Privacy policy

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services. This notice is layered so that you can select the reason we process your personal information and see what we do with it. Please click on the heading below to access the part of the document that you are looking for.

1.    Privacy Notice Overview

2.    General information

2.1      Data Controller’s contact details

2.2      Data Processors

2.3      Data Protection Officer’s contact details

2.4      How do we get information

2.5      How you can contact us

2.6      Kent County Council Privacy Notices

2.7      Legal Obligation

2.8      Links to other websites

2.9      Managing service user contact

2.10    Personal information we collect and use

2.11    Request a service adjustment

2.12    Safeguarding

2.13    Sharing your information

2.14    Visitors to our website

2.15    Visitors to our offices

2.16    Your data protection rights

2.17    Your right to complain

3.    Reason for contacting us

3.1      Apply for a job, apprenticeship or to volunteer

3.2      Attend an event, workshop, presentation or support group                                            

3.3      Contact Us

3.4      Information, advice, guidance and support

3.5      Make a complaint

3.6      Make an enquiry

3.7      Make an information request

3.8      Request our publications

3.9      Responding to our consultation requests and surveys

3.10    Subscribe to our newsletter

4.    Referrals

4.1      Refer a Carer to our service

4.2      Refer yourself to our service

5.    Retention Period

  1. Privacy Notice Overview

Our contact details

Name:            Data Protection Lead

Address:        80 Middle Street, Deal, Kent CT14 6HL

Phone:           01304 364 637

E-mail:            dataprotection@carersek.org.uk

What type of information we have

We currently collect and process the following information:

  • personal identifiers, contacts and characteristics such as your name, address, telephone number, date of birth, national insurance number.
  • contact details for members of your family and support network.
  • information about your finances, e.g. bank details, income, benefits.
  • information about your racial or ethnic origin, religious or philosophical belief and your sexual orientation.
  • information about health conditions including mental health or disabilities that may apply to you and the person for whom you care.
  • information about you and your circumstances such as your hours of caring, residency, employment.
  • information about relevant health and safety concerns.
  • information about your needs and wishes.
  • website user / visitor statistics.

The amount and types of information that we collect depend on the level of service and support that you seek from us.

How we get the information and why we have it

Most of the personal information we process is provided to us directly by you by consent for one or more of the following reasons:

(a)       The provision of information, advice, guidance and support.

(b)       Carers Assessments.

(c)       Employment including apprenticeships.

(d)       Volunteering.

We also receive personal information indirectly, from the following sources in the following scenarios:

The local authority; statutory services; charitable, community interest and voluntary organisations; commissioned services; social services and the health service who may refer you to us for the services that we provide above, with your consent.

The information supplied will include some or all of the types of information we have above depending on the information that you have chosen to supply.

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, the lawful bases we rely on for processing this information are:

(a)         Your consent (which you can remove at any time by writing to us at Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL, calling us on 01304 364 637 or emailing us at support@carersek.org.uk).

(b)       We have a contractual obligation.

(c)       We have a legal obligation.

(d)       We have a vital interest.

(f)        We have a legitimate interest.

What we do with the information we have

We use the information that you have given us in order to:

  • provide you with information, advice, guidance, support, assessments and reviews.
  • signpost you to services that may be of interest to you.
  • refer you to services that can support you and to seek your views.
  • monitor training and quality.
  • provide management information for service performance monitoring and development.

We may share this information (but not for marketing purposes) with:

  • advocates, deputies, legal powers of attorney.
  • Connect Well East Kent (CWEK).
  • central and local government.
  • the Department for Work and Pensions (DWP).
  • external providers.
  • family members and Carers.
  • housing associations and landlords.
  • internal teams, such as social care teams and finance.
  • Kent County Council (KCC).
  • Kent Integrated Data Set (KID).
  • Kent and Medway Safeguarding Adults Board (KMSAB).
  • Kent Safeguarding Children Board (KSCB).
  • legal representatives, such as solicitors.
  • National Health Services (NHS) providers, such as GPs, specialist providers and hospitals.
  • other professionals such as community, health and social care professionals.
  • partner agencies, such as volunteer and statutory organisations.
  • Social Enterprise Kent (SEK).
  • Social Services.
  • Statutory Services.

How we store your information

Your information is securely stored at our business premises (including premises such as accountants for the purposes of audit and return), and on EU / UK computer servers.

We keep the following for up to:

  • recorded phone calls up to 7 months. This may be longer if evidential.
  • application forms and interview notes for unsuccessful job applicants up to 3 years.
  • health and safety, statutory maternity, sick, and minimum wage pay records up to 7 years.
  • financial records unless itemised separately and personal information up to 7 years after cessation with service / employment.
  • invoices (capital items) up to 11 years.
  • leases up to 13 years after liabilities have ceased.
  • public liability information, employment liability information, accident records, staff application forms, DBS certificate number and date, DBS correspondence and signed statements regarding involvement with investigations into vulnerable adults up to 51 years (insurance requirement).
  • organisation charts are retained permanently for commercial reasons.
  • records for key senior executives are retained permanently for historical reasons.

We will then dispose of your information by shredding physical items such as paper and secure permanent deletion of computer records.

Your data protection rights

Under data protection law, you have rights including:

  • Your right of access – You have the right to ask us for copies of your personal information.
  • Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL, call us on 01304 364 637 or email us at dataprotection@carersek.org.uk if you wish to make a request.

If you are unhappy with the way we collect, process or store your data

In the first instance, please contact our Data Protection Lead in writing as follows:

By email:        dataprotection@carersek.org.uk

By post:          Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL

If you are dissatisfied with the outcome of your initial contact, please raise an appeal to our Chief Executive Officer (CEO) in writing as follows:

By email:        ceo@carersek.org.uk

By post:          Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL

Data processors

Your data is normally processed within the UK but may on occasion be processed outside of the UK. All processing is secure and agreements exist between us and the data processors to safeguard and secure your information. All non-UK processing may take place within the European Union, or outside of the European Union. Processing outside of the European Union, for example North America, is covered by the country being a “third country” and the data processor being part of the EU-US Privacy Shield scheme as required by the GDPR.

How to complain

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

  2. General information

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.

This notice is layered. So, if you wish, you can easily select the reason we process your personal information and see what we do with it.

We’ll tell you:

  • why we are able to process your information;
  • what purpose we are processing it for;
  • whether you have to provide it to us;
  • how long we store it for;
  • whether there are other recipients of your personal information;
  • whether we intend to transfer it to another country; and
  • whether we do automated decision-making or profiling.

The first part of the notice is information we need to tell everybody.

2.1      Data Controller’s contact details

Carers’ Support East Kent is the controller for the personal information we process, unless otherwise stated.

There are many ways you can contact us, including by phone, email, and post.

Our postal address and registered office:

Carers’ Support East Kent
80 Middle Street
Deal
Kent CT14 6HL

Call: 01304 364 637 / Email: dataprotection@carersek.org.uk

2.2      Data processors

Your data is normally processed within the UK but may on occasion be processed outside of the UK. All processing is secure and agreements exist between us and the data processors to safeguard and secure your information. All non-UK processing may take place within the European Union, or outside of the European Union. Processing outside of the European Union, for example North America, is covered by the country being a “third country” and the data processor being part of the EU-US Privacy Shield scheme as required by the GDPR.

2.3      Data Protection Officer’s contact details

We do not have a data protection officer, but our data protection lead is Colin Simpson.

You can contact our data protection lead by email at dataprotection@carersek.org.uk

or by post to:

Carers’ Support East Kent

80 Middle Street

Deal

Kent CT14 6HL

Please mark the envelope “Data Protection Lead”.

2.4      How do we get information?

Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have contacted us.
  • You have referred yourself to us.
  • You have made a complaint or enquiry to us.
  • You have made an information request to us.
  • You wish to attend, or have attended, an event.
  • You subscribe to our e-newsletter.
  • You have applied for a job, apprenticeship or to volunteer with us.
  • You are representing your organisation.

We also receive personal information indirectly, in the following scenarios:

  • If you have been referred to us by another service.
  • If your Carer gives us your contact and other information about you so that we may understand their context and setting to fully support them.
  • We have contacted an organisation about a complaint you have made and it gives us your personal information in its response.
  • From other public authorities, regulators or law enforcement bodies.
  • An employee or applicant of ours gives your contact details as an emergency contact or a referee.

If it is not disproportionate or prejudicial, we’ll contact you to let you know we are processing your personal information.

As part of Carers’ Support East Kent’s contractual and charitable functions, we process special category data and criminal conviction data.

Safeguards Policy – special categories of personal data and criminal convictions

As part of Carers’ Support East Kent’s (CSEK) contractual and charitable functions, we process special category data and criminal conviction data for the purposes of performing or exercising obligations or rights which are imposed or conferred by contract and law on CSEK or the data subject in connection with employment, social security or social protection, and archiving.

For these types of processing we are required to have an appropriate policy in place setting out and explaining our procedures and policies.

Special category data

Special category data is defined at Article 9 GDPR as personal data revealing:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data for the purpose of uniquely identifying a natural person
  • Data concerning health
  • Data concerning a natural person’s sex life or sexual orientation

Criminal conviction data

Criminal conviction data also includes processing in relation to offences, or related security measures.

Substantial public interest

Under Article 9 (2) (g) GDPR, CSEK may process special category and criminal conviction data where it is necessary for reasons of substantial public interest. This must be carried out on the basis of Union or Member State law which is proportionate to the aim pursued, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the fundamental rights and the interests of the data subjects.

Section 10 (3) Data Protection Act 2018 sets out that the processing meets the requirement in point (g) only if it meets a condition (or purpose) in Part 2 of Schedule 1.

We process for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • Paragraph 6 (1) and (2): statutory and government purposes
  • Paragraph 10 (1): preventing or detecting unlawful acts
  • Paragraph (1) and (2): protecting the public against dishonesty
  • Paragraph 12 (1) and (2): regulatory requirements relating to unlawful acts and dishonesty
  • Paragraph 24 (1) and (2): disclosure to elected representatives

In addition, there are additional processing conditions for criminal convictions set out in Part 3 of Schedule 1.

  • Paragraph 32: personal data in the public domain
  • Paragraph 33: legal claims
  • Paragraph 36: substantial public interest

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures, reflected in an appropriate policy document.

Employment, social care and social protection

Under Article 9 (2) (b) GDPR, CSEK may process special category data and criminal convictions where it is necessary for purposes of carrying out obligations and exercising specific rights of the controller or data subject in the field of employment, social security and social protection law. This must be carried out on the basis of union or Member State law or a collective agreement providing for appropriate safeguards for the fundamental rights and the interest of the data subject.

Section 10 (2) Data Protection Act 2018 sets out that the processing meets the requirement in point (b) only if it meets a condition (or purpose) in Part 2 of Schedule 1.

We process for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • paragraph 6 (1) and (2): statutory and government purpose
  • paragraph 8: equality of opportunity or treatment
  • paragraph 9: racial or ethnic diversity at senior levels of organisation
  • paragraph 10 (1): preventing or detecting unlawful acts
  • paragraph 11: protecting the public against dishonesty
  • paragraph 12 (1) and (2): regulatory requirements relating to unlawful acts and dishonesty
  • paragraph 16: support for individuals with a particular disability or medical condition
  • paragraph 21: occupational pensions
  • paragraph 24 (1) and (2): disclosure to elected representatives

In addition, there are additional processing conditions for criminal convictions set out in Part 3 of Schedule 1.

  • Paragraph 32: personal data in the public domain
  • Paragraph 33: legal claims

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures, reflected in an appropriate policy document.

Archiving

Under Article 9 (2) (j) GDPR, CSEK may process special category data and criminal convictions where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Section 10 (2) Data Protection Act 2018 sets out that the processing meets the requirement in point (j) only if it meets a condition (or purpose) in Part 2 of Schedule 1.

We process for the following purposes in Part 2 of Schedule 1. All processing is for the first listed purpose and might also be for others dependent on the context:

  • paragraph 6 (1) and (2): statutory and government purposes

The measures to safeguard rights and interests of data subjects include the implementation of policies and procedures, reflected in an appropriate policy document.

The following describes the measures we take to comply with the data protection principles in relation to these categories of personal data.

The first data protection principle ‘lawful, fair and transparent’

Processing personal data must be lawful, fair and transparent. It is only lawful if and to the extent it is based on law and either the data subject has given their consent for the processing, or the processing meets at least one of the conditions in Schedule 1. We provide clear transparency information to all those who provide personal data to us.

Our processing for purposes of substantial public interest satisfies the first Schedule 1 condition in that the processing is necessary for the exercise of a function conferred on CSEK by the legislation for which we act as a regulator e.g. Data Protection Act 2018. We act as a regulator in order to protect the fundamental rights and freedoms of natural persons in relation to processing as set out in Article 51 GDPR.

In circumstances where we seek consent, we make sure:

  • The consent is unambiguous
  • The consent is given by an affirmative action
  • The consent is recorded as the condition for processing

The second data protection principle ‘specified, explicit and legitimate purposes’

We process personal data for purposes of substantial public interest. These are where the processing is necessary for CSEK to fulfil its statutory functions, where it is necessary for complying with or assisting another to comply with a regulatory requirement to establish whether unlawful or improper conduct has occurred, to protect the public from dishonesty, preventing or detecting unlawful acts or for disclosure to elected representatives.

We are authorised by law to process personal data for these purposes. We may process personal data collected for any one of these purposes (whether by us or another controller), for any of the other purposes here, or for our law enforcement purposes, providing the processing is necessary and proportionate to that purpose.

If we are sharing data with another controller, we will document that they are authorised by law to process the data for their purpose.

We will not process personal data for purposes incompatible with the original purpose it was collected for.

The third data protection principle ‘adequate, relevant and not excessive’

We collect personal data necessary for the relevant purposes and ensure it is not excessive. The information we process is necessary for and proportionate to our purposes. Where personal data is provided to us or obtained by us but is not relevant to our stated purposes, we will erase it.

The fourth data protection principle ‘accurate and up to date’

Where we become aware that personal data is inaccurate or out of date, having regard to the purpose for which it is being processed, we will take every reasonable step to ensure that data is erased or rectified without delay. If we decide not to either erase or rectify it, we will document our decision.

The fifth data protection principle ‘kept for no longer than necessary’

We retain information processed for the periods set out in the corporate retention periods.

The sixth data protection principle ‘appropriate security’

Electronic information is processed within our secure network. Hard copy information is processed within our secure premises.

Our electronic systems and physical storage have appropriate access controls applied.

The systems we use to process personal data allow us to erase or update personal data at any point in time.

This policy satisfies the requirements of Schedule 1, Part 4 and is therefore an appropriate policy document in support of our compliance with the requirements of Articles 9 and 10 GDPR.

This policy will be reviewed annually or revised more frequently if necessary.

2.5      How you can contact us

Call us: 01304 364 637

Write to us:

Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL

Email us: support@carersek.org.uk

2.6      Kent County Council Privacy Notices

We are a service provider contracted to Kent County Council (KCC). KCC may contact a sample of those who we support and other service users to obtain feedback and help demonstrate the impact of our service. Contact may be by post, email or phone and is a part of a contractual obligation that we hold with KCC.

Please click here for the KCC Kent adult social care and health (third parties) privacy notice

Please click here for the KCC general notice to cover adult social care and health

2.7      Legal Obligation

We have a legal obligation to share your information to comply with common law and other statutory obligations.

Examples include but are not limited to:

  • Cooperate with criminal investigations;
  • Prevent harm to another;
  • Reporting money laundering;
  • Reporting suspected fraud;
  • Reporting suspected criminal activity;
  • Reporting suspected terrorist activity;
  • Share staff pay information with HMRC.

2.8      Links to other websites

Our website may contain links to other websites run by other organisations. This privacy notice applies only to our website, so we encourage you to read the privacy notices on the other websites you visit. We cannot be held responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the privacy notices and policies of that third-party site.

2.9      Managing service user contact

Restricted contact 

We may impose a restriction on your access to our services if it’s necessary to protect our staff from unacceptable behaviour.

The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data when this is necessary for the performance of a contract to which you are party or in order to take steps at the request of the data subject prior to entering into a contract.

If we do this, we’ll explain to you the restriction we have applied and why we feel it’s necessary. We’ll create a record of the restriction for administration purposes, so relevant staff members know the restriction is in place. This will include your name, contact details and a description of why we have imposed a restriction.

The decision to impose a restriction will be taken, and reviewed, by a manager. We’ll write to you explaining why we’ve applied the restriction. We’ll review the restriction periodically. We’ll remove it if we feel your behaviour has changed or if you no longer communicate with us.

Single point of contact 

We may provide a single point of contact if you or we (or both) believe it will help to create a better outcome for all concerned.

The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data when this is necessary for the performance of a contract to which you are party or in order to take steps at the request of the data subject prior to entering into a contract.

If the information you provide us in relation to your single point of contact contains special category data, such as health, religious or ethnic information, the legal basis we rely on to process it is article 9(2)(g) of the GDPR, which also relates to our public task and the safeguarding of your fundamental rights, and Schedule 1 part 2(6) of the DPA2018 which relates to statutory and government purposes.

A decision will be made by a manager to give you a single point of contact. This may be where you have several complaints and we believe it will be more efficient for us to deal with them in this way. We’ll make a record of the fact that you have a single point of contact. All relevant staff will know about using it to manage communications between our office and you. It will include your name, contact details and a description of the need to have a single point of contact. We’ll review this requirement from time to time.

Contact by third parties but not for marketing purposes

We are a service provider contracted to Kent County Council (KCC). KCC may contact a sample of those who we support to obtain feedback and help demonstrate the impact of our service. Contact may be by post, email or phone and is a part of a contractual obligation that we hold with KCC.

What are your rights?

We are acting in our official capacity as a regulator regarding your contact restriction or single point of contact (or both), so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

2.10    Personal information and how we use it

In the course of working with you, we may collect the following personal information when you provide it to us:

Personal data

  • personal information e.g. name, date of birth, national insurance and NHS numbers, gender, title, working status, marital status, disability, hours that you care per week, power of attorney details
  • contact details
  • contact records e.g. by phone, correspondence, interviews, call recordings
  • information about your finances, e.g. bank details, savings, debt, income, benefits
  • safeguarding information

Special categories of personal data

  • information about your racial or ethnic origin, religious or philosophical belief and your sexual orientation
  • information about health conditions or disabilities that may apply to you
  • information about you and your circumstances
  • information about relevant health and safety concerns
  • information about your needs and wishes

2.11    Request a service adjustment

Service adjustments

As a charity and a provider of services to the public, we have a legal duty to comply with the Equality Act (2010).

This means we need to make service adjustments for anyone with a disability who contacts us in any capacity, to eliminate any barriers to accessing our services. Our legal basis for processing this information is article 6(1)(c) of the GDPR as we have a legal obligation to provide this. Our processing of special category data, such as health information you give us, will be based on article 9(2)(a), which means we need your consent.

We’ll create a record of your adjustment requirements. These will give your name, contact details and type of adjustment required, along with a brief description of why it is required. Relevant staff can access this to ensure they are communicating with you in the required way.

How long we keep it

For information about this please see our retention periods.

What are your rights?

As we need your consent to process your special category data you have a right to withdraw your consent at any time.

For more information on your rights, please see ‘Your rights as an individual’.

2.12    Safeguarding

In certain circumstances we may need to rely on vital interests under GDPR as our lawful basis if we need to process the personal data to protect someone’s life.

The processing must be necessary. If we can reasonably protect a person’s vital interests in another less intrusive way, we will do so.

We cannot rely on vital interests for health data or other special category data if an individual is capable of giving consent, even if they refuse their consent.

Article 6(1)(d) of the GDPR provides a lawful basis for processing where: “processing is necessary in order to protect the vital interests of the data subject or of another natural person”.

Recital 46 provides that “the processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…”

It is likely to be particularly relevant for emergency medical care, where we need to process personal data for medical purposes but the individual is incapable of giving consent to the processing.

It is less likely to be appropriate for medical care that is planned in advance. Another lawful basis such as legitimate interests is likely to be more appropriate in this case.

Processing of one individual’s personal data to protect the vital interests of others is likely to happen more rarely. In many cases we may consider legitimate interest as our legal basis for processing, which gives us a framework to balance the rights and interests of the data subject(s) with the vital interests of the person or people we are trying to protect.

2.13    Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.

In some circumstances, we are legally obliged to share information. For example, under a court order or where we cooperate with other European supervisory authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we’ll satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

We may also share your information where we are legally obliged to do so such as in the event of or to prevent a criminal act, act of terrorism or a safeguarding incident. In this event we may share information with the appropriate authorities such as the police, security services or social services.

In the course of working with you we may collect information from, or share it with, some of the following third parties (non-exhaustive list):

  • advocates, deputies, legal powers of attorney
  • housing associations and landlords
  • Connect Well East Kent
  • central government
  • the Department for Work and Pensions (DWP)
  • external providers
  • family members and Carers
  • internal teams, such as social care teams and finance
  • Kent County Council (KCC)
  • Kent Integrated Data Set (KID)
  • Kent and Medway Safeguarding Adults Board (KMSAB)
  • Kent Safeguarding Children Board (KSCB)
  • legal representatives, such as solicitors
  • National Health Services (NHS) providers, such as GPs and hospitals
  • other professionals
  • partner agencies, such as volunteer and statutory organisations
  • Social Enterprise Kent (SEK)

This data sharing enables us to ensure that you are receiving the best support possible.

We will share personal information with law enforcement or other authorities if required by applicable law.

We are a service provider contracted to Kent County Council (KCC). KCC may contact a sample of those who we support to obtain feedback and help demonstrate the impact of our service. Contact may be by post, email or phone and is a part of a contractual obligation that we hold with KCC.

2.14    Visitors to our website

Analytics

When you visit www.carersek.org.uk, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not directly identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website.

If we do collect personal data through our website, we’ll be upfront about this. We’ll make it clear when we collect personal information and we’ll explain what we intend to do with it.

Personal information may be collected through our website when you use the following website services: call me back button; contact us links; consultations; donations page; forms; shopping page; and social media pages including our website, Facebook and Twitter.

Cookies

Like many other websites, the Carers’ Support East Kent website uses “cookies”. Cookies are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

They collect statistical data about your browsing actions and patterns and do not identify you as an individual. For example, we use cookies to store your country preference. This helps us to improve our website and deliver a better, more personalised service. It is possible to switch off cookies by setting your browser preferences. Turning cookies off may result in a loss of functionality when using our website.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit:

www.aboutcookies.org or www.allaboutcookies.org.

Find out how to manage cookies on popular browsers:

To find information relating to other browsers, visit the browser developer’s website.

To opt-out of being tracked by Google Analytics across all websites, visit http://tools.google.com/dlpage/gaoptout.

Search engine

Our website search and decision notice search is powered by WordPress. Search queries and results are logged anonymously to help us improve our website and search functionality. No identifiable personal information is collected by us or WordPress.

Security and performance

When you give us personal information, we take steps to ensure that it’s treated securely. When you are on a secure page, a lock icon will appear at the top of web browsers such as Google Chrome in the search bar.

Non-sensitive details (your email address etc) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.

We rely on the Privacy Shield Framework to transfer this information if appropriate to WordPress plugin servers which may be located in the US. They hold the information for seven days.

Our website is hosted by 20i. Please read our data processing agreement with them here: https://www.20i.com/legal/gdpr-data-processing-agreement

We use a third-party service, WordPress.com, to publish our website. This site is hosted at WordPress.com, which is run by Automattic Inc. We use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors that want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see Automattic’s privacy notice.

Purpose and legal basis for processing

The purpose for implementing the above is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The lawful basis we rely on to process your personal data is either Article 6(1)(a) of the GDPR, for example when we require your consent for the optional cookies we use, or Article 6(1)(f) which allows us to process personal data when it’s necessary for our legitimate interests. For example, in order to maintain the integrity of our IT systems and the continuity of our business.

What are your rights?

As we are processing your personal data for our legitimate interests as stated above, you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it. For more information on your rights, please see ‘Your rights as an individual’. 

2.15    Visitors to our offices

We meet visitors at our offices e.g. applicants for positions, apprentices, clients, contractors, guests, staff, temporary staff, stakeholders, trustees, volunteers.

We ask all visitors to sign in and out, and may request that you show a form of ID. The ID is for verification purposes only; we don’t record this information.

The purpose for processing this information is for security and safety reasons. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.

We have Wi-Fi on site for the use of visitors. We’ll provide you with the address and password.

We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received.

We don’t ask you to agree to terms, just to the fact that we have no responsibility or control over your use of the internet while you are on site, and we don’t ask you to provide any of your information to get this service.

The purpose for processing this information is to provide you with access to the internet whilst visiting our site. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it’s necessary for the purposes of our legitimate interests.

For information about how long we hold personal data, see our retention periods.

2.16    Your data protection rights

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here. 

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You can read more about this right here. 

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into, a contract, and the processing is automated. You can read more about this right here.

If we are processing your information for criminal law enforcement purposes, your rights are slightly different. Please see the relevant section of the notice.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us at dataprotection@carersek.org.uk if you wish to make a request, write to the Data Protection Lead at Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL or call us on 01304 364 637.

2.17    Your right to complain

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact us at dataprotection@carersek.org.uk and we’ll respond.

If anyone wishes to complain to CSEK about how their personal information has been processed, their GDPR complaint has been handled, or appeal against any decision made following a complaint, they can submit their complaint in writing (by letter, email or via our website):

  • via email to the Data Protection Lead – complaints@carersek.org.uk
  • by post to the Data Protection Lead – Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL.

In addition, the CSEK website www.carersek.org.uk contains details of this Data Protection and GDPR Complaints Policy and directions to find it.

  3. Reasons for contacting us

3.1      Apply for a job, apprenticeship or to volunteer

Purpose and legal basis for processing

Our purpose for processing this information is to assess your suitability for a role you have applied for.

The lawful basis we rely on for processing your personal data is article 6(1)(b) of the GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering a contract.

If you provide us with any information about reasonable adjustments you require under the Equality Act 2010 the lawful basis we rely on for processing this information is article 6(1)(c) to comply with our legal obligations under the Act.

The legal basis we rely on to process any information you provide as part of your application which is special category data, such as health, religious or ethnicity information, is article 9(2)(b) of the GDPR, which relates to our obligations in employment and the safeguarding of your fundamental rights, and Schedule 1 part 1(1) of the DPA2018, which again relates to processing for employment purposes.

We process information about applicant criminal convictions and offences. The lawful basis we rely on to process this data is Article 6(1)(e) for the performance of our public task. In addition, we rely on the processing condition at Schedule 1 part 2 paragraph 6(2)(a).

What will we do with the information you give us?

We’ll use all the information you provide during the recruitment process to progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.

We will not share any of the information you provide with any third parties for marketing purposes.

We’ll use the contact details you give us to contact you to progress your application. We’ll use the other information you provide to assess your suitability for the role.

What information do we ask for, and why?

We do not collect more information than we need to fulfil our stated purposes and will not keep it longer than necessary.

The information we ask for is used to assess your suitability for employment or volunteering. You don’t have to provide what we ask for but it may affect your application if you don’t.

Application stage

If you use our online application system, your details will be collected by a data processor on our behalf (please see below). If you apply to us via a recruitment agency or direct, we will process your information. All applications may then be retained in our paper based files and computerised information systems.

We ask you for your personal details including name and contact details. We’ll also ask you about previous experience, education, referees, interests and for answers to questions relevant to the role. Our recruitment team will have access to all this information. We do not ask for CVs, but if one is supplied it may be retained with your application papers. By providing a CV without us requesting one you are providing consent, which would be our legal basis for processing.

You will also be asked to provide equal opportunities information. This is not mandatory – if you don’t provide it, it won’t affect your application. We won’t make the information available to any staff outside our recruitment team, including hiring managers, in a way that can identify you. Any information you provide will be used to produce and monitor equal opportunities statistics.

Shortlisting

Our hiring managers shortlist applications for interview and may have access to your name and contact details, but not to your equal opportunities information if you have provided it.

Assessments

We may ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; attend an interview; or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by us.

If you are unsuccessful after assessment for the role, we may ask if you would like your details retained in our talent pool. If you say yes, we would proactively contact you should any further suitable vacancies arise.

Conditional offer

If we make a conditional offer of employment, we’ll ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We must confirm the identity of our staff and their right to work in the United Kingdom, and seek assurance as to their trustworthiness, integrity and reliability.

You must therefore provide:

  • proof of your identity – you will be asked to attend our office with original documents; we’ll take copies
  • proof of your qualifications – you will be asked to attend our office with original documents; we’ll take copies
  • a criminal records declaration to declare any unspent convictions
  • your email address, which we’ll pass to our disclosure barring service data processor, which will contact you to complete an application for an Enhanced Criminal Record check via the Disclosure and Barring Service, which will verify your declaration of unspent convictions.
  • We’ll contact your referees, using the details you provide in your application, directly to obtain references
  • We’ll also ask you to complete a questionnaire about your health to establish your fitness to work.
  • We’ll also ask you about any reasonable adjustments you may require under the Equality Act 2010. This information will be shared with relevant ICO staff to ensure these are in place for when you start your employment.

If we make a final offer, we’ll also ask you for the following:

  • bank details – to process salary payments
  • emergency contact details – so we know who to contact in case you have an emergency at work

After your start date

Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest. If you complete a declaration, the information will be held on your personnel file. You will also need to declare any secondary employment including self-employment.

How long is the information kept for?

For information about how long we hold personal data, see our retention periods.

How we make decisions about recruitment

Final recruitment decisions are made by hiring managers and members of our recruitment team. We take account of all the information gathered during the application process.

Any online testing is marked manually.

You can ask about decisions on your application by speaking to your contact in our recruitment team or by emailing recruitment@carersek.org.uk.

Your rights

As an individual, you have certain rights regarding your own personal data.

For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

Yes – we use several processors to provide elements of our recruitment service for us.

We use Vacancy Filler to operate our online application system and to produce anonymised management information about campaigns. Here is a link to Vacancy Filler’s privacy notice.

If you accept a final offer from us, some of your personnel records will be held on CIPHR, which is an internally used HR records system. Here is a link to its privacy notice.

If you are employed by us, relevant details about you will be provided to Capita HR Services who provide our payroll services. This will include your name, bank details, address, date of birth, National Insurance Number and salary.

Likewise, your details will be provided to MyCSP who is the administrator of the Civil Service Pension Scheme, of which we are a member organisation. You will be auto-enrolled into the pension scheme and the details provided to MyCSP will be your name, date of birth, National Insurance number and salary. Your bank details will not be passed to MyCSP at this time.

We use Health Management to provide our Occupational Health service. We’ll send you a link to the questionnaire that will take you to Health Management’s website. The information you provide will be held by Health Management, who will give us a fit to work certificate or a report with recommendations. You are able to request to see the report before it is sent to us. If you decline for us to see it, this could affect your job offer. If an occupational health assessment is required, this is likely to be carried out by Health Management. Here is a link to Health Management’s privacy notice.

CEB provide online testing for us. If we ask you to complete one of its tests, we’ll send you a link to the test. Your answers will be provided to and held by CEB. Here is a link to CEB’s privacy notice.

For senior vacancies, we sometimes advertise through Hays Recruitment. Hays will collect the application information and may ask you to complete a work preference questionnaire that is used to assess your suitability for the role; the results are assessed by recruiters. Information collected by Hays will be kept for 12 months after the end of our agreement with Hays. Here is a link to Hays’ privacy notice.

3.2      Attend an event, workshop, presentation or support group (referred to as “the event”)

Purpose and legal basis for processing

Our purpose for collecting this information is so we can facilitate the event and provide you with an acceptable service.

The legal basis we rely on for processing your personal data is your consent under article 6(1)(a) of the GDPR. When we collect any information about dietary or access requirements we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

What we need

If you wish to attend one of our events, you will be asked to provide your contact information including your organisation’s name where applicable and, if offered a place, information about any dietary requirements or access provisions you may need. We may also ask for payment if there is a charge to attend.

Why we need it

We use this information to facilitate the event and provide you with an acceptable service. We also need this information so we can respond to you.

What we do with it

If you are not successful in securing a place, we’ll let you know and hold your details on a reserve list in case a place becomes available.

If you are allocated places at an event, we’ll ask for information about any dietary/allergen/access requirements. We don’t share this information in any identifiable way with the venue, and we delete it after the event.

We don’t publish delegate lists for events.

How long we keep it

For information about how long we hold personal data, see our retention periods.

What are your rights?

We rely on your consent to process the personal data you give us to facilitate the event. This means you have the right to withdraw your consent at any time. If at any point you want to withdraw your consent please email or call us on 01304 364 637. If you do that, we’ll update our records within 7 working days to reflect your wishes. For more information on your rights, please see ‘Your rights as an individual’.

Do we use any data processors?

Yes – we sometimes use data processors to help facilitate the events and we may take registers of attendance to see if location and subject of the event are appropriate.

We may use data processors in recording event feedback from attendees and may record this manually on to our IT systems or use online survey feedback services.

We may sometimes charge a fee to attend an event. If this happens, our communications about the event will provide details of the data processor we use to collect payments.

3.3      How you can contact us

Calling us

When you call us on our main number 01304 364 637 or any of our restricted phone numbers, we collect Calling Line Identification (CLI) information. This is the phone number you are calling from (if it’s not withheld). We hold a log of the phone number, date, time and duration of the call, and we may hold an audio record of the call itself. We hold this information for 90 days.

We use this information to understand the demand for our services and to improve how we operate. We may also use the number to call you back if you have asked us to do so, if your call drops, or if there is a problem with the line. We may also use it to check how many calls we have received from it.

We may audio record any calls for training and quality purposes and might make notes to help us answer your query. Other Carers’ Support East Kent or its partner staff may also listen to your call for training or quality assurance purposes.

We may use a translation service for customers when English is not their first language. We don’t retain call scripts; they are processed live for the purposes of translating the call.

We also hold statistical information about the calls we receive for a number of years, but this does not contain any personal data.

Social media

If you send us a private or direct message via social media, it will be stored in accordance with our retention periods and will not be shared with any other organisations for marketing purposes. It may be shared in accordance with our contractual and legal obligations.

We see all this information and decide how we manage it. For example, if you send a message via social media that needs a response from us, we may process it in our case management system as an enquiry or a complaint. When contacting us through a social media platform, we suggest you also familiarise yourself with the privacy information of that platform.

Emailing us

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidance on email security. Most webmail such as Gmail and Hotmail use TLS by default.

We’ll also monitor any emails sent to us, including file attachments, for viruses or malicious software. You must ensure that any email you send is within the bounds of the law.

3.4      Information, advice, guidance and support

Most of the personal information we process is provided to us directly by you. We also receive personal information indirectly, from the following sources in the following scenarios:

The local authority; statutory services; charitable, community interest and voluntary organisations; commissioned services; health service, health professionals, and social services. These sources may, with your consent, refer you to us for the services that we provide.

The information supplied will include some or all of the types of information we have above depending on the information that you have chosen to supply.

Under the General Data Protection Regulation (GDPR) and Data Protection Act 2018, the lawful bases we rely on for processing this information are:

(a)       Your consent (which you can remove at any time by writing to us at Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL, calling us on 01304 364 637 or emailing us at support@carersek.org.uk).

(b)       We have a contractual obligation.

(c)       We have a legal obligation.

(d)       We have a vital interest.

(f)        We have a legitimate interest.

What we do with the information we have

We use the information that you have given us in order to:

  • provide you with information, advice, guidance, support, assessments and reviews.
  • signpost you to services that may be of interest to you.
  • refer you to services that can support you and to seek your views.
  • monitor training and quality.
  • provide management information for service performance monitoring and development.

We may share this information (but not for marketing purposes) with:

  • advocates, deputies, legal powers of attorney.
  • Connect Well East Kent (CWEK).
  • central and local government.
  • the Department for Work and Pensions (DWP).
  • external providers.
  • family members and Carers.
  • housing associations and landlords.
  • internal teams, such as social care teams and finance.
  • Kent County Council (KCC)
  • Kent Integrated Data Set (KID).
  • Kent and Medway Safeguarding Adults Board (KMSAB).
  • Kent Safeguarding Children Board (KSCB).
  • legal representatives, such as solicitors.
  • National Health Services (NHS) providers, such as GPs, specialist providers and hospitals.
  • other professionals such as community, health and social care professionals.
  • partner agencies, such as volunteer and statutory organisations.
  • Social Enterprise Kent (SEK).
  • Social Services.
  • Statutory Services.

How we store your information

Your information is securely stored at our business premises (including premises such as accountants for the purposes of audit and return), and on EU / UK computer servers.

We keep the following for up to:

  • recorded phone calls up to 7 months. This may be longer if evidential.
  • application forms and interview notes for unsuccessful job applicants up to 3 years.
  • health and safety, statutory maternity, sick, and minimum wage pay records up to 7 years.
  • financial records unless itemised separately and personal information up to 7 years after cessation with service / employment.
  • invoices (capital items) up to 11 years.
  • leases up to 13 years after liabilities have ceased
  • public liability information, employment liability information, accident records, staff application forms, DBS certificate number and date, DBS correspondence and signed statements regarding involvement with investigations into vulnerable adults up to 51 years (insurance requirement).
  • organisation charts are retained permanently for commercial reasons.
  • records for key senior executives are retained permanently for historical reasons.

We will then dispose of your information by shredding physical items such as paper and secure permanent deletion of computer records.

3.5      Make a complaint

Complaints regarding how personal data has been processed should be submitted to the Data Protection Lead (DPL). Receipt will be acknowledged within 3 working days.

The DPL will review and respond in writing to a complaint within 14 working days of receipt of the complaint. If a longer time is required CSEK will notify the Complainant of the delay and will provide an estimate of when CSEK will provide a substantive response.

If a Complainant is dissatisfied with the way in which their complaint has been handled they can appeal:

  • via email to the CEO – ceo@carersek.org.uk
  • by post to the CEO – Carers’ Support East Kent, 80 Middle Street, Deal, Kent CT14 6HL.

If a Complainant remains further dissatisfied with the way in which their complaint has been handled they can refer their complaint to:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
UK.

Data Protection and GDPR Complaints Procedure

CSEK Complaints Procedure has 3 stages of handling and escalation:

Stage 1 – Informal Complaints – delegation by the Data Protection Lead (DPL) to a suitable person knowledgeable about the circumstances for their investigation, discussion and resolution with the Complainant.

Stage 2 – Formal Complaints – investigation, discussion and resolution with the Complainant by the DPL themselves who is assigned to the role of dealing with Data Protection and GDPR complaints.

Stage 3 – Final Escalation to the CEO – consideration of the complaint and the prior investigation and efforts to resolve by the CEO of Carers’ Support East Kent (CSEK).

All complaints should go fully through Stages 1 or 2 before/if they proceed any further to Stage 3. The DPL can elect to decide, on behalf of CSEK, that a complaint is vexatious or of no merit to justify Stage 3 and can refuse any Complainant’s request for a Stage 3 review. Such a decision is to be undertaken in the knowledge that the Complainant’s next step would be to the Information Commissioner’s Office (ICO) or legal action, which are factors that shall be taken into account in such decision.

Any Stage 2 Formal Complaint that is reasonably established to have been a reportable breach of GDPR shall be reported to the ICO as soon as reasonably possible after it has been established and within 72 hours.

Stage 1 – Informal Complaint

The Complainant makes a verbal complaint to a member of staff, who then logs and reports it immediately to the DPL – who decides whether it is a Stage 1 or Stage 2 process that is best required in the circumstances.

The appointed Line Manager, with the support and guidance of the DPL, hears the complaint, undertakes any required investigation into the circumstances of the allegation, agrees a resolution with the Complainant and implements the solution.

The Complainant confirms that they are satisfied with the resolution.

Timeframe:    Within 5 working days.

Method:         Verbal initially; reference to the DPL and their response to be in writing.

Stage 2 – Formal Complaint

The complaint is received either verbally, in writing by email, phone, website or by personal submission.

The complaint is logged and reported to the DPL to deal with and action.

Receipt of the complaint is acknowledged within 1 working day.

Investigation of the complaint by the DPL will then proceed.

As above, if it is reasonably established that a Data Protection breach of the use or application of personal data has occurred which is reportable to the ICO, then CSEK shall as soon as reasonably possible formally notify the ICO.

The Complainant will receive a response from CSEK within 10 working days.

If applicable, the results of the investigation into the matter shall be shared with the ICO, and CSEK shall liaise with the ICO if and as required.

The Complainant has 10 working days after the response has been issued in which to respond further; in the absence of which it will afterward be assumed the complaint is resolved.

Timeframe:    Between 1 working day and, at the latest, 21 working days after submission of complaint.

Method:         Email, verbal or written complaint submission; written response.

Stage 3 – Escalation to the CEO

This applies where the Complainant confirms:

  • that they are not content with the proposed course of action, explanation or resolution, and
  • the DPL does not consider the case to be vexatious, or of no merit, such that a Stage 3 is justified for purposes of transparency; or
  • the ICO considers that there has been a breach.

Receipt of the escalated complaint is acknowledged within 1 working day.

DPL fully briefs the CEO hearing the complaint concerning its history and the details and conclusions of any prior Stage 1 or Stage 2 investigations.

Within 5 working days, the Complainant is advised of when the CEO of CSEK will be considering the complaint which will be no more than 14 working days from the date of the acknowledgment of the escalated complaint.

The Complainant will be invited to make a final written submission to the CEO.

If the Complainant is asked to attend a meeting in person, the Complainant may be accompanied by an independent person for support.

The CEO will proceed with review of the substance of the case and its handling.

The Complainant will receive a response from the CEO or, as they may delegate such task, the DPL within 10 working days after the CEO’s consideration of the complaint.

The CEO’s decision is final, subject to any ruling or information relating to it from the ICO.

Timeframe:    Between 1 working day and, at the latest, 28 working days after submission of complaint.

Method:         Written response from the CEO or on their behalf by the DPL.

Anonymous Complaints

Complaints submitted anonymously will be considered if there is enough information in the complaint to enable CSEK to make further inquiries. If, however, an anonymous complaint does not provide enough information to enable CSEK to take further action it may decide not to pursue it further.

Consideration to the issues raised will be given, and the complaint will be recorded so that corrective action can be taken as appropriate.

Any decision not to pursue an anonymous complaint must be authorised by the DPL who is responsible for dealing with Data Protection breaches. If an anonymous complaint contains serious allegations, it should be referred to the Board of Trustees.

Data Protection Complaint Inventory

CSEK shall keep a written log of complaints received, actions taken and decisions reached in a Data Protection Complaint Inventory. This shall consist of an adequate record to be retained of a case, any reporting to the Information Commissioner’s Office (ICO), action taken by CSEK and action/conclusion required by the ICO (if any).

Abusive, Persistent or Vexatious Correspondence and Complaints

It is important to note that for this Data Protection and GDPR Complaints Policy purpose, it is the complaint which must be vexatious and not the individual making the complaint.

It is important to distinguish between people who make a number of complaints because they really think things have gone wrong, and people who are simply being difficult. It must be recognised that Complainants may sometimes act out of character at times of anxiety or distress and reasonable allowances should be made for this.

Features of the types of complaint and behaviour that this Data Protection and GDPR Complaints Policy covers can include the following (the list is not exhaustive, nor does one single feature on its own necessarily imply that the person will be considered as being in this category):

  • Persisting in a complaint after being advised that there are insufficient or no grounds for their complaint or that CSEK is not the appropriate authority.
  • Refusing to co-operate with the complaints process, without good reason, whilst still wanting their complaint to be resolved, including a failure or refusal to specify the grounds of a complaint despite offers of assistance, changing the basis of the complaint as enquiries are made and introducing trivial or irrelevant new information and expecting this to be taken into account and commented on.
  • Submitting repeat complaints, after the complaints procedure has been completed, essentially about the same issues, with additions/variations which the Complainant then insists on being treated as new complaints and put through the full Data Protection and GDPR Complaints Policy procedure again.
  • Refusing to accept the outcome of the Data Protection and GDPR Complaints Policy procedure after its conclusion, repeatedly arguing the point, complaining about the outcome, and/or denying that an adequate response has been given.

Imposing Restrictions

CSEK will ensure that correspondence and/or complaints are being, or have been, investigated properly according to the appropriate procedure and are notified to the ICO if applicable and required.

If a decision has been taken to record the complaint formally, CSEK then has to decide on the next steps. This is the point at which it may consider whether a complaint is vexatious, persistent, repetitive or otherwise an abuse of process.

When the decision has been taken to apply this Data Protection and GDPR Complaints Policy, the individual will be written to with reasons for the decision and what action is being taken, subject to any requirements of the ICO. That decision may be amended if the individual Complainant continues to behave in a way which is unacceptable.

Where a Complainant’s behaviour is so extreme, or it threatens the immediate safety and welfare of any staff, volunteers, trustees or contractors of CSEK, then CSEK may consider other options, for example reporting the matter to the police or taking legal action.

3.6      Make an enquiry

Purpose and legal basis for processing

When you contact us to make an enquiry, we collect information, including your personal data, so that we can respond to it and fulfil our contractual and legal responsibilities.

The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data for the performance of a contract to which we are a party.

If the information you provide us in relation to your enquiry contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(a) of the GDPR, where you have given specific consent by providing the data to us. The data is collected as part of our contractual obligations (article 6(1)(b) of the GDPR).

What we need and why we need it

We need enough information from you to answer your enquiry. If you call us, we may make an audio recording of it for training and quality purposes, and to provide you with further services as required.

If you contact us via email or post, we’ll need a return address for response.

What we do with it

We’ll set up a case file on our case management system to record your enquiry and so we can get it to the correct area of the charity to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.

How long we keep it

For information about how long we hold personal data, see our retention periods.

What are your rights?

We are acting in our official capacity to respond to your enquiry, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

3.7      Make an Information Request

Purpose and legal basis for processing

When you contact us to make a request for information, we collect information, including your personal data, so that we can respond to it and fulfil our contractual and legal responsibilities.

The legal basis we rely on to process your personal data is article 6(1)(b) of the GDPR, which allows us to process personal data for the performance of a contract to which we are a party.

If the information you provide us in relation to your request for information contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(a) of the GDPR, where you have given specific consent by providing the data to us. The data is collected as part of our contractual obligations (article 6(1)(b) of the GDPR).

What we need and why we need it

We need enough information from you to answer your request for information. If you call us, we may make an audio recording of it for training and quality purposes, and to provide you with further services as required.

If you contact us via email or post, we’ll need a return address for response.

What we do with it

We’ll set up a case file on our case management system to record your request for information and so we can get it to the correct area of the charity to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the request for information and any subsequent issues that may arise, and to check on the level of service we provide.

How long we keep it

For information about how long we hold personal data, see our retention periods.

What are your rights?

We are acting in our official capacity to respond to your enquiry, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

3.8      Request our Publications

Purpose and legal basis for processing

When you contact us to request our publications, we collect information, including your personal data, so that we can respond to it.

The legal basis we rely on to process your personal data is article 6(1)(a) of the GDPR, where you have given consent to the processing of your personal data for one or more specific purposes.

If the information you provide us in relation to your request for our publications contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(a) of the GDPR, where you have given specific consent by providing the data to us. The data is collected as part of our contractual obligations (article 6(1)(b) of the GDPR).

What we need and why we need it

We need enough information from you to answer your enquiry. If you call us, we may make an audio recording of it for training and quality purposes, and to provide you with further services as required.

If you contact us via email or post, we’ll need a return address for response.

What we do with it

We’ll set up a case file on our case management system to record your enquiry and so we can get it to the correct area of the charity to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the enquiry and any subsequent issues that may arise, and to check on the level of service we provide.

How long we keep it

For information about how long we hold personal data, see our retention periods.

What are your rights?

We are acting in our official capacity to respond to your enquiry, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

3.9      Responding to our consultation requests and surveys

Purpose and legal basis for processing

When you contact us or a third party to respond to our consultation requests and surveys, we collect information, including your personal data, so that we can respond to it.

The legal basis we rely on to process your personal data is article 6(1)(a) of the GDPR, which allows us to process personal data with your consent.

If you respond to our consultation requests and surveys through any third parties, please read their privacy notices to inform your decision as to whether or not you wish to proceed.

If the information you provide us in relation to your response to our consultation requests and surveys contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(a) of the GDPR, where you have given specific consent by providing the data to us. The data is collected as part of our contractual obligations (article 6(1)(b) of the GDPR).

What we need and why we need it

We need enough information from you to process your response to our consultation request and surveys. If you call us, we may make an audio recording of it for training and quality purposes, and to provide you with further services as required.

If you contact us via email or post, we’ll need a return address for response.

What we do with it

We’ll set up a case file on our case management system to record your response and get it to the correct area of the charity to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with your response to consult with you, and to check on the level of service we provide.

How long we keep it

For information about how long we hold personal data, see our retention periods.

What are your rights?

We are acting in our official capacity to process your response, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

3.10    Subscribe to our newsletters

Purpose and legal basis for processing

When you subscribe to our newsletter, we collect information, including your personal data, so that we can respond to your subscription.

The legal basis we rely on to process your personal data is article 6(1)(a) of the GDPR, which allows us to process personal data with your consent.

If the information you provide us in relation to your subscription contains special category data, such as health, religious or ethnic information the legal basis we rely on to process it is article 9(2)(a) of the GDPR, where you have given specific consent by providing the data to us. The data is collected as part of our contractual obligations (article 6(1)(b) of the GDPR).

What we need and why we need it

We need enough information from you to supply the newsletter to you. If you call us, we may make an audio recording of your call for training and quality purposes, and to provide you with further services as required.

If you contact us via email or post, we’ll need a return address for response.

What we do with it

We’ll set up a case file on our case management system to record your subscription and so we can get it to the correct area of the charity to be dealt with. We’ll also keep a record of our response. We use the information supplied to us to deal with the subscription request and any subsequent issues that may arise, and to check on the level of service we provide.

How long we keep it

For information about how long we hold personal data, see our retention periods.

What are your rights?

We are acting in our official capacity to respond to your enquiry, so you have the right to object to our processing of your personal data. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.

For more information on your rights, please see ‘Your rights as an individual’.

  4. Referrals

4.1      Refer a Carer to our service

If you are a service or a professional referring a Carer to our service, you are undertaking that you have their consent or another GDPR legal basis for the referral. Our privacy notice is available here.

4.2      Refer yourself to our service

For those referring themselves to our service, our privacy notice is available here.

  5. Retention Periods

The term “years” stated in this document refers to financial years (1st April to 31st March).

Under contractual obligations, we are required to keep all records for 6 years from the end date of any contract with Kent County Council. The relevant contract periods are:

1st April 2013 – 31st March 2018 – earliest destruction date 1st April 2023

1st April 2018 – 31st March 2019 – earliest destruction date 1st April 2024

1st April 2019 – 31st March 2023 – earliest destruction date 1st April 2029

Any invoices/records for purchases made with KCC monies, staff, Carer records etc. will be subject to the above as a minimum.

Please note that the following retention periods are all extended by up to 1 year to allow for the actual destruction of records.

Carers Records

| Document | Retention period | Reason for retention period |
|---|---|---|
| Personal Data | 4 years after last input | Contractual |
| Carers documents | 4 years after date of last entry | Contractual |
| Records of complaint and investigations | 7 years after completion of investigation | Contractual |
| Carers meeting minutes | 2 years | Contractual |
| Staff meetings | 2 years | Contractual |
| Carer Assessment forms and all other documents linked to services delivered | 7 years after the service contract end date | Contractual |
| KCC contractual Obligation records | 7 years after the service contract end date | Contractual |

Income/Monies received

| Document | Retention period | Reason for retention period |
|---|---|---|
| Bank paying in counterfoils | 7 years from the end of the financial year in which the transaction was made | Legal Obligation |
| Bank statements | | Legal Obligation |
| Remittance advices | | Legal Obligation |
| Correspondence re donations | | Legal Obligation |
| Bank reconciliations and receipts cash book | | Legal Obligation |

Insurance documents

| Document | Retention period | Reason for retention period |
|---|---|---|
| Claims correspondence | 4 years after settlement | Contract |
| Accident reports and relevant correspondence | 51 years after settlement | Contract |

Payroll documentation

| Document | Retention period | Reason for retention period |
|---|---|---|
| Income tax records re staff leaving i.e. P45 | 7 years | Legal Obligation |
| Notice to employer of tax code (P6) | 7 years | Legal Obligation |
| Annual return of staff and trustee expenses and benefits (P11D) | 7 years | Legal Obligation |
| Certificate of pay and tax deducted (P60) | 7 years | Legal Obligation |
| Notice of tax code change | 7 years | Legal Obligation |
| Annual return of taxable pay and tax deducted | 7 years | Legal Obligation |
| Records of pension deductions (including superannuation) | 7 years | Legal Obligation |
| Payroll and payroll control account | 7 years | Legal Obligation |

Pension records

| Document | Retention period | Reason for retention period |
|---|---|---|
| Pensions scheme – next of kin/expression of wish forms | 7 years after date of death | Legal Obligation |
| All trust deeds and rules | Permanently | Legal Obligation |
| Trustees’ minute book | Permanently | Legal Obligation |
| Annual accounts | Permanently | Legal Obligation |
| Pension scheme investment policies | 13 years from the ending of any benefit payable | Legal Obligation |
| Actuarial reports | Permanently | Legal Obligation |
| Contribution records | Permanently | Legal Obligation |

Purchase invoices and supplier documentation

| Document | Retention period | Reason for retention period |
|---|---|---|
| Payments cash book or record of payments made | 7 years from the end of the financial year in which the transaction was made | Legal Obligation |
| Purchase ledger | | Legal Obligation |
| Invoice – revenue | | Legal Obligation |
| Petty cash records | | Legal Obligation |
| Invoice – capital item | 11 years | Legal Obligation |

Safeguarding documents

| Document | Retention period | Reason for retention period |
|---|---|---|
| Full details of all training delivered in relation to protection policy including details of who attended, dates delivered, what was delivered and by whom | 51 years | Contract |
| Record of all known abuse allegations and incidents and actions taken; details of the outcome of any investigation and any follow up action taken by the Insured; details of any notification made to relevant authorities. This could include Police, DBS, CQC, Ofsted, professional bodies and local safeguarding boards | 51 years | Contract |
| Copies of relevant information and accompanying correspondence relating to abuse assault or molestation of or by OUR service users whilst in OUR care contained in their referral assessment treatment and care plans | 51 years | Contract |
| Accident reports and relevant correspondence | 51 years | Contract |

Staff/personnel records

| Document | Retention period | Reason for retention period |
|---|---|---|
| Accident books, accident records/reports | 4 years after last entry or end of investigation if later | Legal Obligation |
| Organisation charts | Permanently | Historical Purposes |
| Personnel files and training records | 7 years after the employment ceased | Legal Obligation |
| Wages and salary records | 7 years | Legal Obligation |
| Expense accounts/records | | Legal Obligation |
| Overtime records/authorisation | | Legal Obligation |
| Redundancy details, calculations of payments, refunds, notifications to the Secretary of State | 7 years after employment has ceased | Legal Obligation |
| Life Assurance expression of wish forms | 7 years after employment ceases or death | Contract |
| Records relating to working time | 3 years from date on which they were made | Legal Obligation |
| Application forms for staff appointed | 51 years | Contract |
| Disclosure Barring Service (DBS) certificate reference number and date obtained, including any rationale for the judgement made about the staff’s job application in light of the DBS check | 51 years | Contract |
| Any relevant follow up correspondence in relation to DBS | 51 years | Contract |
| Employment and engagement applications, references, identity verification records | 51 years | Contract |
| Signed copy applicant stating any previous involvement with any investigation relating to a vulnerable adult matter | 51 years | Contract |
| Application forms and interview notes (for unsuccessful candidates) | 1 year | Legal Obligation |
| Statutory Maternity Pay records, calculations, certificates or other medical evidence | 4 years after the end of the tax year in which maternity period ends | Legal Obligation |
| Statutory Sick Pay records, calculations, certificates, self-certificates | 4 years after the end of each tax year for Statutory Sick Pay purposes | Legal Obligation |
| National minimum wage records | 4 years after the end of the pay reference period following the one that the records cover | Legal Obligation |
| Records for key senior executives | Keep permanently | Historical purposes |

Tax records

| Document | Retention period | Reason for retention period |
|---|---|---|
| Records of all delivery of goods or services and of imports and exports for VAT purposes | 7 years from the date the records were created | Legal Obligation |

Other documents

| Document | Retention period | Reason for retention period |
|---|---|---|
| Trustee/director/governor minutes of meetings and decisions made as resolutions in writing | 11 years from the date of the meeting or from the date of passing a resolution in writing | Legal Obligation |
| Minutes of general meetings and members’ resolutions passed other than at a general meeting | 11 years after the date of the meeting/resolution/decision | Legal Obligation |
| Directors’ service contracts | 2 years from the date of termination of the contract | Legal Obligation |
| Annual accounts and annual review | Permanently | Legal Obligation |
| Health and safety records | 4 years for general records. Permanently for records relating to hazardous substances. | Legal Obligation |
| Contract with customers, suppliers or agents, licensing agreements, rental/hire purchase agreements, indemnities and guarantees and other agreements or contracts | 7 years after expiry or termination of the contract. If the contract is executed as a deed, the limitation period is twelve years | Legal Obligation |
| The Provider must ensure regular supervision and team meetings are established and recorded in a written form. All written documentation regarding these meetings must be retained. | 4 years from the date of the meeting/documents. | Contract |
| The Provider must put in place a mechanism for gathering and analysing feedback from staff and volunteers and setting action plans. All written documentation regarding these mechanisms must be retained. | 4 years from the date of the meeting/documents. | Contract |