01252282110 care@poseidon-gp.com

DATA POLICY

When Poseidon Care processes your personal data, it is required to comply with the Data Protection Act 2018 (“DPA”) and the UK GDPR (the DPA and UK GDPR are together referred to as the “Data Protection Legislation”). Poseidon Care may collect different types of personal data directly from or about you depending on the activities or services we are offering and that you are taking part in or using.

This can include your name, address, telephone number, email, date of birth, data relating to your personal and caring situations, religion, medical and immigration checks data (if pertinent to the activities or services). We may also process your personal data to respond to any queries or comments you submit to us and to correspond with you on a day-to-day basis. You may provide us with any or all of this data online, at an event, on paper or over the phone through a job application form, a sign-up form (if requesting information or asking to be put on a mailing list), or by registering for and/or attending an event.

Everything we do with your personal data counts as processing it – including collecting, storing, amending, transferring, and deleting it. We are, therefore, required to comply with the Data Protection Legislation to make sure that your information is properly protected and used appropriately.

This privacy policy provides information about the personal data we process, why we process it and how we process it.

What personal data do we process about you?

We may need personal data from you to be able to provide services to you, to meet our legal obligations, to enter into a contract with you and/or to provide you with all the information you need. If we do not receive the personal data from you, we may be unable to fulfil our obligations to you.

We process most of your information on the grounds of consent from you, legitimate interests (such as a business relationship with you or the company for which you work and fulfilment of our contract with you (where you are an individual), to determine whether or not we have a suitable vacancy for you, protection of the vital interests of a Data Subject or, in the case of special categories of data, processing for the provision of health or social care or treatment or the management of health or social care systems or services.

The Organisation will require written consent from the subject individual in order for personal data to be collected and processed. In this respect it will be taken that consent is implied through the following:

  • Service Users – by the service user accepting the Contract for Care, which is signed by the service user or authorized representative. In order for the Organisation to develop an appropriate Plan of Care personal details must be divulged and kept on record.
  • Employees – by completing the Job Application Form at onset of employment, and where the employee has not registered an objection to their data being used.

If we obtain consent from you to the processing of your personal data, you can withdraw your consent at any time. This will not affect the lawfulness of any processing we carried out prior to you withdrawing your consent.

More information about the personal data we process is set out below:

[Service Users]

[Personal data that we may process about you (depending on the extent of the information you have provided to us) includes:

  • Identity data such as your first name, middle names, last name, marital status, title, date of birth and gender
  • Contact data such as your address, email address and telephone numbers
  • Financial data including your bank account and payment card details
  • Special categories of data including information about your medical background and health and diversity/equality
  • Information such as your race and ethnicity 

[Candidates]

[Personal data that we are likely to process about you includes:

  • Identity data such as your first name, middle names, last name, marital status, title, date of birth and gender
  • Contact data such as your postal address, email address and telephone numbers
  • Background data such as your education, career background and work experience
  • Medical and immigration checks data (if pertinent to the activities or services)
  • Personal information such as your skills and qualities
  • Any other information that you include on any CV, application form or covering letter you send to

If this information includes special categories of data we will process that information on the grounds of consent as explained above, because you have chosen to provide it to us.

Who will receive your personal data?

We only transfer your personal data to the extent we need to. Recipients of your personal data may include:

  • Company Officers
  • Service Affiliates

who are all required to comply with the Data Protection Act 2018 and the International GDPR.

We do not transfer your personal data outside of the EEA.

How long will we keep your personal data?

[Candidates]

We will retain your personal data for the period of your employment with us and for 1 year from the date on which your employment ends. We may need to retain some documents for other purposes (for example, to comply with legislation on preventing illegal working) and for longer periods of time.

The advised retention period for application forms and interview notes for unsuccessful applicants is one year. Unsuccessful candidates may submit discrimination claims within six months; however this time limit has been known to be extended to one year.

[Service Users]

Service users’ records are kept for a period of 3 years after termination / completion of the Contract for Care. These records will be kept in a secure location at the Organisation’s offices and in such manner as to prevent deterioration or spoilage.

We must ensure we meet any legal requirements set for record keeping. Your information will be kept securely at all times.

Following the end of the relevant retention period, your files and the personal data covered by the retention period will be permanently deleted or destroyed. 

What are your rights?

You benefit from a number of rights in respect of the personal data we hold about you. We have summarised the rights which may be available to you below, depending on the grounds on which we process your data. More information is available from the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide- to-the-general-data-protection-regulation-gdpr/individual-rights/). These rights apply for the period in which we process your data.

Access to your data

You have the right to ask us to confirm that we process your personal data, as well as having the right to request access to/copies of your personal data. You can also ask us to provide a range of information, although most of that information corresponds to the information set out in this privacy policy.

We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.

We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we will let you know.

Rectification of your data

If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we do not feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your request.

Right to be forgotten

In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:

  • Where we no longer need your personal data for the purpose for which we collected it
  • Where we have collected your personal data on the grounds of consent and you withdraw that consent
  • Where you object to the processing and we do not have any overriding legitimate interests to continue processing the data
  • Where we have unlawfully processed your personal data (i.e. we have failed to comply with UK GDPR); and
  • Where the personal data has to be deleted to comply with a legal obligation

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.

Right to restrict processing

In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we do not have to delete it. This right is available to you:

  • If you believe the personal data we hold is not accurate – we will cease processing it until we can verify its accuracy
  • If you have objected to us processing the data – we will cease processing it until we have determined whether our legitimate interests override your objection
  • If the processing is unlawful; or
  • If we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim 

Data portability

You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data controller. This right only applies to personal data you provide to us:

  • Where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and
  • Where we carry out the processing by automated means

We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.

Use of Personal Devices (BYOD) and Data Protection
As part of our commitment to protecting personal data and ensuring compliance with the General Data Protection Regulation (GDPR), our organization allows employees to use their personal devices, such as smartphones, tablets, and laptops, for work purposes. This practice is governed by our Bring Your Own Device (BYOD) policy, which is designed to ensure the security and privacy of all personal data processed on such devices.

1. Scope of the BYOD Policy

Our BYOD policy applies to all employees, contractors, and third-party service providers who access company data and systems using personal devices. This policy ensures that all devices used for work purposes are subject to the same data protection and security standards as company-owned devices.

2. Data Security Measures

To safeguard the confidentiality, integrity, and availability of personal data processed on personal devices, we implement the following measures:

  • Device Encryption: All personal devices used for work must have encryption enabled to protect stored and transmitted data.
  • Strong Authentication: Devices must be protected with strong passwords, and access to work systems requires multi-factor authentication.
  • Regular Updates: Employees are required to ensure that their devices are up-to-date with the latest security patches and software updates.
  • Remote Wipe Capability: In the event of device loss, theft, or an employee’s departure, we reserve the right to remotely wipe work-related data from the device to prevent unauthorized access.

3. Data Minimization and Access Controls

In accordance with the GDPR’s data minimization principle, only the minimum amount of personal data necessary for work purposes will be processed on personal devices. Access to sensitive data and systems is restricted based on job role and responsibility, and personal devices will only be allowed to access approved systems and applications.

4. Monitoring and Auditing

To ensure compliance with our BYOD policy, we may periodically monitor the use of personal devices that access our data or systems. Monitoring will be done in a way that respects the privacy of employees while ensuring that security standards are maintained. Regular audits may also be conducted to assess compliance with security requirements.

5. Reporting and Incident Management

In the event of a data breach or suspected security incident involving a personal device, employees must immediately report the incident to our Data Protection Officer (DPO). We follow a strict protocol for investigating, mitigating, and notifying any data breaches in line with GDPR requirements, including notifying affected individuals and the relevant supervisory authority if necessary.

6. Termination and Device Disposal

When an employee leaves the company or ceases to use their personal device for work purposes, all company data must be removed from the device. This may include the deletion of work-related applications and files, or, if necessary, the remote wiping of the device to ensure that no sensitive data remains.

7. Employee Responsibilities

Employees are responsible for the following:

Keeping their personal devices secure and in compliance with the BYOD policy.
Reporting any loss or breach of the device immediately.
Ensuring that personal data processed on the device is handled in accordance with our data protection policies and GDPR requirements.

Right to object

You are entitled to object to us processing your personal data:

  • If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority
  • For direct marketing purposes (including profiling); and/or
  • For the purposes of scientific or historical research and statistics

In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling, legitimate grounds which override your interests, rights and freedoms or the processing is for the establishment, exercise or defence of legal claims.

Automated decision making

Automated decision making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late a certain number of times (without any input from HR, for example).

We do not carry out any automated decision making using your personal data.

Your right to complain about our processing

If you think we have processed your personal data unlawfully or that we have not complied with UK GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website: https://ico.org.uk/concerns/.

Any questions?

If you have any questions or would like more information about the ways in which we process your data, please contact [Mina Kovacevic/Head of Data Management/mk@poseidonhumancapital.com].

 

Note: All Poseidon Care Policies are reviewed annually, more frequently, or as necessary