This policy was formulated in 2018 in line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
This policy forms part of Hexagon Care Service’s Privacy Compliance Framework (PCF)
At Hexagon Care Services (HCS), we are committed to protecting and respecting the privacy of all service users, staff, and any other person whose data we process in any way shape or form.
This Policy explains when and why we collect personal and special categories of information (data) about people who use our services, work for, or with us.
Personal information is not collected if you use our website, however some statistical information is collected about our website users through the use of ‘cookies’, please see section 10 for full details about this.
Any questions regarding this Policy and our privacy practices should be sent by email to firstname.lastname@example.org, or by writing to us at Hexagon Care Services, Unit 1 Tustin Court, Preston, Lancashire, PR2 2YQ. Alternatively, you can contact us by phone on 0333 600 6600.
2. Who are we?
Hexagon Care look after and provide education to some of the most vulnerable and complex children within our society. As a company we also provide services to vulnerable adults ensuring they can live safely with support in the community. We are a national organisation with over fifty individual services employing over five hundred staff. We work in partnership with a myriad of local authorities and specialist agencies nationally.
3. Collecting personally identifiable information
We obtain personal information (data) and also special categories of data (health information etc.) about our service users at the point of referral, this is to meet legal obligations outlined in the Children’s Homes Regulations 2015, to enter into a contract with a local authority, and to protect the vital interests of the service user whether child or adult. If the referral does not result in a placement being offered then this data is deleted permanently.
If a placement is offered, and we begin to provide services, then we continue to process this information for all the reasons identified in the above paragraph, and obviously to provide health and social care services to the service user. The legal justification for this collection is compliant with articles 6 and 9 of the General Data Protection Regulation (GDPR).This information in only retained for a period of time identified in the Children’s Homes Regulations 2015.
Personal and special categories of information (data) is collected pertaining to our staff at the point of application for employment and then on an ongoing basis throughout any term of this employment. This is necessary to perform a contract with our staff, to meet legal obligations (such as for tax HMRC purposes), to exercise specific rights of the organisation in the field of employment, and to assess the working capacity of employees. This collection and processing is again justified in article 6 and 9 of GDPR.
If you are a visitor to one of our services we will keep a brief record of that visit. This is to meet a legal requirement.
4. Privacy Notices
Whenever we collect information from anyone we always, at the time the information is requested, provide them with the information below, this is called a privacy notice.
Who we are and our contact details;
The contact details of our Data Protection Officer;
The purposes of the collection/processing as well as the legal basis for the processing;
The recipients or categories of recipients of the personal data, if any;
The period for which the personal data will be stored and how you can access our full Retention and Disposal Schedule (this tells you the specific timescale for every single piece of information in the entire organisation).
Your right to request from the us access to and rectification or erasure of personal data or restriction of processing, or to object to processing as well as the right to data portability;
If we require your consent to process information that you can withdraw consent at any time and how to do so.
Your right to lodge a complaint with the Information Commissioners Office and how to contact them;
Whether giving us information is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide this;
The existence of automated decision-making (which we do not use anyway)
5. Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. Any sensitive information is encrypted and protected. We have a policy dedicated to the security of your information, and all our staff are trained on how to implement this policy on a day to day basis. If you would like to see this policy then please feel free to contact the Data Protection Officer using the details contained within this policy.
6. How long do we keep information for?
Whether a staff member or service user we only keep the information for as long as we need it legitimately. It will then be disposed of/destroyed permanently.
For service users most information is returned to the placing authority at the point of discharge. Some other basic information is stored for 15 years post discharge to meet legal requirements. This information is archived.
If you are a staff member the organisation will hold your personal data for the duration of your employment in order to meet its obligations under your employment contract. Some of your personal data will be retained for a set period of time after the end of your employment with the organisation, after which time it will be destroyed. Personal data retained after the end of your employment will only be done so where one of the following applies:
1) You have given your clear consent for us to retain and process your personal data for a specific purpose.
2) The retention of your personal data is necessary for a contract you have with the organisation.
3) The retention of your personal data is necessary for the organisation to comply with the law.
4) The retention of your personal data is necessary to protect someone’s life.
5) The retention of your personal data is necessary for the organisation to perform a task in the public interest or for the organisation’s official functions, and the task or function has a clear basis in law.
6) The retention of your personal data is necessary for the organisation’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The specific periods for which your data is held after the end of your employment are detailed in the organisation’s Retention and Disposable Schedule which tells you how long we keep every single piece of information for. These are readily available to all HCS staff, and can be accessed by others if required by contacting Hexagon Care Service Data Protection Officer using the contact details provided in this policy.
7. Who has access to your information?
Only people within our organisation that have a definite need to have information about our staff and or service users will do so. We will never share your information with third parties for marketing purposes.
Service Providers working on our behalf
We may pass your information to some of our service providers, IT providers, private payroll companies etc.). However, when we use these organisations, we disclose only the personal information that is necessary to deliver our services or employment obligations to our employees and we have a contract in place that requires them to keep your information secure and not to use it for any purpose that we do not specify in our contract with them. We will never let them share your information for marketing purposes. Please be reassured that we will not release your information to anyone else unless we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
8. How you can access and update your information
The accuracy of your information is important to us. We request that all staff contact Human Resources (HR) if and when any details change to ensure accuracy. This is specified in our staff handbook and our Privacy Notices.
9. Your rights
As a company we are committed to facilitating your rights wherever possible. We are transparent and accountable in this and all other areas of compliance with Data Protection Legislation (General Data Protection Regulation – GDPR). You have the following rights:
The right to be informed – this means that you must be told what information we are using, why and for what purpose;
The right of access – you have the right to see what information of yours is being processed if you request it, unless otherwise stipulated in law;
The right of rectification – if your data is wrong, it must be corrected;
The right to erasure – you can demand that all data of yours is erased unless we have legal justification to retain it;
The right to restrict processing – you can demand that we stop using your data unless we have a legitimate legal basis for continuing to do so;
The right to data portability – you can decide to move your data to another processor and we have to provide them with all your data so you can do this. This however only relates to data collected by automated means. This would rarely be applicable within HCS;
The right to object – you can object to the use of your data and we must stop using it unless we have an overriding legitimate reason to continue.
Rights in relation to automated decision making or profiling – you can demand that automated decisions about you are reviewed by a human. At HCS we do not use automated decision making anyway.
10. Use of ‘cookies’
A cookie is a small file of letters and numbers that we place on your computer; our website uses up to 5 different cookies. These cookies allow us to distinguish you from other users of our website, which helps us to provide you with a better experience when you browse our site.
The cookies we use are session cookies and analytical cookies.
These cookies allow us to ensure that our site functions correctly and operates efficiently when you use it. Session cookies expire once you have closed our website and are not stored once your visit has ended, they are generally not considered to be invasive of your privacy.
This type of cookie allows us to recognise and count the number of visitors to our site and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example by ensuring that users are finding what they are looking for easily. Please see our Cookie Use Information on our website for further information.
It is possible to stop your browser and/or mobile device accepting cookies either generally or from specific websites. However, you may find that some aspects of our website stop working or work less well if you do this. For this reason, we do not recommend turning cookies off when using our website.
All modern browsers allow you to change your cookie settings. These settings will typically be found in the ‘options’ or ‘preferences’ menu of your browser. In order to understand these settings, you should use the ‘Help’ option in your browser for more details.
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Our site uses Googles universal analytics code which supports data collection without browser cookies, this means that data can be collected even if cookies are cleared or disabled. To opt out of being tracked by Google Analytics across all websites please visit https://tools.google.com/dlpage/gaoptout
11. Links to other websites
In addition, if you linked to our website from a third party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of that third party site.
12. Transferring your information outside of Europe
We will not transfer your information outside of the European Economic Area.
Review of this Policy
We keep this Policy under regular review. This Policy was last updated in July 2020.