Privacy Policy

Introduction

This policy was last updated on 22 July 2019.

The Orders of St John Care Trust (OSJCT) requires and collects personal information to help the Trust care for residents, their families and loved ones, employees and volunteers. We use your data in line with data protection law, including the General Data Protection Regulations (GDPR), and the Data Protection Act 2018 (DPA). Personal information is any information that identifies a living individual. This privacy policy explains what information we intend to use, how we use it, the legal reasons for using your information, and your rights under the law. When we refer to “we,” “our,” or “us” in this policy, we are referring to The Orders of St John Care Trust.

The Trust is dedicated to making sure that personal information is used properly according to the law and that confidential information entrusted to us is safe. The Trust has appointed an Information Governance Officer (IGO) and their job is to help safeguard the way your information is used and uphold your information rights. If you have any concerns or questions about how your information is being used, the IGO would like to hear from you and can be contacted on the details below:

Email: informationgovernance@osjct.co.uk
Telephone: 01993 323 253
Information Governance Officer
Operations Centre
1 Des Roches Square
Witney
Oxfordshire
OX28 4BE

You also have the right to contact the Information Commissioner’s Office (ICO) if you have a complaint about the way your information is being used. The ICO can be contacted on the details below:

Email: casework@ico.org.uk
Telephone: 0303 123 1113
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

For Residents & Extra Care Housing (ECH) Clients

What information do you collect and use?

We use your personal information so that we can provide care services to you and we collect only enough information to allow us to provide you with the best possible care. We do this to fulfil our contract to care for you.

The information we collect from you includes:

• Information that identifies you, basic details such as name, gender, address, and contact details

• Medical and health information, including notes, images, and reports about your health and any treatment and care you have received or need in the future

• Financial information including bank details, billing details and savings

• Details of contact we have had with you to provide quotes for the cost of a care contract

• Information on your beliefs and associations, including religious and philosophical beliefs, and associations with clubs and societies

• Information about your language

• Information about your ethnicity

• Details of your residency status

• Information about any criminal activity

• Your image including photograph

We may also collect personal information about you from other people and organisations, such as:

• Medical and health information from health and social care organisations and professionals, including medical notes and reports about your health and any treatment and care you have received or need

• Social care and safeguarding reports, assessments and referrals

• If you are an ECH client we receive housing applications from the housing provider

Do you share my information?

We share your personal information under certain circumstances. When we do share information, we use as little as possible and on a need to know basis

• If you require regular or emergency medical treatment we will share your personal information to enable healthcare providers, such as hospitals and GPs, to care for you

• We will share information about you with friends and family, where you have indicated that you are happy for that information to be shared

• If you are funded by a local authority, we share your information with them

• We share your information with our legal representatives if we need to reclaim money owed to us to pay for your care

How do you use the information you collect?

We use your information to give you the best care possible. This includes:

• Using your identity to be able to know who you are, this helps us make sure you receive the right care

• Healthcare information, which helps us make sure you receive the right care, such as medication, as well as getting you to your hospital and GP appointments

• Using financial information to make sure that the Trust is paid for the care that it provides

• Understanding your beliefs, to help us get you to clubs and activities

• Details of your residency status, which helps us know if you have a right to live in the UK

• Customer surveys and feedback help us to improve the care that we provide to you

• Using information to protect you from individuals who wish to harm you

• Understanding your language information helps us to communicate effectively with you

• Handling concerns and complaints about the care we provide.

• Investigating incidents

• Using your image to identify you

• Sharing your photograph in marketing materials and publications, where you have provided consent

How long do you keep my information for?

The Trust keeps your personal information during your stay with us so that we can care for you. We also retain the information when you leave our care, for an appropriate time. Our ‘retention schedule’ helps us determine how long to keep records for, in line with guidance from NHS Digital. Information in care records is kept for at least 8 years after we last provide care to you.

We keep your information in case our records are requested by a future care provider, to audit the quality of the care we provide to our residents, and to defend ourselves against legal claims. We may keep anonymised information for longer than 8 years. Anonymised information cannot identify you. It helps us better understand how we care for our residents across the Trust.

For more information on retaining personal information for marketing and publishing, please see our Marketing, Market Research and Events section.

How do you comply with the law?

There are several reasons that the Trust can legally use your information:

• You, an appointed representative, or a local authority has signed a contract with us to care for you. The information entrusted to us helps us to fulfil that contract and take the best care of you. Without this information the Trust cannot care for you

• We have a legitimate interest in collecting information about ethnicity to help monitor equality of treatment across our organisation. There is a public interest in knowing if individuals belonging to ethnic groups are treated better or worse than others

• The Trust collects information about your residence or immigration status because there is a public interest in maintaining effective immigration controls

• We use information about your religious and philosophical associations and beliefs to provide you with the best care. Religious and philosophical beliefs impact the way in which individuals wish to be treated, treatment they may not wish to receive, and end of life care

• We rely on your consent for using your image for marketing and publishing purposes

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention Period

Identity (name, D.O.B, contact details), photograph

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

8 years after discharge or last use of record

Medical & healthcare information

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

Processing is necessary for health or social care purposes.

GDPR Article 9(2)(h)

DPA Schedule 1, paragraph 2

 

8 years after discharge or last use of record

Financial information

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

6 years after the end of the financial year the record corresponds to

Details of information such as quotes and referrals

Processing is necessary in order to take steps to enter into a contract

GDPR Article 6(1)(b)

N/a

N/a

6 months after enquiry received

Religious and philosophical beliefs

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

Processing is necessary for health or social care purposes.

GDPR Article 9(2)(h)

DPA Schedule 1, paragraph 2

 

8 years after discharge or last use of record

Residency or immigration status

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

 

Processing is necessary for reasons of substantial public interest.

 

Processing is necessary for the maintenance of effective immigration controls and the investigation or detection of activities that would undermine the maintenance of effective immigration control.

GDPR Article 9(2)(g)

DPA Schedule 2, paragraph 4(a)(b)

8 years after discharge or last use of record

Criminal activity

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

Processing is necessary for preventing and detecting unlawful acts, for protecting the public against dishonesty, and for complying with regulatory agencies in investigating unlawful acts and dishonesty

GDPR Article 10

DPA Schedule 1, paragraph 10,11,

 

8 years after discharge or last use of record

Information from customer surveys

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

2 years after feedback received

Language

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

8 years after discharge or last use of record

Ethnicity

Legitimate interest

GDPR Article 6(1)(f)

Processing is necessary for reasons of substantial public interest.

Processing is necessary for identifying and reviewing existence of equality of treatment between groups of people

GDPR Article 9(2)(g)

DPA Schedule 1, paragraph 8

 

8 years after discharge or last use of record

For Employees & Contractors (Including Applicants)

What information do you collect and use?

We use your personal information to fulfil our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the work place. We do this because you have entered into a contract with the Trust.

We collect information from you, as well as creating information once you have been successful in a job application, this includes:

• Information that identifies you, basic details such as name, gender, date of birth, address, telephone number, email address and other contact details

• Information that tells us your ethnicity, age, race

• Information the Trust creates that identifies you, such as employee reference, pay rates, payroll number and job role

• Financial information including bank account, pension details and national insurance number

• Computer records, including email and browser history relating to your work

• Any professional registration status or qualifications, such as nursing registration and validation

• Information declaring unspent criminal convictions

• Information relating to leave, including annual leave, maternity, paternity, adoption, and shared parental leave.

• Medical and health information, including sick leave, allergies or occupational health requirements

• Images and photographs

• Fingerprint data is collected and used as a unique identifier for the Trust’s e-rostering system. This only applies to employees working in our care homes and ECH schemes.

We may also collect personal information about you from other people and organisations, such as:

• Criminal record check conducted by the Disclosure & Barring Service (DBS)

• We request confidential references from referees that you have given to us, which contain information about you

• Receive from HMRC such as tax codes

• Our finance team receive information from the courts if you have an been issues attachment of earnings order (AEO) by the courts

Do you share my information?

We share your personal information under certain circumstances. When we do share information, we use as little as possible, and on a need to know basis.

• If you require emergency medical treatment we will share your personal information with health professionals to ensure you receive appropriate treatment

• We share your information with HMRC to ensure that you are taxed correctly

• If you have asked us to, we will share your information with our pension providers, reward partners

• If you have asked us to, we will share your personal details, including details of your earnings, length of service, employment status, etc. with appropriate organisations for personal applications such as mortgages or rental agreements

• If you are a member of a regulatory body such as the NMC, we will share your information with them to ensure that you are registered, monitor your need to revalidate, and report misconduct

• If you have consented, we will share you photograph in marketing materials and publications

• If you have been issued with an attachment of earnings order (AEO), we will inform the Centralised Attachment of Earning Payment (CAPS) office

• The Trust uses a third party to store and host data. They do not have access to the data unless granted by the Trust.

How do you use the information you collect?

We use your personal information so to fulfil our obligations to you as an employer, to ensure you are paid for your work, and that you are protected in the work place. This includes:

• Using financial information to make sure you are paid and taxed correctly

• Ensuring that you are a registered professional where that is a requirement for your role

• Using your information to manage your performance in fulfilling your contract with us

• Understanding how we can support you if you have a disability or impairment

• Ensuring that you are employed in a suitable environment

• Assessing if you may present any risk to other individuals

• Understanding the diversity of our workforce and complying with equality and diversity legislation

• Ensuring that you receive adequate training for your role

• Using your information to keep our residents and employees safe from dishonesty and harm

• Using your image for sharing news about the care we provide and for marketing purposes

• Handling concerns and complaints about the care we provide

• Investigating incidents

• If you have consented, we will share you photograph in marketing materials and publications

• If you have been issued with an attachment of earnings order (AEO), we will make relevant deductions from your pay

How long do you keep my information for?

The Trust keeps your personal information during your employment and we also retain the information when you leave the Trust for an appropriate time. Our ‘retention schedule’ helps us determine how long to keep records for. Employee information is kept for at least 3 years after you stop working for us. If you apply for a job with us and are unfortunately unsuccessful, we will erase your information within 6 months of the close of the recruitment process.

We keep your information to audit the quality of the care we provide to our residents and to defend ourselves against legal claims. We may keep anonymised information for longer than 6 years. Anonymised information cannot identify you and helps us better understand the colleagues that we have employed.

For more information on retaining personal information for marketing and publishing, please see our Marketing, Market Research, and Events section.

How do you comply with the law?

We can legally use your information for several reasons:

• You have a signed a contract of employment with us and we use the information to fulfil that contract

• We can share your information with healthcare professionals in emergency situations where your life is at risk

• We can use healthcare information for occupational medical care, and to assess your working capacity

• We have a legitimate interest to monitor and review the diversity of our workforce to help us promote equality and diversity across the Trust and use your information to do this

• We can use and share your information to prevent and detect crime, assist law enforcement agencies, and protect other individuals from dishonesty.

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

nformation used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention period

Contract information

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

6 years after employee leaves

Identity (name, D.O.B, contact details)

Processing is necessary in order to take steps to enter into a contract, and for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

3 years after employee leaves

 

6 months after an unsuccessful application

Medical & healthcare information, including sick leave

Processing is necessary for the performance of a contract

 

GDPR Article 6(1)(b)(d)

Processing is necessary for health or social care purposes, in particular, the purposes of occupational and preventative medicine, and the assessment of an employee’s working capacity

 

GDPR Article 9(2)(h)

DPA Schedule 1, paragraph 2(2)(a)(b)

 

6 years after employee leaves

Medical & healthcare information

Processing is necessary to protect the data subject’s vital interests

GDPR Article 6(1)(d)

Processing is necessary to protect the data subject’s vital interests

GDPR Article 9(2)(c)

 

3 years after employee leaves

Financial information

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

6 years after the close of each financial year

Qualifications, work history, professional registrations

Processing is necessary in order to take steps to enter into a contract, and for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

3 years after employee leaves

Residency or immigration status

Processing is necessary for the compliance with a legal obligation to which the data controller is subject

GDPR Article 6(1)(b)

Immigration Act 2006

Processing is necessary for the maintenance of effective immigration controls and the investigation or detection of activities that would undermine the maintenance of effective immigration control.

GDPR Article 9(2)(g)

DPA Schedule 2, paragraph  4(a)(b)

 

3 years after employee leaves

Criminal convictions and offences

Processing is necessary in order to take steps to enter into a contract, and for the performance of a contract

GDPR Article 6(1)(b)

Processing is necessary for preventing and detecting unlawful acts, for protecting the public against dishonesty, and for complying with regulatory agencies in investigating unlawful acts and dishonesty

GDPR Article 10

DPA Schedule 1, paragraph 10,11.

 

3 years after employee leaves

Ethnicity, racial, and language information

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

GDPR Article 6(1)(f)

Processing is necessary for reasons of substantial public interest.

Processing is necessary for identifying and reviewing existence of equality of treatment between groups of people

GDPR Article 9(2)(c)(h)(g)

DPA Schedule 1, paragraph 8,9

 

3 years after employee leaves

Photograph

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

3 years after employee leaves

Annual, maternity, paternity, and shared parental leave

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

N/a

N/a

3 years after employee leaves

Fingerprint data

Processing is necessary for the performance of a contract

GDPR Article 6(1)(b)

Processing is necessary for the performance of a contract

GDPR Article (9)(2)(b)

For Volunteers (Including Work Experience)

What information do you collect and use?

We use your personal information so to fulfil our obligations to you as volunteers, and to maintain the privacy and confidentiality of our residents and employees. We do this because you have entered into a volunteer agreement with the Trust.

We collect information from you which includes:

• Information that identifies you, basic details such as name, date of birth, address, telephone number, email address and other contact details

• Information that tells us your ethnicity, age, and gender

• Financial information including bank account

• Interests and preferences

• Information declaring unspent criminal convictions

• Medical and health information

• We will publish your image, if you are happy for us to do so

We may also collect personal information about you from other people and organisations, such as:

• Criminal record check conducted by the Disclosure & Barring Service (DBS)

• We request confidential references from referees that you have given to us, which contain information about you

Do you share my information?

We share your personal information under certain circumstances. When we do share information, we use as little as possible, and on a need to know basis.

• The Trust uses an online system to manage volunteer data. Volunteers have access to their profile to amend or change their data at any time.

• If you require emergency medical treatment we will share your personal information with health professionals to ensure you receive appropriate treatment

• We will publish your image, if you are happy for us to do so

How do you use the information you collect?

We use your personal information so that we can make sure we protect you in your place of volunteering and to make the most of the volunteering partnership. This includes:

• Understanding how we can support you if you have a disability or impairment

• Ensuring we offer you volunteering in a place that is suitable for you

• Understanding the diversity of our volunteers

• Ensuring that you receive adequate training for your role

• Using your interests and preferences information to find the right volunteering opportunity for you

• Using your information to keep our residents and employees safe from dishonesty and harm

• We will publish your image, if you are happy for us to do so

• Handling concerns and complaints about the care we provide

• Investigating incidents

How long do you keep my information for?

The Trust keeps your personal information during the time you volunteer with us, we also retain the information when you leave the Trust. Our ‘retention schedule’ helps us determine how long to keep records for. We keep your information in to understand the quality of the care we provide to our residents and to defend ourselves against legal claims. In all cases we will only hold on to the minimum information we need to meet our regulatory and legal requirements.

We may keep anonymised information for longer than 3 years after you last volunteered with us. Anonymised information cannot identify you, and helps us better understand who has volunteered for us

For more information on keeping personal information for marketing and publishing, please see our Marketing, Market Research and Events section.

How do you comply with the law?

We can legally use your information for several reasons:

• You have consented for us to use your information and have access to the data to amend or change it at any time

• We can share your information with healthcare professionals in emergency situations where your life is at risk

• We have a legitimate interest in using your information to monitor and review the diversity of our team to help us promote equality and diversity across the Trust

• We have a legitimate interest in knowing any information that helps to prevent and detect crime. We can use and share this information to prevent and detect crime, assist law enforcement agencies, and protect other individuals from dishonesty

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

 

Identity (name, D.O.B, contact details)

Consent

GDPR Article 6(1)(a)

N/a

N/a

3 years after volunteer leaves

Medical & healthcare information

Consent

GDPR Article 6(1)(a)

Consent

 

GDPR Article 9(2)(a)

3 years after volunteer leaves

Medical & healthcare information

Processing is necessary to protect the information subject’s vital interests

GDPR Article 6(1)(d)

Processing is necessary to protect the information subject’s vital interests

GDPR Article 9(2)(c)

 

3 years after volunteer leaves

Criminal convictions and offences

Legitimate interest

GDPR Article 6(1)(f)

Processing is necessary for preventing and detecting unlawful acts, for protecting the public against dishonesty, and for complying with regulatory agencies in investigating unlawful acts and dishonesty

GDPR Article 10

DPA Schedule 1, paragraph 10,11.

 

3 years after volunteer leaves

Ethnicity, racial, and language

Consent

GDPR Article 6(1)(a)

Processing is necessary for reasons of substantial public interest.

Processing is necessary for identifying and reviewing existence of equality of treatment between groups of people

GDPR Article 9(2)(a)

 

3 years after volunteer leaves

For Guardians, Relatives, and Friends

What information do you collect and use?

We use your personal information so that we can understand if there are legal guardians, relatives and friends, who they are, who to contact in an emergency situation, and our residents’ visitor preferences.

We collect information from you, we also collect information from our residents or employees, this includes:

• Information that identifies you, basic details such as name, date of birth, address, telephone number, email address and other contact details

• Information about legal guardianship of a resident

• Information about the legal guardianship of a volunteer, if the volunteer is under 18

Do you share my information?

We share your personal information under certain circumstances. When we do share information, we use as little as possible, and on a need to know basis.

• If you require emergency medical treatment we will share your personal information with health professionals to ensure you receive appropriate treatment.

• We will publish your image, if you are happy for us to do so.

How do you use the information you collect?

We use your personal information so to fulfil our obligations to our residents This includes:

• Using your information to keep our residents and employees safe from dishonesty and harm

• Ensuring that the relatives of relatives and employees are contacted in emergency situations or if there changes in the health of a resident

• Keeping a record of any individuals who are permitted access to the confidential health information about our residents

How long do you keep my information for?

The Trust keeps your personal information within the care record of the resident it relates to. We keep your information for 6 years from your last contact with us. If you require emergency medical treatment we will keep this information for 6 years after the last recorded event. We keep your information in to audit the quality of the care we provide to our residents, and to defend ourselves against legal claims. In all cases we will only hold on to the minimum information we need to meet our regulatory and legal requirements.

For more information on retaining personal information for marketing and publishing, please see our Marketing, Market Research and Events section.

How do you comply with the law?

We can legally use your information for several reasons:

• We have a legitimate interest in protecting the privacy of our residents, and protecting them from dishonesty and harm.

• We can share your information with healthcare professionals in emergency situations where your life is at risk

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention Schedule

Identity (name, D.O.B, contact details)

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

GDPR Article 6(1)(f)

 

 

6 years

Healthcare information

Processing is necessary in order to protect the vital interests of the data subject

GDPR Article 6(1)(d)

Processing is necessary in order to protect the vital interests of the data subject

GDPR Article 9(2)(c)

6 years from when the record is last used

For Suppliers

What information do you collect and use?

We use your personal information as part of procurement of services and supplies.

We collect information from all supplier employees we come into contact with, which includes:

• Information that identifies you, basic details such as name, address, telephone number, email address and other contact details

• If you are a sole trader, we collect financial information including bank account information which identifies you as an individual

Do you share my information?

If you are seeking to enter into a contract with us, and are not a sole trader, we do not intend to share any of your personal information. If you are a sole trader we will share financial information with our bank.

How do you use the information you collect?

We use your information when you submit pre-qualifying questionnaires (PQQ), and contracts to supply goods or services. If you are a sole trader we use your information to pay you for your services.

How long do you keep my information for?

The Trust keeps your personal information relating to contracts for a limited time. We retain personal information relating to suppliers for 6 years following the end of the contract, or services delivered. We keep your information to monitor the performance of contracts and to defend ourselves against legal claims.

How do you comply with the law?

We are able to legally use your information for several reasons:

• You have a signed a contract with us and we use the information to fulfil that contract

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These condition are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention period

Identity (name, contact details)

Processing is necessary in order to take steps to enter into a contract, and the performance of a contract

GDPR Article 6(1)(b)

 

 

6 years after contract period is complete or services/goods have been delivered

For Enquiries & Complaints

What information do you collect and use?

You may contact the Trust seeking information about housing vacancies, or information about the care that is available in different care homes that we conduct. You may also contact us as a member of the public with a complaint regarding the Trust’s conduct or the conduct of an employee.

We collect information from you which includes:

• Information that identifies you, basic details such as name, date of birth, address, telephone number, email address and other contact details

• Information about your complaint

Do you share my information?

We do not intend to share any of your personal information.

How do you use the information you collect?

We use your information to answer your questions to the best of our ability, and communicate with you. If you consent to marketing, we will use your information to send you marketing materials about the services we provide.

How long do you keep my information for?

The Trust keeps your personal information relating to contracts for a limited time. We keep information relating to enquiries for 1 year after the enquiry is made. We keep information relating to complaints for 6 years following the closure of the complaint. We keep your information to defend ourselves against legal claims.

How do you comply with the law?

We can legally use your information for several reasons:

• If you are enquiring about housing vacancies, we use your information because you have sought to enter into a contract with us

• If you make an enquiry unrelated to vacancies, we have a legitimate interest in using the information to respond to your enquiry

• If you have raised a complaint with us, we have a legitimate interest in processing your information so that we can investigate your concerns and respond to your complaint

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention period

Identity (name, D.O.B, contact details) for enquiries into vacancies

Processing is necessary for the purposes of entering into a contract

GDPR Article 6(1)(b)

 

 

6 months following receipt of an enquiry

Identity (name, D.O.B, contact details) for enquiries

Legitimate interest

GDPR Article 6(1)(f)

 

 

 

6 months following receipt of an enquiry

Identity (name, D.O.B, contact details) for complaints

Legitimate interest

GDPR Article 6(1)(f)

 

 

6 years from the close of the complaint

Information Collected by Our Website

What information do you collect and use?

When you visit our website (www.osjct.co.uk) our servers automatically record information, including information that your web browser sends whenever you visit a website. We have use cookies, you can find out more about cookies here.

We collect information from you which may include:

• Your internet protocol (IP) address

• The date and time of your web site visit

• Language preferences

• Cookie information

• The device you are using to access our website including what type of device it is

• What operating system you are using

• Device settings

• Application IDs

• Unique device identifiers

Whether we collect some or all this information often depends on what type of device you are using and its settings.

Do you share my information?

We use Google Analytics, a web analytics service provided by Google, Inc. ("Google"). The information generated about your use of our website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our website, compiling reports on website activity for website operators and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. Google will not associate your IP address with any other data held by Google. Further information about Google’s privacy policy may be obtained from http://www.google.com/privacy.html.

How do you use the information you collect?

We use this information to prevent and detect crime and dishonesty, we also use your information to analyse trends in the pages on our website that are accessed, and improve your website experience. The number of employees with access to this personal information is very limited. Personal information is used anonymously for statistical purposes.

How long do you keep my information for?

The Trust keeps your personal information indefinitely, except cookie data which we will retain only for so long as we have your consent.

How do you comply with the law?

We can legally use your information because we have a legitimate interest, which is to help us prevent and detect crime or dishonesty, such as a cyber-attack. We also have a legitimate interest in knowing which parts of our website individuals are accessing, to help us understand what services individuals are interest in. We rely on consent for the use of cookies and you can find more information in our cookie policy.

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention period

IP address, your device ID

Legitimate interest

GDPR Article 6(1)(f)

 

 

Please see our cookie policy

Cookie information

Consent

GDPR Article 6(1)(a)

 

 

Please see our cookie policy

Marketing, Market Research, & Events

What information do you collect and use?

We collect and use your personal information for use in marketing of the care the Trust provides. We also use the information to publish news stories about the work that we do.

We collect information from you which may include:

• Information that identifies you, basic details such as name, date of birth, address, telephone number, and email address

• Photograph

• Feedback

Do you share my information?

Where you have consented, your information (such as a photograph) can be shared to individuals who receive marketing materials or publications, and you will receive marketing materials or publications where you have agreed to receive them.

How do you use the information you collect?

Where you have provided consent, we will:

• Send you service related information via post, email, or text

• Send you newsletters and magazines via post, email, or text

• Invite you to events that we host

• Use your image or feedback in publications and marketing materials about the Trust

• Ask for your feedback about services we provide

• Use your feedback to analyse trends, identify business opportunities, and improve the care we provide

How long do you keep my information for?

We rely on your consent to process this information, and will hold it only for as long as you consent to. Should you wish to withdraw consent at any time, for some or all of the information and if you wish us to erase the information please contact us as soon as possible. If you have subscribed to a e-newsletter, please click the unsubscribe button on the email.

As well as the right to withdraw consent, you also have the additional right to ask for the information to be erased. If the information has been published in the public domain we will remove the information from our website. Where it is reasonably possible for us to do so, we will inform other organisations who are processing that information (such as a shared news story).

How do you comply with the law?

We can legally use your information for two reasons:

• You have provided consent for us to share your personal information for marketing purposes and publishing news stories

• You have provided consent for us to send you marketing materials

I want to know the legal fine print

All organisations must have a legal condition for processing personal information. Some personal information contains sensitive information, this is called special category data. If organisations use special category information they must have a second legal condition. The first legal condition is usually from a piece of EU legislation called the General Data Protection Regulation 2016 (GDPR). The second legal condition may also be from the GDPR, but may be from the Data Protection Act 2018 (DPA), in cases where the GDPR delegates legislative power to EU member states. When the UK leaves the EU, the GDPR will be incorporated into UK law through the EU Withdrawal Bill. These conditions are set out in the table below, along with the specific retention periods.

Information used

Legal condition for using information

Legislative references

Second legal condition for using information (where required)

Legislative references

Retention period

Identity (name, D.O.B, contact details)

Consent

GDPR Article 6(1)(a)

N/a

N/a

Cease processing when consent withdrawn.

Photograph (non-employee)

Consent

GDPR Article 6(1)(a)

N/a

N/a

Cease processing when consent withdrawn or individual dies.

Photograph (employee)

Consent

GDPR Article 6(1)(a)

N/A

N/a

Cease processing when consent withdrawn or employee leaves.

Legal and Regulatory Obligations

We may receive requests for information from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence. When we receive these requests we will inform you as soon as possible. There are circumstances in which we cannot inform you that information is used or shared, because it may prejudice the work of law enforcement agencies and other organisations.

We may be required to use and keep personal information for legal reasons, such as the prevention, detection, or investigation of crime or fraud. We may also use personal information to meet our internal and external audit requirements, and information security purposes.

Security

We are committed to keeping your personal information secure. We have put in place physical, electronic and operational procedures intended to safeguard and secure the information we collect. All OSJCT employees have a legal duty to respect the confidentiality of your information, and access to your confidential information is restricted only to those who have a reasonable need to access it.

We do not hold any information outside the EU.

When using an OSJCT website, you will notice that the URL starts with HTTPS and you see a locked/green padlock symbol. This means that your information will be encrypted in transit when it is sent from your computer to our server. However, we cannot ensure the security of your information when it is being transmitted to our website or other digital sites from other pages. All transmission of personal information and other information is done at your own risk.

Information submitted to OSJCT through a website is normally unprotected until it reaches us. In addition, users are also requested not to send confidential details or credit card numbers, for example, by email.

We are continuously implementing and updating administrative, technical, and physical security measures to help protect unauthorised access, loss, destruction or alteration of information and information.

Your rights

Under the General Data Protection Regulation, individuals (data subjects) have a number of rights which are detailed below. Some of these only apply in specific circumstances and are qualified in several respects by exemptions in information protection legislation. We will advise you in our response to your request if we are relying on any such exemptions.

Access to personal information

You have a right to request a copy of the personal information that we hold about you. Should you wish to make such a request, you can contact the Information Governance Officer at informationgovernance@osjct.co.uk. You should include adequate information to identify yourself and such other relevant information that will reasonably assist us in fulfilling your request. Your request will be dealt with as soon as possible.

Right to rectification (correction)

You can request us to rectify and correct any personal information that we are processing about you which is incorrect. We provide you with account settings and tools to access the information associated with your account.

Right to withdraw consent

Where we have relied upon your consent to process your personal information, you have the right to withdraw that consent. To opt out of marketing, you can use the unsubscribe link found in the email marketing communication you receive from us. For other marketing preferences you can contact us, providing details of services or marketing that you wish to opt-out.

Right of erasure (right to be forgotten)

You can request us to erase your personal information under certain circumstances. This right only applies in certain circumstances, it is not a guaranteed or absolute right.

Right to data portability

This right allows you to obtain your personal information in an electronic format, where you have provided information to us with your consent, or where the information was necessary for us to provide you with our services or employment. You can request that the information be given in a format which enables you to transfer that personal information to another organisation. You may have the right to have your personal information transferred by us directly to the other organisation, if this is technically feasible.

Right to restrict processing of personal information

You have the right in certain circumstances to request that we suspend our processing of any or all your personal information. Where we suspend our processing of your personal information we will still be permitted to store your personal information, but any other processing of this information will require your consent, subject to certain exemptions. This could restrict the ability of the Trust to care for residents and pay employees.

Right to object to processing of personal information

You have the right to object to our use of your personal information which is used where we feel that we have legitimate interest. However, we may continue to process your personal information, despite your objection, where there are compelling legitimate grounds to do so or we need to process your personal information in connection with any legal claims.

Rights relating to automated decision making and profiling

You have the right not to be subject to a decision which is based solely on automated processing (without human involvement) where that decision produces a legal effect or otherwise significantly affects you. This right means you can request that we involve one of our employees or representatives in the decision-making process.

Changes to our Privacy Policy

This copy of the policy was last updated on 22 July 2019. We review and update this privacy policy regularly. The latest copy of this policy can be found on our website, www.osjct.co.uk. If we make changes to this Privacy Policy, we will post the revised Privacy Policy in the news section of our website and update the “Last Updated” date at the top of this Privacy Policy.

 

Artboard 2

Join our mailing list

Your Name
We will use this information provided above to contact you in the future. For further details on how your data is used and stored, please see our privacy policy.