This privacy notice sets out how we use the personal and sensitive data we collect and store relating to people we support and our workforce (this includes people we employ directly and contract to work with us). Our Data Protection Team, which includes our Senior Information Risk Owner, Caldicott Guardian and Compliance Officer, inform, advise and monitor our compliance with General Data Protection Regulations and the Data Protection Act (1998). You can contact our Data Protection Team by emailing DataProtection@grayhealthcare.com.
Personal data is any information which identifies an individual person. This data may identify someone on its own (such as someone’s name) or may be used to identify someone when combined with other information (such as someone’s initials and their date of birth).
Sensitive data is information that relates to someone’s characteristics or personal circumstances. In GDPR this is referred to as Special Categories. This may include someone’s health information, salary, political views, philosophical views, sexuality or home address (this is not an exhaustive list).
The data we collect may fall into a number of different categories. We do not collect data on all these categories; for example, we will collect different data for people we support compared with people we employ. The categories of information we process include:
This list is not exhaustive. To access the current list of categories of information we process (data asset register), please contact DataProtection@grayhealthcare.com.
The information we collect and store helps identify how well we are performing and how we can improve the services we provide. We use data to:
Under the General Data Protection Regulation (GDPR), the legal bases we rely on for processing personal and sensitive information for general purposes are:
We collect personal and sensitive information via written communication (emails, forms, applications, referrals etc) and discussions and meetings (assessments, observations etc).
Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this.
We hold data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please email DataProtection@grayhealthcare.com
We will only share information with organisations as part of our lawful basis as set out above, and we will only do so when it is relevant and necessary. We will anonymise data where we need to ensure we do not directly or indirectly share information that is not relevant or necessary. Some examples of organisations we routinely share information with are:
Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please email the Data Protection Team at DataProtection@grayhealthcare.com
You also have the right to:
If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at https://ico.org.uk/concerns/
Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the Data Protection Team at DataProtection@grayhealthcare.com
We review our Privacy Notice on an annual basis, unless we need to do this sooner. This version was last updated on 15th April 2019.
If you would like to discuss anything in this privacy notice, please contact:
Data Protection Team or DataProtection@grayhealthcare.com
Gray Healthcare Limited
2000 Vortex Court