Privacy Notice – Customer
It is important that you read this privacy notice carefully, together with any other similar or additional information that SLC Care Ltd T/A Healthcare Matters (‘the Company’) may give you about how it collects and uses your personal data. The Company takes the security and privacy of your personal data seriously and it has a duty to notify you of the information contained in this privacy notice. This privacy notice explains how the Company will hold and process your personal data and about your rights.
When the Company processes your personal data, it is acting as a ‘data controller’. This means that it determines the purpose and means of the processing of your personal data. The Company’s contact details are Healthcare House, High Street, Pentre Broughton, Wrexham, LL11 6AG (‘Head Office’). Telephone 01978 758111. Email email@example.com.
The Company’s Data Protection Officer is Lynda Spiby, who can be contacted at the Company’s Head Office. Telephone 01978 758111. Email firstname.lastname@example.org.
It is important that the personal data the Company holds about you is accurate and up to date. If applicable, please keep the Company informed if your personal data changes.
You should direct any questions in relation to this privacy notice or data protection to a Director or the Company’s Data Protection Officer.
This privacy notice does not give you any contractual rights and can be amended by the Company at any time. It is intended that this privacy notice is fully compliant with the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) (or such other legislation that may replace or amend the 2018 Act and GDPR). If any conflict arises between those laws and this privacy notice, the Company intends to comply with the 2018 Act and the GDPR.
THE PERSONAL DATA WE COLLECT AND WHERE IT COMES FROM
‘Personal data’ means information which relates to a living person who can be identified from that data on its own, or when taken together with other information which is likely to come into our possession. It includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
We will collect and use the following types of personal data about you (where applicable):
- your contact details such as name, address, email address, telephone number etc;
- funding information;
- card payment details;
- contact details of somebody acting on your behalf and their relationship to you;
- details of any health/social care professionals and/or organisations or other professionals and/or organisations relevant to your care and support;
- images from the Company’s CCTV if you visit the Company’s premises;
- audio recordings of telephone conversations with you which take place via the Company’s telephone system;
- information about your health (a special category of data); and
- any other category of personal data which we may notify you of from time to time.
We may obtain your personal data from you or from somewhere else such as somebody acting on your behalf, a health/social care professional and/or organisation or any other professional and/or organisation, a provider of healthcare products and/or services, a funding organisation, a charity, or it could be created by us.
HOW WE PROCESS YOUR PERSONAL DATA
We may use your personal data (including special categories of personal data) for the following reasons (where applicable):
- managing our relationship with you;
- determining which products and/or services we can offer;
- providing our products and/or services to you;
- for administration and accounts purposes;
- carrying out any contracts between us;
- marketing;
- dealing with any enquiries, compliments, concerns and complaints;
- liaising with whoever is acting on your behalf;
- liaising with health/social care professionals and/or organisations or other professionals and/or organisations involved/previously involved in your care and support;
- liaising with funding organisations;
- liaising with charities;
- enabling us to meet any legal and other regulatory obligations imposed on us;
- providing information to regulatory authorities or statutory bodies, and our legal or other professional advisers including insurers;
- retaining a record of our dealings;
- establishing quality, training and compliance with our obligations and best practice;
- complying with health and safety law and other laws which affect us;
- monitoring and protecting the security of the Company, of you, our other staff, customers and third parties if you visit and have permission to be on our premises;
- running our business and planning for the future;
- for Company operations;
- maintaining safety;
- safeguarding;
- preventing and detecting fraud or other criminal offences;
- defending the Company in respect of any investigation or litigation and complying with any court or tribunal orders for disclosure;
- auditing usage of our website;
- conducting data analytics studies to review and better understand how we provide our products and services; and
- for any other reason which we may notify you of from time to time.
THE LEGAL BASIS FOR PROCESSING YOUR PERSONAL DATA
We must have a legal basis to process your personal data (including special categories of personal data). In most cases, the legal basis can be any of the following (where applicable):
- to carry out a contract between us or taking steps to enter into a contract with you;
- to comply with any legal obligation;
- to protect your vital interests or those of another data subject;
- it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us;
- for our legitimate interests (or for the legitimate interests of someone else) if it is necessary. Our legitimate interests include, for example carrying out Company business; Company operations; monitoring and protecting the security of the Company, its property and individuals who have permission to be on Company property; preventing and/or detecting crime; maintaining health and safety; safeguarding; compliance; marketing. However, we can only do this if your interests and rights do not override ours (or theirs). You have the right to challenge our legitimate interests and request that we stop this processing. See details of your rights below.
By law we must treat special categories of personal data with even more care and must have an additional reason for processing this type of data. The additional reason can include any of the following (where applicable):
- where processing is necessary for carrying out rights and obligations under social protection law;
- where it is necessary to protect your vital interests or those of another person where you/they are physically or legally incapable of giving consent;
- where you have made the data public;
- where processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; and
- where processing is necessary for the provision of health or social care or treatment or the management of health or social care systems and services.
Consent is another legal basis for processing personal data (explicit consent is required in the case of processing a special category of personal data). In most situations we will not rely on your consent as a legal basis to process your personal data (including special categories of personal data). If we ask for your consent then we will explain the reason for our request. You do not need to consent and can withdraw your consent later if you choose by contacting a Director or the Company’s Data Protection Officer. If we are relying on consent to process your personal data and you decide to withdraw it, this will not affect the lawfulness of any processing we have carried out that was based on your consent before you withdrew it. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.
If you choose not to provide us with certain personal data, you should be aware that we may not be able to meet our legal obligations and duties. For example, if you do not provide us with your contact details, we will not be able to deal with your VAT exemption application (if applicable). It may also stop us from entering into a contract to provide you with products and/or services, or from carrying out certain parts of a contract between us if, for example, we do not know about your health data.
We do not take automated decisions about using your personal data or profiling in relation to you.
SHARING YOUR PERSONAL DATA
Sometimes we might share your personal data with third parties for us to take steps to enter into an agreement with you, for us to assess whether we can provide you with our products and services, for us to provide you with our products and/or services and for our legitimate interests. We may also share your personal data if the law or a public authority says that we must do so, if we need to comply with a legal or regulatory obligation and if we need to in order to establish, exercise or defend our legal rights. Where such sharing is necessary, we will comply with the requirements of the 2018 Act, the GDPR and our legal obligations.
We do not send your personal data outside the European Economic Area (‘the EEA’). If this changes you will be notified of this and the measures which are in place to protect the security of your data will be explained.
HOW LONG WE KEEP YOUR PERSONAL DATA FOR
We will only hold your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, accounting or reporting requirements. To determine the appropriate retention period for personal data, we shall consider:
- the amount, nature, and sensitivity of the personal data;
- the purposes for which we process your personal data and whether we can achieve those purposes through other means;
- whether the law, our regulatory obligations, accounting or any reporting requirements require us to continue to process your personal data;
- if we need to keep your personal data in relation to establishing, exercising or defending a legal claim;
- whether we have any other need to continue to process your personal data; and
- the potential risk of harm from unauthorised use or disclosure of your personal data.
HOW WE KEEP YOUR PERSONAL DATA SAFE
We will take appropriate measures to secure your personal data and protect it against unauthorised or unlawful processing, as well as against its accidental loss, destruction or damage.
YOUR DATA SUBJECT RIGHTS
You have the following rights to your personal data:
- the right to request a copy of the personal data that we hold (this is commonly referred to as ‘subject access’);
- the right to ask us to rectify information you think is inaccurate or incomplete;
- the right to ask us to erase your personal data (this is known as ‘the right to be forgotten’);
- the right to ask us to restrict the processing of your personal data;
- the right to object to particular ways (one example of this is where your personal data is being processed for direct marketing purposes) in which we are using your personal data;
- the right to receive your personal data in a structured commonly-used and machine-readable format and to transfer that personal data to another data controller (this is known as ‘the right to data portability’);
- with some exceptions, you have the right not to be subjected to automated decision-making.
Your ability to exercise these rights will depend upon a number of factors and in some circumstances, we may not be able to comply with your request, for example, if we have legitimate grounds for not doing so or where the right does not apply to the particular data we hold on you etc.
You are not required to pay any charge for exercising your rights. However, in certain circumstances we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive.
We have one month to respond to you, unless there are specific circumstances in which we can extend the time to respond.
We may need to request specific information from you (or somebody on your behalf) to help us confirm your identity when you wish or somebody on your behalf wishes to exercise any of your rights.
If you have any questions concerning your rights or should you wish to exercise any of your rights, please contact a Director or the Company’s Data Protection Officer.
You have the right to complain to the Information Commissioner’s Office (ICO). You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the website (www.ico.org.uk). This website has further information on your rights and our obligations. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact a Director or the Company’s Data Protection Officer in the first instance.