Legal basis for gathering and processing data
What is the lawful basis for Chrysalis Care processing data?
Chrysalis Care will process personal data in line with one of three lawful reasons. This will be either ‘contract’ for employees, Clients and NHS; ‘legal obligation’ for employees; ‘public task’ for NHS clients; or ‘consent’ for Private Clients.
When will we collect personal data?
For NHS/LA and Private Clients and their Next of Kin:
* At initial enquiry stage
* Assessment process
* Prior to and throughout the contract of service
For employees:
* Job application process
* Selection process
* Contract of employment
* Duration of employment
What sort of personal data do we collect for employees? We may collect the following information:
* Name, age, job title
* Contact information including email address, telephone numbers
* Demographic information such as postal address
* Other information relevant to job applications
* Health, education, qualification, registrations
* ID for statutory requirement data
* DBS checks
* Financial information for legal purposes for HMRC
What sort of personal data do we collect for NHS and Private Clients?
* Name, age, status
* Next of Kin data
* Assessment of need details
* Health information, medical records
How and why we use your personal data:
Private and NHS clients: Provision of the service to NHS clients is a public task that requires a needs assessment. Chrysalis Care are obligated to provide personal data and information at the request of NHS and CQC.
The data subject will be aware that only appropriate information will be shared with a third party as detailed in the service contracts.
Chrysalis Care will ensure personal data is shared via secure electronic communication which is password protected.
As an employer Chrysalis Care are required under legal obligation to provide HMRC with financial information.
The data processing is used to enable Chrysalis Care to make an informed decision about the suitability of the employee to undertake a public task related to the safeguarding of vulnerable adults.
How we protect your personal data:
Chrysalis Care are committed to ensuring that your information is kept secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard security information.
How long do we hold your information?
| Type of Data | Suggested Retention Period | Reason |
| --- | --- | --- |
| Staff Personnel files including training records and notes of disciplinary and grievance hearings | 6 years from the end of employment | Contract References and potential litigation |
| Application forms/interview notes | At least 6 months from the date of the interviews | Time limits on litigation |
| Private and NHS Client records and data | 10 years from date of end of contract | Contract/ Public Task Health and Social Care Act 2008 |
| Income tax and NI returns, including correspondence with tax office * | At least 3 years after the end of the financial year to which the records relate | Legal obligation Income Tax (Employment) Regulations 1993 |
| Wages and Salary records * | 6 years | Legal obligation Taxes Management Act 1970 |
Who do we share your personal data with?
NHS/LA and Private client data:
* NHS LA where appropriate
* CQC
* Family members/advocate/friends (with consent where necessary)
* Relevant lawful statutory agencies and advisory bodies e.g. Doctor, OT, Pharmacy
Employee data:
* HMRC
* CQC
* Accountants
* For recruitment processing, i.e. referees and previous employers
* Other statutory bodies such as Disclosure and Barring Service
* Other employees with permission (i.e. contact details with consent)
What are your rights over your personal data?
You have the right to request:
* access to your personal data
* the correction of your personal data when incorrect, out of date or incomplete
* where consent has been given, you have the right to withdraw your consent (this may affect the contracted service provided)
If you have any questions or queries then please contact the Chrysalis DPO (Data Protection Officer):
Joanna Oliver
Chrysalis Care
Kings House
7 Princes Street
Bexleyheath
Kent DA7 4BQ
Jo.firstname.lastname@example.org
0208 2982800
If for any reason you feel that your data has not been handled correctly, or you are unhappy with the response to any requests you have made regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner's Office.
Contacting the regulator:
You can contact them by calling 03031231113
Or go online to www.ico.org.uk/concerns