Data Protection & GDPR Policy
The company is fully committed to complying with the General Data Protection Regulations 2018 (GDPR). GDPR applies to all organisations that control or process data relating to their employees, as well as to others including customers, contractors and clients. It sets out principles which should be followed by those who control and process data, and it gives new and extended rights to those whose data is being processed.
To this end, the company adheres to the six principles of data protection, as set out in Article 5 of the GDPR.
- Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
- Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
- Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
These principles must be followed at all times when processing or using personal information. Therefore, through appropriate management and strict application of criteria and controls, the company will:
- Observe fully the conditions regarding the fair collection and use of information including the giving of consent.
- Meet its legal obligations to specify the purposes for which information is used.
- Collect and process appropriate information only to the extent that it is needed to fulfil our operational needs or to comply with any legal requirements.
- Ensure the quality of information used.
- Ensure that the information is held for no longer than is necessary.
- Ensure that the rights of people about whom information is held can be fully exercised under the GDPR (i.e. the right to be informed that processing is being undertaken, to access one’s personal information, to prevent processing in certain circumstances, and to correct, rectify, block or erase information that is regarded as incorrect).
- Take appropriate technical and organisational security measures to safeguard personal information.
- Publicise and abide by individuals’ right to appeal or complain to the supervisory authority (the Information Commissioner’s Office (ICO)) in the event that agreement cannot be reached in a dispute regarding data protection.
- Ensure that personal information is not transferred abroad without suitable safeguards.
Status of this Policy
The Policy does not form part of the formal contract of employment for staff, but it is a condition of employment that staff will abide by the rules and policies made by the company from time to time. Any failure to follow the GDPR Policy may lead, therefore, to disciplinary proceedings.
Data Protection Officer & Data Controller
Our Data Protection Officer and Data Controller is Mike Barbier, Operations Manager. Any member of staff, or other individual, who considers that the policy has not been followed in respect of personal data about himself or herself should raise the matter with the above-named person.
Lawful Basis For Controlling & Processing Data (Article 6 of the GDPR)
Employees – Contract
Service Users – Contract & Special Category Data*
Under Article 9 of the GDPR, HASCS must set out its reasons for keeping special category data. With regard to service users, HASCS, as a complex care provider, is required to process data in relation to the physical and mental health of its service users and to keep daily records of any care rendered by its employees to ensure the health, wellbeing and safety of those service users and to comply with its responsibilities under the CQC regulations.
Who we Share Your Data With
1. Checking that any information that they provide to the company in connection with their employment is accurate and up to date.
2. Informing the company of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently. The company cannot be held responsible for any errors unless the employee has informed it of such changes.
Data Security Breaches
Reporting Unauthorised Disclosures
Subject Access Requests (SAR)