Hengoed Park - Pioneering care for people with complex mental health needs
THE HENGOED CARE

Privacy Notice

1. Introduction

This is Hengoed Park’s Privacy Notice.

As part of the service we offer, we are required to process personal data about our staff, residents and, in some instances, the friends, relatives or visitors of our residents and staff. “Processing” can mean collecting, recording, organising, storing, sharing or destroying data.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

We are registered with the Information Commissioner’s office (ICO) as a data controller and process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Our ICO registration reference is: ZA390344

If you have any concerns or questions, please contact us by any of the methods below:

Post: Hengoed Park Residential Home, Hengoed, Oswestry, Shropshire, SY10 7EE

Telephone: 01691 650 454

Email: info@hengoedpark.com

2. Residents

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We process the following types of data:

  • Your basic details and contact information e.g. your name, address, date of birth, next of kin details, NHS/HSC/CHI number, National Insurance number, Photographs,
  • Your financial details e.g. details of how you pay us for your care or your funding arrangements. Information about income and financial needs for funding or personal budget support.
  • Records of meetings and decisions pertaining to you.
  • CCTV and audio footage

We also record the following data which is classified as “special category”:

  • Health and social care data about you, which might include both your physical and mental health data (including medical condition, allergies, medical requirements and medical history)
  • Information about your care needs (including disabilities, home conditions, medication and dietary requirements and general care provision)
  • Test results (including psychological evaluations, scans, bloods, x rays, tissue tests and genetic tests.)
  • Safeguarding information
  • Criminal offence data
  • We may also record data about your race, ethnic origin, sexual orientation or religion.

Why do we have this data?

We need this data so that we can provide high-quality care and support and for safeguarding or public protection reasons. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

  • We have a legal obligation to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.
  • We have to collect or use the information so we can enter or carry out a contract with you.

We process your special category data because:

  • It is necessary due to social security and social protection law (generally this would be in safeguarding instances);
  • It is necessary for us to provide and manage social care services;
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Common law duty of confidentiality

In our use of health and care information, we satisfy the common law duty of confidentiality because:

  • You have provided us with your consent (either implicitly to provide you with care, or explicitly for other uses)
  • We have a legal requirement to collect, share and use the data to support service delivery
  • The public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime).
  • Vital interest to collect or use information needed when someone’s physical or mental health or wellbeing is at urgent or serious risk.
  • We have a legitimate interest in processing your data to support legitimate interests such as safeguarding, health and safety, security and the effective management and delivery of the service.

Where do we process your data?

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representative(s);
  2. Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

Third parties are organisations we might lawfully share your data with. These include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals;
  • The Local Authority or council;
  • Your family or friends – with your permission;
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC;
  • The police or other law enforcement agencies if we have to by law or court order.

We use the following data processors for the following reasons:

  • Log my Care- This data processor does the following activities for us: This is a digital care planning and recording system used mainly in UK health and social care settings. As a data processor, it records and manages care information on behalf of the data controller (Hengoed Park).
  • Access Emar – This data processor does the following activities for us: the eMAR system collects, stores, and manages medication-related data on behalf of a data controller (Hengoed Park) and helps staff safely administer medicines.
  • Access Compliance – This data processor does the following activities for us: manages compliance, governance, and quality assurance data.
  • Hik Connect- This data processor does the following activities for us: Hik-Connect Software, available on PC and mobile devices, helps Hengoed Park effectively operate and manage security devices (CCTV & Audio footage) remotely.
  • Entry sign – This data processor does the following activities for us: Staff, residents and visitor sign in management system.
  • Ring Doorbell – This data processor does the following activities for us: helps Hengoed Park effectively operate and manage security devices (CCTV & Audio footage) remotely.

This list may not be exhaustive.

Personal data will only be disclosed on a confidential basis. When we share data with an external third party; these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.

3. National Data Opt Out

We review our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies. If any data processing falls within scope of the National Data Opt-Out we use MESH to check if any of our residents have opted out of their data being used for this purpose.

At this time, we do not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/

4. Staff

What staff do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:

  • Your basic details and contact information e.g. your name, address, email, date of birth, National Insurance number, gender, photograph (for apps), copies of photo ID, copies of proof of address documents, marital status, employment history (e.g. job application, employment references), education history (e.g. qualifications), right to work information, performance records (e.g reviews, disciplinary records, complaints or disciplinary action) and next of kin details;
  • Your financial details e.g. details so that we can pay you (job role, employment contract), overtime or other payments claimed, leave (sick leave, holidays or special leave), pension maternity, paternity and adoption leave, bank details, payroll records, tax status
  • Your training records.
  • CCTV footage or other recordings

We also record the following data which is classified as “special category”:

  • Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/paternity pay, general health and wellbeing forms, Occupational health referrals and reports, accident at work records, access needs or reasonable adjustments, protected characteristics
  • We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion.
  • As part of your application you will be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We may hold information criminal convictions and offences.

Why do we have this data?

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

  • We have a legal obligation under UK employment law;
  • We are required to do so in our performance of a public task;
  • We have a legitimate interest in processing your data – for example, we provide data about your training to Skills for Care’s Adult Workforce Data Set, this allows Skills for Care to produce reports about workforce planning.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We process your special category data because:

  • We have a legal obligation: We process staff health data to comply with our legal obligations as an employer, including health and safety regulations and reporting requirements.
  • Employment obligations: Health data is processed where necessary to manage employment, sickness, and workplace accommodations. DBS information is processed as necessary for our obligations as an employer, including safeguarding vulnerable adults and children.
  • Occupational health purposes: Health information may be processed by occupational health professionals to assess fitness for work, provide support, or manage workplace risks.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

As your employer we need specific data. This is collected from or shared with:

  1. You or your legal representative(s);
  2. Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

Third parties are organisations we have a legal reason to share your data with. These include:

  • Her Majesty’s Revenue and Customs (HMRC);
  • Our pension and healthcare schemes; Smart Pension
  • Our external payroll provider; Iris
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC;
  • The police or other law enforcement agencies if we have to by law or court order.
  • The DBS Service; Partners in Care is a Registered Umbrella Organisation with the Disclosure and Barring Service. They process online DBS applications and Adult First Checks on behalf of Hengoed Park.

We use the following data processors for the following reasons:

  • Log my Care – This data processor does the following activities for us: This is a digital care planning and recording system used mainly in UK health and social care settings. As a data processor, it records and manages care information on behalf of the data controller (Hengoed Park); some basic employee data is required for the system to operate effectively.
  • Partners in Care – Partners in Care is a Registered Umbrella Organisation with the Disclosure and Barring Service (DBS). They process online DBS Applications and Adult First Checks on behalf of Hengoed Park.
  • Iris Payroll – This data processor does the following activities for us: They process Hengoed Park’s payroll information
  • Find My Shift – This data processor does the following activities for us: This system stores our HR and rota management records
  • Your Hippo – This data processor does the following activities for us: Stores employee data relating to training
  • Log my Care – This data processor does the following activities for us: This manages our care records; some employee data is required for the system to operate effectively.
  • Indeed – This data processor does the following activities for us: This manages our recruitment activities/management.
  • Breathe HR – This data processor does the following activities for us: It processes and stores all employee (workforce) data on behalf of the employer, who remains the data controller.
  • Hik Connect – This data processor does the following activities for us: Hik-Connect Software, available on PC and mobile devices, helps Hengoed Park effectively operate and manage security devices (CCTV & Audio footage) remotely.
  • Ring Doorbell – This data processor does the following activities for us: helps Hengoed Park effectively operate and manage security devices (CCTV & Audio footage) remotely.

This list may not be exhaustive.

Personal data will only be disclosed on a confidential basis. When we share data with an external third party; these operations are governed by a Data Processing Agreement (DPA) and we perform regular due diligence on any external companies we work with to ensure that high levels of data integrity are maintained.

5. Friends/Relatives/Visitors

What data do we have?

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

  • Your basic details and contact information e.g. your name, address, vehicle registration
  • Photograph
  • CCTV and audio footage

Why do we have this data?

By law, we need to have a lawful basis for processing your personal data.

We process your data because:

  • We have a legal obligation under the Health and Safety at Work Act. We are required to maintain records for safety, safeguarding, and regulatory compliance.
  • We have a legitimate interest in processing your data to ensure the security of residents, staff, and visitors and maintain orderly operations of the care home.
  • Where consent is provided voluntarily for communications or updates.

Where do we process your data?

So that we can provide high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representative(s);
  2. Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms, via apps.

Third parties are organisations we have a legal reason to share your data with. These may include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals;
  • The Local Authority;

The police or other law enforcement agencies if we have to by law or court order.

6. How do we store your personal information?

Your information is securely stored for the time periods specified in the Records Management Code of Practice. We will then dispose of the information as recommended by the Records Management Code for example we will:

  • Securely dispose of your information by shredding paper records, or wiping hard drives/apps to legal standards of destruction.
  • Archive your information onsite at Hengoed Park under secure conditions.

Our Website

By accessing or using our website, you consent to the terms and practices described below.

Information We Collect:

We may collect both personally identifiable information (PII) and non-personally identifiable information (Non-PII) from visitors to our website. The types of information we collect may include, but are not limited to:

  • Name, Contact information (e.g., email address, phone number), Address, Date of birth, Health-related information (only when voluntarily provided)
  • IP address, Browser type and version, Operating system, Date and time of access, Pages visited, Referring URL

Use of Information:

We will use the information collected for the following purposes:

  • Providing our services and maintaining your care plan.
  • Contacting you in response to inquiries or requests.
  • Sending important notifications, such as changes in services or policies.
  • Improving our website and services based on feedback and usage patterns.
  • Complying with legal obligations.

Disclosure of Information:

We will not sell, rent, or lease your personal information to third parties. However, we may disclose your information in the following circumstances:

  • With your consent or as otherwise required to provide our services.
  • To our trusted third-party service providers who assist us in operating our website and services.
  • To comply with legal obligations, such as responding to court orders or lawful government requests.
  • In connection with the sale, merger, or acquisition of all or part of our company.

Cookies and Tracking Technologies:

We use cookies and similar tracking technologies to enhance your experience on our website. These technologies may collect Non-PII about your browsing behaviour. You can choose to disable cookies through your browser settings, but please note that this may affect certain website features.

These cookies are set by Google Analytics to collect information such as :

  • How visitors arrive at our website
  • Pages visited and time spent on the website
  • Interactions with website features

This information collected is aggregated and anonymous, and is used solely to improve the performance and usability of our website.

Third-Party Websites:

Our website may contain links to third-party websites. We do not have control over the privacy practices of these websites and are not responsible for their content or actions. We encourage you to review the privacy policies of these third-party websites before providing any personal information.

Your Rights

The data that we keep about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:

  1. You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service;
  2. You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request;
  3. You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. We retain our data in line with the Information Governance Alliance’s guidelines.
  4. You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
  5. You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
  6. If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.

You may need to provide adequate information for our staff to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.

If you would like to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

https://ico.org.uk/global/contact-us/

Changes to This Privacy Notice

We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.

Any changes will be made available on this privacy policy page of our website.

Scroll to Top