us. This includes:
What information does the Company collect?
- Your name, address and contact details, including email address and telephone number, date of birth and gender;
- The terms and conditions of your employment;
- Details of your qualifications, skills, experience and employment history, including start and end dates, with previous employers and with the organisation;
- Information about your remuneration, including entitlement to benefits such as pensions, statutory maternity pay (SMP), statutory sick pay (SSP), bonus or insurance cover;
- Details of your bank account and national insurance number;
- Information about your marital status, next of kin, dependants and emergency contacts;
- Information about your nationality and entitlement to work in the UK;
- Details of your schedule (days of work and working hours) and attendance at work;
- Details of periods of leave taken by you, including holiday, sickness absence, family leave and the reasons for the leave;
- Details of any disciplinary or grievance procedures in which you have been involved, including any warnings issued to you and related correspondence;
- Assessments of your performance, including appraisals, performance reviews, performance improvement plans and related correspondence;
We may also collect, store and use the following “special categories” of more sensitive personal information including:
- Information about medical or health conditions, including whether or not you have a disability for which the Company needs to make reasonable adjustments; and
- Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief.
Purposes of processing your personal information
In order to employ and support you during your employment with Complete Care Agency we will process personal data.
| Purpose of processing | Examples |
|---|---|
| Maintaining employee files | Records of recruitment with Complete Care Agency including application forms, CVs, interview assessments and references |
| | To maintain accurate and up-to-date personal details |
| | Managing training and development needs, delivering or arranging training and assessing competencies |
| | To receive and record records of absence |
| | To record performance management activities |
| | To record and manage statutory meetings including communication with our employees (including disciplinary or grievance and investigations) |
| | To process and maintain up-to-date criminal conviction and caution information (CRB checks), where relevant to your role |
| | To receive and process records of resignation from employment with Complete Care Agency |
| Finance and Payroll | To record and process payroll for employees, including tax, NI, Pension, SSP, SMP and any bonus allowances |
| | To record and process expense payments for employees |
| Provision of service | Providing access to company equipment and facilities (including phones, IT equipment) |
| | To issue and renew ID badges to all relevant employees |
| | The provision of care (including covering placements, communication, annual leave and shift rostering records, training and competency assessment, reporting incidents) |
| | The provision of service (including arranging travel and accommodation, records, communication) |
| Investigations and regulatory compliance | To receive, record and process notifications, accidents and incidents as required with the appropriate external regulators (including RIDDOR, CQC, CIW) |
| | To receive, record and investigate complaints received about the service |
| | To monitor and ensure compliance with National Minimum Wage Standards |
| | To register a manager or location and to make changes to registered managers or locations with our regulators |
| | To receive, record and process insurance claims |
| Reporting and business analysis | To conduct and support internal and external audits |
| | To monitor and report on the performance of the business and compliance |
| | To send, receive and analyse employee feedback |
Who has access to your personal data
In order to operate our business and run our recruitment we rely on third parties to provide specialist support to us. To provide this support they will have access to, or a duty of care over your personal information. These third parties are:
- IT and telecoms support companies – to ensure the safe, secure and resilient operation of our IT infrastructure including computers, servers, phones and mobile devices;
- Software support companies – to provide specialist support and resolve issues with the software that we run, for example the systems we use to store and manage your recruitment progression;
- Communication service providers – such as Royal Mail and network providers;
- Relevant authorities/organisations – such as the DVLA, HMRC, CQC or CIW and Skills for Care;
- Service providers – occupational health, insurance companies and training providers.
We will share relevant information within Complete Care Agency during and after your employment where this is necessary, and in line with our purpose for processing.
Due to the nature of our business and the service we provide we may share minimal personal data with our customers to enable the safe and effective delivery of care, for example we may share your name with a customer who you have agreed to work with.
We will not share, sell or trade your personal information with any other third party without your consent, unless there is a legal reason to do so.
All your personal data is stored and processed on systems that are within the European Economic Area (EEA) and offer the same level of legal protection and rights over your data.
In certain situations, we transfer your personal information to the following countries which are located outside the European Economic Area (EEA):
- A country where you are resident or located in temporarily
This will be for the purposes of communicating with you about your employment and the services we provide while you are outside of the UK.
This international transfer is under Article 49(1)(b) – the transfer is necessary for the performance of a contract between the data subject and the controller. Such countries do not have the same data protection laws as the United Kingdom and EEA. Any transfer of your personal information will be subject to appropriate or suitable relevant safeguards that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.
Transfers of Personal Data Outside the EEA
Personal data can only be transferred out of the European Economic Area when there are safeguards in place to ensure an adequate level of protection for the data. For transfers of personal data to a receiving party in the United States of America, the Privacy Shield Agreement between the European Union and the United States of America provides sufficient protection. Before transferring data, the Privacy Shield website should be consulted to determine whether the receiving party is on the Privacy Shield List. Staff involved in transferring personal data to other countries must ensure that an appropriate safeguard is in place before agreeing to any such transfer.
Retention and disposal
Complete Care Agency discourages the retention of personal data for any longer than necessary. Considerable amounts of data are collected, and some data will be kept for longer periods than others, however every effort should be made to review the need to keep it and safely dispose of data as soon as possible.
- Management and data processors will regularly review the data they hold and dispose of it in accordance with data auditing procedures;
- Complete Care Agency will comply with external guidelines on the retention of records where appropriate;
- Personal data will be disposed of in a way that protects the rights and privacy of data subjects (e.g. disposal as confidential waste, deletion from IT systems and backups);
- Under the GDPR images captured through CCTV are classed as personal data;
- Where CCTV is in use, images will be treated as “data” in the same manner as paper or computer based information. The main purpose of collecting data from CCTV cameras is the protection of Company employees, service users and the public, the prevention of crime or anti-social behaviour and to safeguard Company property;
- Data from CCTV cameras may be used as evidence during criminal or other legal proceedings and may be passed to other agencies within the scope of our Registration with the Information Commissioner;
- The number and type of cameras will also be carefully considered. Customers, visitors and employees should not feel uncomfortable because of the presence of CCTV, and it will not be used to monitor private areas such as the inside of a service user's home;
- CCTV signage will be in place where CCTV is present;
- Consultation will include discussing whether there are alternative options, any underlying reasons why the need for CCTV has arisen, the number and positioning of cameras, secure image recording and storage facilities, who has access to recorded images and whether the system is temporary, permanent or subject to a period of review;
- The appropriate member of Senior Management Team will be responsible for ensuring that those on site are aware of our Policy, the proper use of the system and how to respond to requests for access to recorded data.
Monitoring and Recording
- CCTV systems in use at Complete Care Agency will not be monitored on a constant basis;
- Management may check the system from time to time, however access will be restricted to ensure the maximum privacy for that personal data;
- Management should not use the system for monitoring movements of people in and around the office;
- The CCTV monitor should not be in a position where images can be seen by members of the public;
- If a meeting is being conducted in an office where CCTV is monitored, the CCTV monitor should be switched off if there is a risk that unauthorised people would be able to view images on screen;
- Images will be recorded on a time loop;
- This means that recorded images are not kept indefinitely and will be overwritten on a 14-day cycle;
- The length of time images are stored before being overwritten should be known to the management responsible for monitoring the system, in order to respond to enquiries;
- Recorded images will be kept securely and management should access these for specific purposes only related to the use of CCTV, i.e. crime prevention/detection or dealing with anti-social behaviour;
- CCTV images are the property of Complete Care Agency.
Legal basis for processing
We rely on the following grounds within the GDPR:
- Article 6(1)(b) – processing is necessary for the performance of our contracts to provide individuals with care and support services and you with employment;
- Article 6(1)(c) – processing is necessary for us to demonstrate compliance with the law or regulatory frameworks;
- Article 6(1)(f) – in pursuit of legitimate interests, namely:
  - To analyse and report on the performance and compliance of the business;
  - Providing access to company equipment, vehicles and facilities (including phones, vehicles, software and applications);
  - To send, receive and analyse employee feedback.
GDPR recognises that additional care is required when processing special category (sensitive) data such as your health. We process this under the following grounds within GDPR:
- Article 9(2)(h) – Provision of health or social care or management of health or social care systems or services;
- Article 9(2)(b) – Legal obligations under employment or social benefit law;
- Article 9(2)(f) – Establishment, exercise or defence of legal claims or court.
- If the Company discovers that there has been a breach of personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner within 72 hours of discovery. The Company will record all data breaches regardless of their effect;
- If the breach is likely to result in a high risk to the rights and freedoms of individuals, it will tell affected individuals that there has been a breach and provide them with information about its likely consequences and the mitigation measures it has taken.
Under the GDPR you have important rights free of charge. In summary, those include rights to:
- Fair processing of information and transparency over how we use your personal information;
- Access to your personal information and to certain other supplementary information that this Privacy Promise is designed to address;
- Require us to correct any mistakes in your information which we hold;
- Require the erasure (i.e. deletion) of personal information concerning you, in certain situations. Please note that if you ask us to delete any of your personal information which we believe is necessary for us to comply with our contractual or legal obligations, this may affect our ability to provide employment or to fulfil our contractual duties with you;
- Receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations;
- Object at any time to processing of personal information concerning you for direct marketing;
- Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you;
- Object in certain other situations to our continued processing of your personal information;
- Otherwise restrict our processing of your personal information in certain circumstances;
- Claim compensation for damages caused by our breach of any data protection laws.
Subject access requests
- Individuals have the right to make a subject access request. If an individual makes a subject access request, the Company will tell him/her:
  - Whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
  - To whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
  - For how long his/her personal data is stored (or how that period is decided);
  - His/her rights to rectification or erasure of data, or to restrict or object to processing;
  - His/her right to complain to the Information Commissioner if he/she thinks the organisation has failed to comply with his/her data protection rights; and
  - Whether or not the organisation carries out automated decision-making and the logic involved in any such decision-making.
- The organisation will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.
- If the individual wants additional copies, the organisation will charge a fee, which will be based on the administrative cost to the organisation of providing the additional copies.
To make a subject access request, the individual should send the request to firstname.lastname@example.org or use the Company’s form for making a subject access request. In some cases, the Company may need to ask for proof of identification before the request can be processed. The organisation will inform the individual if it needs to verify his/her identity and the documents it requires.
The Company will normally respond to a request within a period of one month from the date it is received. In some cases, such as where the Company processes large amounts of the individual’s data, it may respond within three months of the date the request is received. The Company will write to the individual within one month of receiving the original request to tell him/her if this is the case.
If a subject access request is manifestly unfounded or excessive, the Company is not obliged to comply with it. Alternatively, the Company can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which the Company has already responded. If an individual submits a request that is unfounded or excessive, the Company will notify him/her that this is the case and whether or not it will respond to it.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us. Under certain circumstances, by law you have the right to:
- Access and obtain a copy of your data on request;
- Require the Company to change incorrect or incomplete data;
- Require the Company to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;
- Object to the processing of your data where the Company is relying on its legitimate interests as the legal ground for processing; and
- Request the transfer of your personal information to another party.
If you would like to exercise any of these rights, please contact the HR department.
If you believe that the Company has not complied with your data protection rights, you can complain to the Information Commissioner.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the GDPR.
Keeping your personal information secure
The confidentiality and security of your information is of paramount importance to us. We have appropriate organisational and technical security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
Right to complain
If at any time you feel that we have failed to safeguard your information appropriately you have the right to complain. In the first instance we would ask you to contact us and allow us to investigate and identify any issues you have by contacting us below.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information. The GDPR also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner, who may be contacted at ico.org.uk/concerns/ or by phoning 0303 123 1113.
You can contact us by:
Post: 1 Airport West, First Floor, Lancaster Way, Leeds LS19 7ZA
Telephone: 0333 200 0441
If you would like to exercise any of those rights, please:
- Contact us using the details above – making clear that you wish to exercise one of your privacy rights;
- Let us have enough information to identify you (e.g. your name and address);
- Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill);
- Let us know the information to which your request relates, including any account or reference numbers, if you have them.
Review of this Policy
Date: 19 February 2019
This policy will be reviewed every 3 years, or earlier as required.