People & Planet & Privacy
ReDress’s Privacy Notice, Policy & Procedures February 2020
Review Date April 2021 - Responsibility of Juli Pops, Director
This Policy should be read in conjunction with
ReDress’s How We….Ensure Confidentiality Policy and Procedures
All Team Members have easy access to this Policy which is kept in the Safeguarding File in the office and can also be found on the wall in the main Group Member training area. All Team Members are trained in this Policy as part of Induction Training. Annual documented training of this Policy is mandatory for all Team Members. All Team Members have confirmed that they have read, understood and will comply with this policy by signing their annual Statement of Terms & Conditions of Employment.
The document “How We…..Welcome Group Members” outlines all the Policies and Procedures that are used to introduce Group Members to ReDress; this includes the People & Planet & Privacy Notice. “How We…..Welcome Group Members” provides Group Members with copies of Policies or informs the Group Member that they can be found on the wall in the main Group Member training area. In addition, a verbal explanation tailored to the needs of the Individual is provided. ReDress provides, documents and evaluates annual training updates of all Policies, including this Policy, with Group Members. Group Members are encouraged to share all ReDress’s Policies, Procedures and Practices with Families, Carers and Friends. ReDress’s “How’s it Goin’?” review form is sent bi-annually to Families and Carers with an invitation to come into ReDress to view and discuss anything relating to ReDress’s Policies, Procedures and Practices.
Sources used in compiling this Notice.
Information Commissioner’s Office
Northumberland County Council Privacy Notice
Northumbria Healthcare NHS Foundation Trust Your Health and Social Care Record
The GDPR sets out seven key principles:
Lawfulness, fairness and transparency
Integrity and confidentiality (security)
These principles lie at the heart of our approach to processing personal data. The General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018) regulate the “processing” of personal data in whatever format including Group Member identifiable information. Processing refers to anything done with the information including its collection, use, disclosure and destruction. The DPA obliges organisations to inform the Information Commissioner that personal information is being processed and to provide data subjects with access to their personal information. The Act requires organisations to detail the purposes for which personal information is used (by data users), and use of data beyond that specified in the registration is unlawful. These notifications must be regularly reviewed and any changes made within 28 days of the date on which the entry became inaccurate or incomplete. An annual fee is paid to the Information Commissioner’s Office (ICO) to maintain notification on the ICO register.
This notice explains why we ask for your personal information, how that information will be used and how we share your information. Information may be collected via a paper or online form, by telephone, email, or by a member of our staff, or passed on to us by people involved in Care, such as Carers and Care Managers. Information may be written (manual records), or held on a computer (electronic records). Please read the following carefully to understand how we will treat your personal information, as by using our services you are accepting and consenting to the practices described in this policy.
Why do we collect information from you?
We need to collect and hold information about you, in order to:
● deliver ReDress services
● confirm your identity to provide some services
● contact you by post, email or telephone
● understand your needs to provide the services that you request
● update our records
● help us to review how we are performing in delivering services to you and identify any changes in ReDress services
● ensure that we meet our legal obligations
We may not be able to provide you with a product or service unless we have enough information about you, or your permission to use that information.
What information can we collect from you?
We may collect and process the following information about you.
Information you give us. You may give us information about you by filling in forms or by corresponding with us by phone, email or otherwise. This includes information you provide when you subscribe to and use our services etc. We process information which may include:
● Personal details such as name, date of birth, address
● Family details, contact details, including details of carers if applicable
● Lifestyle and social circumstances
● Goods and services
● Financial details
● Employment and education and training details
● Visual images, personal appearance and behaviour
● Case file information
● Incident and accident details, membership details
● Accommodation and housing, travel, movement details
● Opinions of the data controller with regard to the data subject
The first principle requires we process all personal data lawfully, fairly and in a transparent manner. Processing is only lawful if you have a lawful basis under Article 6 for this type of data.
Our lawful basis for processing your personal data is that we have a legitimate interest and a contractual obligation.
We also process sensitive classes of information that may include:
● physical or mental health details
● trade union membership
● religious or other beliefs of a similar nature
● lifestyle and social circumstances, sexual life
● medical details, health data, immigration status
To process this special category data, we need to identify both a lawful basis for processing, Article 6, and a special category condition for processing in compliance with Article 9.
Our lawful basis for processing your personal data is that we have a legitimate interest and a contractual obligation to provide you and other members of our organisation with a safe environment. We comply with Article 9(2)(a) of the GDPR in that we ask for explicit consent for the processing of this special category data.
In some circumstances we also process personal data that includes information relating to criminal convictions and offences. This also requires a higher level of protection.
To process data about criminal convictions, criminal offences or related security measures, we need both a lawful basis for processing, Article 6, and a separate condition for processing this data in compliance with Article 10.
For criminal records history, we process it on the basis of legal obligations and a legitimate interest, as working with vulnerable adults is a regulated activity. We comply with Article 10 which says: “Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.” This processing is necessary for the purposes of performing or exercising obligations or rights of the controller. In addition “this condition is met if the processing is necessary for health or social care purposes. (2) In this paragraph “health or social care purposes” means the purposes of— (a) preventive or occupational medicine, (b) the assessment of the working capacity of an employee, (c) medical diagnosis, (d) the provision of health care or treatment, (e) the provision of social care, or (f) the management of health care systems or services or social care systems or services”.
More information regarding criminal convictions can be found in the following document: ReDress Criminal Records and Disclosure & Barring Policy, Procedures and Practices
We also work closely with others and may receive information about you from them. These partners will include, but are not limited to, Carers and Care Managers, Northumberland County Council and Northumbria Healthcare NHS Foundation Trust.
How we use your information
By using our services you consent that we may use your personal information (which may sometimes include sensitive personal information, i.e. medical information etc.) that we collect from you, or from a third party, in accordance with this notice.
Information which you provide us with will be kept securely and will only be used for the purposes stated when the information is collected. For example:
● to progress the service you requested
● to allow us to be able to communicate and provide services appropriate to your needs
● to ensure that we meet our legal obligations
● to process financial transactions
● where necessary, to protect individuals from harm or injury; and
In order to provide you with a good service or investigate complaints, we may use and pass on the information we hold about you to other people and organisations that provide that service, for example to Carers and Care Managers, Northumberland County Council and Northumbria Healthcare NHS Foundation Trust. Information will only be shared with them if they have a genuine need for it, and where possible we will ask for your consent for this; an example of our Consent to Share Information Agreement can be found in Appendix A of our Confidentiality Policy. These external professional organisations are obliged to keep your details secure, and use them only to fulfil your request or deliver the service. We are the controller of the information collected by us and we will only provide personal information to an external organisation or individual for the purposes set out above, or in order to help prevent risk of harm to an individual or crime, including fraud, or if required to do so by law. The only exception to this would be in cases where there is a legal obligation to disclose, or where disclosing the information is necessary or in the public interest. ReDress’s Confidentiality Policy contains further details regarding Information Sharing.
At no time will your information be passed to organisations or individuals external to us for marketing or sales purposes or for any commercial use without your prior express consent.
Information you give us during telephone calls may be processed. If this occurs, it would be to enable us to act upon your wishes or to investigate incidents or complaints.
If you email us we may keep a record of your contact, your email address and the content of the email for our record keeping and to enable us to act upon your wishes or to investigate incidents or complaints. However, this information will not be kept longer than necessary and in line with our data retention policies.
Facebook/Twitter – Direct Marketing
ReDress does not engage in Direct Marketing and if we do, explicit consent will be sought. We have a Facebook page, a Twitter account and an eBay account.
We advertise products and services on these pages. Individuals are free to like/follow/join or interact with these web pages. If you join one of the social media pages, please note that the providers of the social media platform(s) have their own privacy policies and that ReDress Limited does not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data on ReDress’s social media pages.
Our website redressltd.co.uk does not store or capture personal information when you access it as a visitor. We advertise products and services on our website.
Our systems will only capture and record personal information if you:
● subscribe to or apply for services that require personal information
● contact us and leave your details for us to respond.
Our website uses cookie technology for analytical purposes, and to personalise the user experience of the site. A cookie is a string of information that is sent by a website and stored on your hard drive or temporarily in your device’s memory. This helps us to provide you with a good service when you browse our website and also allows us to improve our site. No personal information is collected this way. Please note that this notice only covers the ReDress website maintained by us, and does not cover other websites linked from our site.
You can use your web browser to:
● delete all cookies;
● block all cookies;
● allow all cookies;
● block third-party cookies;
● clear all cookies when you close the browser;
● open a 'private browsing' / 'incognito' session, which allows you to browse the internet without storing local data; and
● install add-ons and plug-ins to extend browser functionality.
Our website is hosted by Wix and the following link gives a detailed explanation about cookies and Wix websites.
Visual images of people are taken and used by ReDress for various purposes, including but not limited to, marketing, information leaflets, advertising and the recording of Group Members’ achievements and training. Some of these may be posted to our Facebook page and/or Twitter account and/or website. They are always taken and stored on ReDress’s camera and computer systems. Personal devices are never used to take images of people at ReDress. All people at ReDress can decline having their image taken or posted and all Group Members must give explicit signed consent for photos to be taken and published. ReDress’s Policy, How We..Monitor Piccies, must be followed. Any requests for this data to be removed will be acted upon immediately. This does not include visual images posted on our social media platforms by customers or others as this is entirely their choice and outside of ReDress’s control.
How we will protect your information
Our aim is not to be intrusive, and we won't ask irrelevant or unnecessary questions. The information you provide will be subject to rigorous measures and procedures to make sure it can't be seen, accessed or disclosed to anyone who shouldn't see it.
Information Security and Transmission of Information
The following information and ReDress’s How We….Ensure Confidentiality Policy gives further details regarding Information Governance, Data Protection, Information Security and Freedom of Information. These define our commitments and responsibilities to your privacy and cover a range of information and technology security areas. We provide mandatory annual training to all ReDress staff that handle personal information. We treat it as a disciplinary matter if they misuse or do not look after your personal information properly. We will not keep your information longer than it is needed or where the law states how long this should be kept. We will dispose of paper records and delete any electronic personal information in a secure way.
In order to ensure the confidentiality of identifiable information, systems and procedures are in place to control access to such information. Such controls are essential to ensure that only authorised persons have:
• physical access to computer hardware and equipment and access to computer system utilities capable of overriding system and access controls e.g. IT administrator rights.
• access to either electronic or paper records containing confidential information about individuals.
Personal information that ReDress stores is generally forwarded to ReDress in written format by Group Members, Care Managers or Carers. A Personal Information Form is completed by Group Members and updated annually. These, and all other paper-based confidential information, such as incident reports, are stored in a locked cabinet and accessible only by authorised Team Members. All personal information must be stored securely and not left in view of others. No records are left unattended or in a manner where they may be seen by unauthorised persons. All confidential information is securely locked away outside of working hours.
ReDress computer systems are password protected and accessible only by authorised Team Members. The Internet router has firewall protection and the computer systems have software installed to protect against virus attacks and hacking into the computer. These systems are fully compliant with the General Data Protection Regulation 2018. PC display screens and monitors are kept facing away from walkways and are not in public areas. Access to shared drives is monitored by ReDress Management and password protected. No external device or equipment, including discs, USB drives and other data storage devices, is run on or connected to ReDress systems without the prior notification and approval of ReDress Management. As we use a cloud storage system on our computers, personal data may be classed as being stored outside the European Economic Area. We use the Knowhow Cloud storage system, which is fully GDPR compliant, and appropriate measures are put in place to keep your Personal Data secure.
We will not keep your information longer than it is needed or where the law states how long this should be kept. We will keep your Personal Information for as long as we need it for the purposes set out above, and so this period will vary depending on your interactions with us and the nature of the Personal Information. For example, where you have bought merchandise from us, we will keep a record of your purchase for the period necessary for invoicing, tax and warranty purposes. We may also keep a record of correspondence with you (for example if you have made a complaint) for as long as is necessary to protect us from a legal claim. Where we no longer have a need to keep your information, we delete or anonymise the relevant information. We will dispose of paper records and delete any electronic personal information in a secure way. Documents that are no longer required are shredded.
Data Protection laws give you a number of rights, as follows:
1. To be informed why, where and how we use your information.
2. To ask for access to your information.
3. To ask for information to be corrected if inaccurate or incomplete.
4. To ask for your information to be deleted or removed where there is no need for us to continue processing it.
5. To ask us to restrict the use of your information.
6. To ask us to copy or transfer your information from one IT system to another in a safe and secure way, without impacting the quality of the information.
7. To object to how your information is used.
8. To challenge any decisions made without human intervention (automated decision making).
9. To lodge a complaint with the Information Commissioner’s Office whose contact details are below.
10. If our processing is based upon your consent, to withdraw your consent.
You have the right to ask us to stop using your personal data in relation to any of our services. However, this may cause delays or prevent us delivering a service to you. Where possible we will seek to comply with your request but we may be required to hold or process information to comply with a legal requirement. We aim to ensure that the information we hold about you is accurate and up to date. However, there may be situations where you find the information we hold is no longer accurate and you have the right to have this corrected. You also have the right to request a copy of the information that we hold about you (Subject Access Request).
If you would like to exercise the above rights or request a copy of some or all of your personal information, please contact:
Tel: 01670 828383
We will respond to a request promptly and in any event within 28 calendar days of receiving it. Please note that some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request. Please note that whilst the majority of requests will not invoke a charge, a reasonable fee for administrative costs associated with the request may be charged if the request is ‘manifestly unfounded or excessive’.
You also have the right to complain to the Information Commissioner’s Office if you are unhappy with the way we process your data. Details can be found on the ICO website, or you may write to the ICO at the following address:
Information Commissioner's Office
Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number