Effective Date: 20/06/2022
Version 1.0

Introduction

Autograph Care (referred to as “We”, “Our” or “Us”) is committed to protecting the privacy and security of your personal data. We have developed this privacy notice to inform you of the data we collect, what we do with your data, what we do to keep it secure as well as the Rights you have over your personal data.

Throughout this notice we refer to data protection legislation which includes the UK GDPR and other laws mandating data protection including (but not limited to) the Privacy Electronic Communication Regulations (PECR) 2011. This also includes any replacement legislation which may come into effect from time to time.

Autograph Care is a data controller as we have determined the purposes of why personal data should be collected and processed, and this notice is designed to ensure viewers of this notice are well informed of our data processing activities.
This privacy notice also applies to members of our group organisation which includes:

• Walton Manor Care Home
• Monson Care Home
• Inwood House Care Home
• Stoneswood Retirement Home

Each member of our group organisation is considered a separate data controller and not joint controllers with each other or with Autograph Care head office.

As we are based and headquartered in the United Kingdom (UK), we are registered with the Information Commissioner's Office (the ICO) with registration number ZA577342.

You can contact our head office using the following details:

Post:

c/o Browne Jacobson
Victoria House
Victoria Square
Birmingham
B2 4BU

Care enquiries: 0121 222 9574
Care questions: enquiries@autograph.care

Careers line: 0121 222 9576
Careers email: careers@autograph.care

We have also appointed an external data protection officer (DPO) and their details are as follows:

Evalian Limited
West Lodge
Leylands Business Park
Colden Common
Hampshire
SO21 1TH
United Kingdom

Email: dpo@autographcare.co.uk
Phone: +44 (0)333 050 0111
Website: www.evalian.com

Lawful Basis for Data Processing

The UK GDPR requires Autograph Care to identify appropriate lawful bases to process personal data. The lawful bases we rely on as a data controller are detailed below with brief examples of when they may apply:

Consent: For opting into marketing communications and newsletters
Contractual Obligation: To take steps into entering and concluding contracts of employment or residential care homes
Legal Obligation: Where needed for tax reasons such as HMRC purposes
Vital Interests: To ensure we know about medical conditions of our residents should they require medical attention
Legitimate Interests: To help answer any questions or concerns that may be sent to us from individuals who we may have no prior existing relationship with

There may be instances where we need to process certain categories of data referred to as Special Category Personal Data. These may include personal data related to health, race, and ethnicity as examples, but where identified and needed, we will consult our DPO to ensure the relevant special conditions are applied and documented.

Personal Data Collected

Due to the nature of our business and data processing activities we would collect and process various categories of personal data from various data subjects, which includes our residents and employees. The below gives examples of different categories of personal data collected and processed:

• Names (including maiden name)
• Contact and address details
• Financial details
• Health information (mental and physical)
• Family details (e.g., next of kin)
• Care home requirements
• Photographic images
• GP/health care provider details
• Dates of Birth
• Sexual orientation
• Race and Ethnicity
• Recruitment data
• DBS check data

The above list is representative and non-exhaustive.

We collect personal data through several means. Examples can include:

• When you complete any online forms
• When a file is created as a resident or employee
• When you give us feedback (e.g., complaints or compliments)
• CCTV images
• Through health professionals, including GPs, hospitals, pharmacies, and chiropodists
• From local authorities
• Social care services
• Disclosure and barring services
• Friends and relatives

The above list is representative and non-exhaustive.

How We Use Personal Data

We may use personal data for various activities which can include the following activities:

• To onboard you as a new Resident and verify your identity
• To provide health and social care to our Residents
• To administer medication, provide ongoing care, and develop and maintain a Resident ‘Care Plan’
• To provide information to (and receive information from) third-party medical professionals where necessary
• To support equality in service provision from ethnic origin and race data
• To investigate claims or allegations made by Residents and others
• To carry out an assessment of a Resident in respect of decision-making capacity and mobility
• To enable personalised service delivery and to support equality in service provision from ethnic origin data
• To safeguard all of our Residents and our property (which includes CCTV)
• To report to third parties (including local authorities, health professionals, and Resident Contacts) on the wellbeing of Residents
• To monitor website usage
• To process job applications
• Action any data subject right requests
• Process payments or collect any monies owed
• Seek your views or comments on the services we provide
• Notify you of changes to our services
• Handle an enquiry or complaint you have made
• Sending marketing communications and other company updates

The above list is non-exhaustive and representative. For more information on how we use personal data for specific activities you can contact us as detailed above.

Residents and Relationships

We understand that residents in our care homes may form close bonds with other residents. Whilst we encourage our residents to form bonds with each other, we understand these bonds can develop into relationships, including same-sex relationships. We have implemented a Sexuality and Relationship policy to ensure couples of all sexual orientations are cared for and respected in line with our legal obligations under the Equality Act 2010.

Recruitment and Criminal Data Processing

From time to time we may advertise job vacancies on our website for our care homes or head office when they arise. When we receive candidate information, we may receive personal data such as your name, CV information and other information which may be used to help your application to stand out (e.g. licences or certifications). We will be sure to only retain candidate data for as long as reasonably necessary which is typically 6 months if a candidate is unsuccessful.

Recruitment is dealt with internally and by our head office staff in conjunction with the relevant care home (if applicable). No third parties are used as part of this process and personal data of applications is not shared or transferred outside the UK.

All our roles within Autograph Care require background checks. Some roles may require a basic check and some roles may require an enhanced check, depending on whether the role being applied for involves providing care to our residents. More information on this can be found in our recruitment privacy notice.

Children’s Data

Our services are not specifically designed for children and for those under the age of 18. If we do become aware of anyone using our services who may be under 18 we will take all reasonable steps to ensure we do not process their data any further and will communicate this to them directly.

Data Sharing

Due to the nature of our business, there may be times when we are required to share data with other departments and members of our organisation. Examples of when we may need to share data can include for residential care home purposes, recruitment purposes, IT concerns, and any questions or concerns regarding data protection received from other departments.

As mentioned above we may need to share personal data (including special category personal data) of our residents with third parties which can include the following (but not limited to) examples:

• Our third-party IT support providers
• Healthcare providers, local authorities, and emergency services (including the Police if necessary)
• HMRC, Care Quality Commission or other regulatory parties
• External lawyers (including third party lawyers), accountants, auditors, or insurers
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as we currently do, which can also extend to consents for marketing communications

We may also need to share data with any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation or (ii) to exercise, establish or defend our legal rights.

National Opt-Outs

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.

International Data Transfers

There may be instances where we may need to transfer your data outside the UK. We may need to share your data with companies who are in the European Economic Area (The EU member states, Norway, Iceland, and Liechtenstein), in an adequate listed country or in other third countries who may not have similar data protection laws to the UK. If we need to transfer your information outside the UK, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this notice.

Cookies

We use cookies on our websites. More information on how we use cookies can be found in our cookie notices where you can also change your consent.

Third-Party Links

The website may include links to third-party websites. We are not responsible for these websites and how these websites process and collect any of your personal data along with their privacy notice. Should you access third-party websites via links on our website we recommend you read the relevant privacy notice.

Marketing Communications

We would like to send you marketing news and updates regarding our company, products and services should you like to receive them. In order to send you these communications we would require your consent, and you can always change your preferences (i.e. opt out) by clicking on the relevant unsubscribe link at the bottom of the email. You also have the ability to opt out by contacting us over phone or email should you choose to do so.

Automated Decision-Making and Profiling

We do not conduct any automated decision making and profiling within our organisation.

Data Retention

As a data controller we will retain personal data for as long as necessary in line with various requirements, such as best practice recommendations (e.g., ICO recommendations), relevant guidelines (e.g. CQC guidance) or for as long as mandated under specific legislation (e.g. HMRC requirements). We will also determine appropriate retention periods based on our legitimate interests where identified.

Our retention periods include as examples:

Residents: data used for the provision of our service to Residents and kept with Residents’ ‘Care Plan’ is kept for seven years after the Resident has left our care.

Resident Contacts: data used for the provision of our service to Residents is kept for seven years after the relevant Resident has left the organisation. As personal data collected from friends, relatives and visitors is kept with the relevant resident’s ‘Care Plan’, the eight-year retention period applies to data collected from friends, relatives, and visitors.

When data needs to be deleted, we will either delete it manually or anonymise it if deletion is not possible.

Data Security

We have certifications with security frameworks such as Cyber Essentials and Cyber Essentials Plus, and copies of these certificates are available upon request. We also review our certifications annually.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

If we become aware of any loss, misuse or alteration of personal data we will work closely with our IT team, DPO and other parties as necessary to investigate the incident at hand. We have put in place the relevant procedure and policies to investigate, mitigate and report (when needed to relevant parties) such instances.

Data Protection Rights

If you are based in the UK, you have several Rights regarding how an organisation processes your personal data. The Rights are as follows:

• Right to be informed
• Right to access data
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to objection
• Right to portability
• Right not to be subject to automated decision making and profiling

If you would like to exercise any of the above Rights, you can do so by sending us a written request to our email address mentioned above.

Concerns and Complaints

We understand you may have concerns and complaints about this notice and any aspect of how we process personal data. If you would like to contact us directly to talk to us about a concern or to raise a complaint, you can do so by using our contact details above.

You can also submit a complaint directly to the Information Commissioner's Office (the ICO), the UK supervisory authority for data protection, via this link https://ico.org.uk/make-a-complaint/.

Review and Updates

We will review this notice and make changes to it from time to time. We recommend that you check this notice to see where changes have been made and to ensure you are able to review updated information at all times.