Data Protection and Privacy
General Data Protection Regulations (GDPR):
Your privacy and the protection of your personal/company information is important to us.
Data Protection law changed on 25th May 2018 and this policy sets out most of your rights under the new laws and explains how we collect, use, store and protect data and personal/company information.
This policy applies to Service Users (and their representatives), Employees, Suppliers, Local Authority and all others.
We may update this policy again as necessary.
Connective Care Education are required at all times to comply with legislation to ensure all data and information it holds is protected. All methods and mechanisms which are used to store, retrieve and/or disseminate data must also satisfy the requirements of the General Data Protection Regulations and all processes and procedures should be carried out in line with professional best practice and legislation.
The organisation understands that, according to the GDPR, data should:
- Be obtained fairly and lawfully.
- Be held for specified and lawful purposes.
- Be processed in accordance with the person’s rights under the GDPR.
- Be adequate, relevant and not excessive in relation to that purpose.
- Be kept accurate and up to date.
- Not be kept for longer than is necessary for its given purpose.
- Be subject to appropriate safeguards against unauthorised use, loss or damage.
- Be transferred outside the European Economic Area only if the recipient country has adequate data protection.
- Only be used for Marketing purposes in line with company policy.
- Only be shared in line with company policy.
Connective Care Education is required at all times to comply with the GDPR to ensure all data and information it requests, and holds is protected. All methods and mechanisms which are used to store, retrieve and/or disseminate data must also satisfy the requirements of the GDPR and all processes and procedures should be carried out in line with professional best practice.
No Employee, Service User, Service User Representative, Supplier etc are to share or provide any others personal or company data without permission from the company. All requests for data or information should be passed to the Data Protection Officer.
What information we collect about you:
The personal or company information you provide us with (name, email address, address and telephone number, bank details etc) will be used to pay you, send details of your pay ie. pay advice/payslip etc, communicate with or contact you to talk to you about any Connective Care Education or services you request/provide.
We collect this information when you fill in forms on our website or at events, office based inductions, service user inductions/reviews, supervisions, supply invoices or when you communicate with us by post, phone or email including when you request services, request information to be sent to you or subscribe to our social media.
We may need to collect additional information in relation to employment law, legal requirements or to provide the services you have requested from us and to carry out our obligations arising from any contracts between you and us. This may also mean sending your details to third party service such as Locality Authority, Safeguarding etc. Our legal basis for collecting this information and sharing it in this way is to enter into a contract with you.
In relation to application forms for employment we will keep these only for an acceptable timeframe and in line with legislatory guidance – also in case a suitable vacancy arises within 3 months of application.
How we use your information for marketing purposes:
We may wish to send you news about the industry and about our items and services which may be of interest to you. This may be by post, telephone, email and text message. We will not use your personal or company information for these purposes, unless you have given your consent by ticking the appropriate boxes on the form we use to collect your personal information.
If you have consented to receive marketing information but later change your mind, you have a right to opt out any time. This can be done at any time by notifying us by email.
If you no longer wish to be contacted for marketing purposes by telephone, text message letter or email, please contact us in writing at Connective Care Education, 13 -14 Centre Court, Treforest Industrial Estate, Pontypridd, CF7 5YR.
Our emails may contain tracking facilities within the email. Your activity may be tracked and stored in a secure database for future analysis and evaluation. Such tracked activity may include: the opening of emails, the clicking of links within the email, dates and frequency of activity. Our legal basis for processing this data in this way is for our legitimate business interests as this information is used to refine future email campaigns, supply you with more relevant content based around their activity and provide you with you company/payroll data.
How long we keep your information:
We will not retain your personal or company information for longer than is necessary to provide our items or services and we will remove it from our system once our items and services are complete. An exception will be if we are required to do so for legal or regulatory requirements.
If you consent to marketing, your information will be used for marketing purposes and will be kept on our systems until you notify us that you no longer wish to receive this information and unsubscribe.
A log of the care/service enquiries will be kept for business analysis, but no personal data will be stored after one month.
Details of employment enquiries will be kept for business analysis, but no personal data will be stored after 3 months or as per employment law/other regulations specify.
How we store and transfer your information:
All personal or company information we collect is processed by our staff. For the purposes of IT hosting, maintenance and marketing this information is located on servers within the U.K and America and may be transferred to and stored outside the European Economic Area. By submitting your data, you agree to this transfer, storing and processing.
We are committed to ensuring that your information is kept secure. We maintain strict security standards and procedures to prevent unauthorised access to your data. We have put in place a variety of physical, electronic and managerial procedures to protect the security of your data. Our staff and any third-party suppliers are supplied with and required to adhere to our privacy standards.
We only retain records for 5 years after end of service or employment and then destroy.
Who we share your information with:
We will not share or sell your information for marketing purposes with other companies.
We may need to share your information with third party services and product providers so that we can provide the items and services requested from us to carry out our obligations arising from any contracts between you and us.
We may also share your name and email information with other parties in relation to employment and service provision who are all subject to all entities which require them to process your data only in accordance with legislation.
We may disclose your personal information to other third parties in the following situations:
- if Connective Care Education is sold to a third party, in which case personal or company data held by us about you will be one of the transferred assets.
- if we are under a duty to disclose or share your personal or company data to comply with any legal/health and safety obligation.
- if we are under a duty to disclose or share your personal or company data to comply with requests from Local Authority, Police, Safeguarding/POVA teams, HMRC, Works and Pensions, ICO etc
By submitting your data, you agree to this transfer and processing of your data.
Your rights and how you can access or change your information:
You have the right to request a copy or request correction and/or deletion of your personal or company information.
If you would like to access your personal or company data held by us or want to correct or remove information you think is inaccurate, please write to us at Connective Care Education, 13 – 14 Centre Court, Treforest Industrial Estate, Pontypridd, CF37 5YR.
We will process your request no later than 20 days after you ask us.
We will then evoke though the appropriate procedure/forms for action.
Our website and your information:
External links: Our website contains links to and from other third-party websites or social media sites. We cannot be held responsible for the security of these sites and we advise users to read the privacy policies of other websites before registering any personal data.
Enquiry form data: The online enquiry form requires a user to enter personal information to allow us to contact you about the items and or services you requested. This information is stored in a secure database and not in a cookie. It is not readable by other websites. The transmission of information via the internet is never 100% secure. We will do our best to protect your personal or company information, but we cannot guarantee the security of your information transmitted from our website via our forms. Any transmission is done at your own risk.
The following is provided for guidance to enable adherence to the security and protection of data and the handling of related media:
- Data, information and media must only be accessed, processed and transmitted as and when required by authorised persons for Connective Care Education business purposes and must not be accessed, viewed or processed in any way for casual or personal use.
- Formal Information Sharing/Exchange policies and procedures must exist across all Connective Care Education departments where information sharing, and exchange is required or occurs between Connective Care Education and any external partner or organisation.
- Connective Care Education where possible provides a process by which requests may be made to the IT Service Desk for data which needs to be encrypted on portable media such as laptops, memory sticks and DVDs/CDs. This will ensure that the security and integrity of data being delivered/transported to other Connective Care Education locations, external organistions and partner agencies is maintained and cannot be intercepted/amended. Encryption levels of data on such media must be a minimum of 128bit AES – in line with Connective Care Education Encryption Policy. Sensitive and personal/company data must not be faxed to an unsecured location under any circumstances. All requests for encrypted media must be requested via the IT Service Desk.
- Where in place Formal Information Sharing/Exchange agreements should (where appropriate) detail the responsibilities, technical and procedural control standards, liabilities and any special controls that may be required in order to ensure the secure information exchange through all communication methods.
- All information assets should (where appropriate) be classified and appropriately marked to determine the level of security protection (including backup, storage, encryption, maintenance, records and audit requirements) they are afforded based on risk assessments.
- Paper files, removable media and other records or documents containing personal, company or sensitive information and data must be kept in secure environments in line with Connective Care Education Tidy Desk Policy and not removed, transmitted, transferred or copied in any form (including physical transfer or electronic communications method) that, if loss or interception occurs, introduces an unacceptable risk of disclosure, theft, or damage of data and information.
- If media contains sensitive or person identifiable information and data you cannot physically secure your workspace or area, you must store any such media securely within a locked cupboard, drawer, office or other securely ‘locked’ environment.
- The use of courier contractors to transfer information/media is restricted to organisations and agencies with which Connective Care Education has formal contractual agreements.
- Personal or sensitive information and data held on, or transmitted between, electronic systems and the systems themselves, are protected by the implementation of procedural and technical controls that reduce risks of interception, unauthorised disclosure, loss or unauthorised alteration to acceptable levels.
- Person identifiable or sensitive information and data is not transmitted via electronic messaging services including email unless appropriately protected and with the approval of IT Manager. The transmission of person identifiable or sensitive information by SMS text and Instant Messaging services is not permitted under any circumstances.
- The retention of information must be defined by retention policies which meet the requirements of Connective Care Education, contract or UK legislation and appropriate procedures must be implemented to ensure that information is held securely and is safely retrievable on request.
- Sensitive or personal information and data held on any media must be physically destroyed when due for disposal or no longer required. Procedures for identifying media that requires secure disposal must be implemented and an audit trail of any media passed to external organisations must be maintained. Where specialised disposal techniques are required, media must only be passed to reputable organisations dealing with secure disposal of information with whom Connective Care Education has formal contractual agreements. Backup data/media no longer required must be disposed of securely and with due environmental consideration (WEEE Directive).
- All sensitive and person identifiable information and data stored on portable media must be Connective Care Education supplied media and encrypted in line with Connective Care Education Encryption.
- If any data is held on a mobile device, the device must be secured with pin/password.
By receiving or providing services or being an employee, you are agreeing to this policy and its contents.
How to contact us:
If you are not happy with how we collect and use your data, we would be grateful if you contact us first so that we can try to resolve it for you. If you aren’t satisfied with our response you have the right to complain directly to the Information Commissioner’s Office at this link https://ico.org.uk/make-a-complaint/.
General information about data protection or accessing data and guidance about what to do can also be viewed here https://ico.org.uk/your-data-matters/your-right-to-get-copies-of-your-data/.
If you no longer wish to be contacted for marketing purposes by telephone, text message letter, or email, if you would like to access your personal or company data held by us or want to correct or remove information you think is inaccurate please contact us in writing at Connective Care Education, 13 -14 Centre Court, Treforest Industrial Estate, Pontypridd, CF37 5YR, or email at firstname.lastname@example.org
Our Data Protection Officer is Paul Rees (Managing Director)