WHO ARE CAREFIRST CARE SERVICES LTD IN TERMS OF DATA CONTROLLERS AND PROCESSORS?
Carefirst Care Services LTD provide social care staffing, training and board room hire to businesses in England. To offer these services, we must store and process data for operational, marketing, legislative, compliance and contractual requirements.
THE PRIVACY NOTICE
This privacy notice explains how Carefirst Care Services LTD collects/receives data, how we process any data we collect/receive, who we collect/receive this data from, why we collect/receive the data, and what happens to the data. Our privacy notice also details your rights and how we manage subject access requests and your right of erasure. This privacy notice details how we comply with our legal obligations under the General Data Protection Regulation 2018. Your privacy is important to Carefirst Care Services LTD and we are committed to protecting and safeguarding data privacy rights.
WHO DOES THIS PRIVACY NOTICE APPLY TO?
This policy applies to customers, prospective customers, previous customers, care staff, support staff, nursing staff, branch staff, website and company social media users, branch and field based staff, suppliers of products/suppliers.
CANDIDATE AND WORKER DATA, WHAT WE COLLECT AND WHY?
Any applicant that applies for a role at Carefirst Care Services is entered onto a secure company database of candidates. This includes any information that has been offered to us on their CV. Applications made to Carefirst Care Services can be by telephone, website, third party job board or recommendation. Additionally, we may store and contact any CV that is made available to us through a third-party job board website that complies with the General Data Protection Regulation 2018. Information that is stored on our candidate database is: Name, Address, National insurance number, Date of Birth, Health Declaration, Driving License Information, Previous Work History, Education Dates, Telephone number(s), email address(es) and signature. This is the only information stored on the company database at either application, engagement or post engagement status.
Prior to an interview taking place, an application needs to be completed and proof of identity, right to work in the UK and proof of address must be copied, and stored with the application form for industry compliance and regulation. Our application form collects the following information: Name, Address, National Insurance Number, Education History, Current and previous employment, Reference contact information, Next of kin contact information and Criminal record information. The proof of identity needs to be either a Passport and/or Birth Certificate and/or Driving license. The proof of right to work in the UK needs to be: Passport or EU Identity Card. A VISA is necessary if the applicant is not an EU citizen. A marriage certificate, decree absolute or name change document will need to be copied and stored with the application form to substantiate any name changes. The proof of address needs to be a utility bill, bank statement or a driving license and there must be two different company issue proofs of address.
A Disclosure and Barring Service (DBS) application must be made on behalf of the applicant to risk assess the individual working with vulnerable people. This is industry regulation and is essential. To process a DBS application, we only use the information provided on the application form, and the proofs of ID, right to work and address that are taken before, after or during interview.
References must be taken from those named on your application form to assess your suitability to work within the role that you have applied for. These are kept in your personnel file and you have the right to access these should you wish to.
All the data is stored in individual personnel files that are inside a locked cupboard. This is inside the local branch which is a building that is locked and alarmed with CCTV.
Upon leaving any engagement with Carefirst Care Services, your personnel file is scanned onto our encrypted secure cloud system and archived for 6 years. Once scanned, the documentation is securely shredded for which a certificate is given for proof of being securely destroyed.
AGENCY AND TRAINING CUSTOMER DATA
To market our services to individuals employed within a company we only store first name, last name, role, work address and work email address. This is so that we can effectively offer our services to businesses that may be of interest. These details are stored in a secure Customer Relationship Management (CRM) software. We regularly update this information to ensure that our marketing strategy remains effective. For those that wish for us to not enlist their information only the company’s public information shall be held such as: Company name, Address, generic email address and telephone number.
For any customer that uses our services, we collect the following data:
Company name, Company address, Signed terms of business, Responsible person’s name and email address for: Invoicing, Payroll, Training, Shift cover, Deputy Manager, General Manager, Clinical Care Lead, Nurse in charge and Team Leader. Only one or some of these may be applicable. This information is to enable us to offer and provide the most effective service(s) to our customer. Service reviews are completed periodically and only collect the name of the individual that has taken part in the review with a Carefirst Care Services member of staff. The company information is stored securely in our CRM software. The terms of business and service reviews are stored on our encrypted online cloud storage in the customer’s individual folder.
Any customer that has not used our services for a period of 6 months remains active on our CRM and online storage system. We will remove anyone that requests their right to erasure. Where we regularly update our relevant customer information, we will delete and remove anyone that no longer works in the company and update our records accordingly. This is so that we can offer the most effective marketing process to our customers for when they need to use our services.
TRAINING ATTENDEE DATA
Each training attendee must sign in on an attendance record for certification, proof of training and compliance purposes. We require the attendee’s first name, last name and signature. For some courses, a practical record document must be completed in addition to the attendance record and this document collects the name and signature of the attendee. This is stored with the attendance record.
For some course compliance such as moving and positioning, a health and safety declaration document may need to be completed. The data that we collect on this document is: First name, Last Name and Signature.
All training courses will have one or more accompanying worksheets/workbooks to complete. Each must have the attendee’s first and last name for identification purposes.
For training expiration reminders and marketing, we collect an email address from the attendee. This information is stored on our CRM and training database. If opted in, we will send them a training course expiration reminder email so that they can rebook to remain compliant. This email will also contain the next available course for them to book onto. From time to time, we will also send out marketing information of available courses, and company update information.
All training records remain the property of Carefirst Care Services until the invoice is paid. The training records are stored in a secure cabinet within the local office that is secure and alarmed with CCTV. Once a training invoice is paid, Carefirst Care Services send out the training documentation to the individual that booked the training for the attendees. This is sent out by Royal Mail. For compliance and proof of training, Carefirst Care Services must retain copies of the attendance records, health declarations and practical session record only. These are stored in a paper archive system inside a locked cabinet within a secure and alarmed building with CCTV.
WHAT DATA CHANGES AND HOW DO WE MAINTAIN ACCURATE DATA?
People’s job roles change from time to time. We must ensure that we obtain the right contact information for our prospective customers to market our services effectively. Carefirst Care Services always initially use public information to contact relevant businesses to ascertain contact with relevant unknown individuals to see if our services would be of interest. At a point that they may be of interest and someone opts in to our marketing information and/or communications, they will be able to offer us consent to communicate with them. From time to time, we will contact businesses with the relevant information to ensure the data that we hold is correct.
If someone has moved on and is no longer within the role we are confirming, their details will be deleted and we will, if the individual so wishes, update the records.
We call the updating and maintenance of such records customer reconciliation. Should anyone wish to be removed from our database, they have the rights as set out under the ‘your rights’ sub heading.
We need a small amount of information from our suppliers to ensure that things run smoothly. We need contact details of relevant individuals at your organisation so that we can communicate with you. We also need further information such as bank details to pay you for the services that you provide. Should you decline to provide us with such data, we may not be able to fulfil contractual requirements, and in some cases, may not be able to continue our relationship.
WHAT WEBSITE DATA DO WE COLLECT?
What we collect and why: We use traffic log cookies to identify which pages are being used. This helps us to analyse data about web page traffic and improve our website by tailoring it to customer needs. We only use this information for statistical analysis. Following this, the data is removed from the system. Cookies help us to provide you with a better website experience by monitoring the pages that you do not find useful. A cookie does not in any way give us access to your computer or personal information other than the data that you choose to share with us. You can choose to either accept or decline cookies. Our website does have a banner where you will be able to choose whether to accept or decline the cookies. If you accept, you will not be asked again for another 30 days unless you delete the cookies from your browser. If you do choose to decline cookies, this may prevent you from taking advantage of our full website as some elements of our site do require cookies to be accepted.
HOW DO WE STORE DATA AND WHERE?
All our offices of Carefirst Care Services LTD are securely locked and alarmed with CCTV. Upon entering a Carefirst Care Services office building, you understand that CCTV is being recorded for the safety of the business.
Paper documentation is stored in locked cabinets.
Computer based files and scanned documentation are stored in our online cloud which is password protected and encrypted.
Our telephones containing any contact information are password protected with a weekly encrypted back up.
Our computers, laptops and iPads are all password protected with anti-viral software.
Otherwise, all our business operation is carried out using online systems that are all password protected and encrypted where possible.
Our rota system is a password protected online secure rostering system.
Our recruitment system is a password protected online secure recruitment system.
Our Customer Relationship Management (CRM) is a password protected online secure CRM system.
Our Payroll system is a password protected online secure payroll system.
Our invoice systems are all password protected and online secure payroll systems.
Our marketing system for storing subscribed email addresses is an online secure marketing and CRM system.
Any documentation from these online systems will be stored within filing cabinets in the relevant Carefirst Care Services LTD branch. Alternatively, they will be securely shredded by our paper shredding provider.
HOW LONG DO WE KEEP DATA?
We store all data for 6 years. This is to meet industry regulation and law. We are required to store data for compliance and/or tax purposes. Carefirst Care Services can securely shred data or delete any data before 6 years at the request of the individual the data concerns. However, we do need to keep a record of the request and an archive entry.
HOW DO WE DISPOSE OF YOUR DATA?
All paper data is shredded via a secure shredding company of which a certificate is given as a proof of being destroyed securely. All online data is securely deleted or destroyed.
HOW CAN YOU ACCESS THE DATA WE HOLD FOR YOU?
If we hold any of your data, you still have various rights in relation to it and you can contact your local branch in writing. This is called a Subject Access Request. You will find the local branch contact details in the ‘contact information’ section at the bottom of this privacy notice. We will endeavour to deal with your request without delay in accordance with the applicable laws. Please note, we may keep a record of your communications to assist us to resolve any issues that you raise.
To comply with your Subject Access Request, we will need you to verify your identity and ask for more information about your request. We may decline your request where we are legally permitted to do so.
HOW CAN YOU AMEND YOUR DATA?
You can contact your local branch by phone, email or writing to update and amend any data that we hold for you using the contact information below on this notice.
HOW CAN YOU OBJECT?
We will only use data if we deem it to be necessary for our legitimate interests. However, if you do not agree, you have the right to object. You will need to contact your local branch in writing to withdraw your consent. We will respond to you in writing within 30 days. Please note that in some cases, we may be allowed to extend this period.
HOW CAN YOU WITHDRAW CONSENT?
We will gain consent to communicate with you, however, if you wish to, you may withdraw this consent. You can do so at any time. However, please note that if you engage with Carefirst Care Services this is likely to end our relationship.
HOW CAN YOU EXERCISE YOUR RIGHT TO ERASURE?
In some cases, you have the right to erasure. You can raise a request to erase your personal data. You will need to raise this request in writing using the contact information at the end of this notice. We will respond to your request in writing within 30 days. Please note that we may be allowed to extend this period in some cases. There are some limited conditions where we are unable to erase personal data and that is under Health and Safety and HMRC requirements. If we do agree to your request, we will erase your data but assume that you would prefer us to keep a note of your first and last name on a register of individuals who would prefer to not be contacted. This way, we will minimise the chances of you being contacted in the future. If you prefer us not to do this, you are free to notify us.
HOW CAN WE PORT YOUR DATA?
Should you wish to, we are able to assist you in porting your data to another data controller. We can supply you with your data so that you are able to offer this to another data controller.
HOW CAN YOU COMPLAIN?
You have the right to lodge a complaint with your local Carefirst Care Services branch in writing. Alternatively, you have the right to lodge it with the Information Commissioner’s Office. You will find the relevant contact information at the end of this notice.
The right to access any data that we hold of you through a data subject access request
The right to erasure
The right to be informed
The right to restrict processing
The right to rectification
The right to object
The right to data portability
The right not to be subject to automated decision making and profiling.
Carefirst Care Services – Colchester
25 Cansend Road
Tel: 01206 585195
Carefirst Care Services – Ipswich
Delta 8, West Road
Tel: 01473 353503
Information Commissioner’s Office
Tel: 0303 123 1113 or 01625 545745