Privacy Notice for Visitors and Family
This notice applies to current and former living visitors of the care home, including family members of our residents. This notice does not form part of any contract to provide services to you or your relative. We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
Who we are
Korian UK Ltd and Korian UK Estates Ltd (“we” or “Company”) are each a ‘controller’. This means that we are responsible for deciding how we hold and use personal information about you. In accordance with and as required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) and the Data Protection Act 2018, we have implemented this privacy notice to inform you, as visitors to a care home run by the Company, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
Data Protection Principles
Under the UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisation measures
g) we comply with the relevant UK GDPR procedures for international transferring of personal data
The personal information we collect and use
Information collected by us directly and from other sources
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection. This is covered in a later section of this privacy notice.
In the course of providing residential and nursing care for our residents, we collect and keep several categories of personal information when you provide it to us. We keep this data in files relating to each resident and we also hold the data within our computer systems.
Specifically, we collect, hold and use the following types of data about you:
• Identity Data: your name, title, address, date of birth, telephone numbers, email addresses.
• Your gender and/or marital status.
• Your coronavirus vaccination status and information.
• CCTV footage.
• Image and videos for marketing purposes (with your consent).
• Building access records.
In some cases, we will collect data about you from third parties, such as your friend or relative, or other parts of the health and care system.
Personal data is kept in files or within the Company’s IT systems.
How we use your personal information
We use your personal information for the following purposes and activities:
• Creation and administration of pre-entry questionnaires for visitors, to ensure that visitor details are correct, that the visitor is feeling healthy and an up to date log of visits is maintained.
• Ensure the site is kept secure and robust against unauthorised access, for the safety of the care home residents.
• Communication with local and statutory bodies.
• Contacting you for notice of your friend or relative’s family/residents’ meetings, for emergency purposes, or other general reasons relating to your family member’s or friend’s care.
• Images and videos for marketing purposes including social media
Who we share your personal information with
We will share your personal data where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Data is shared with third parties for the following reasons:
• With social workers, relevant local authorities, NHS or CCG to carry out a care needs or financial assessment. This will ensure the most appropriate and effective care package is provided for your friend or relative.
• With local or safeguarding authorities, including the Care Quality Commission, Local Authority Safeguarding Teams, the Police, the Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC), as required under the Care Act or applicable law.
• For audit purposes, the Company Statutory Auditors will review information containing personal information in order to comply with a legal obligation upon us
• With insurance companies for any claims made.
• The police or other law enforcement agencies if we have to by law or court order.
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. Where your personal data is shared in the context of a Company sale or restructure, we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, or in order to provide services to us.
All our third-party service providers and other entities in the Company group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
National Data Opt-Out
Berkley Care and all our associated subsidiaries reviews our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies. If any data processing falls within the scope of the National Data Opt-Out, we use MESH to check if any of our residents have opted out of their data being used for this purpose
At this time, we do not share any data for planning or research purposes for which the national data opt out would apply. We review all the confidential resident information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.
How long your personal information will be kept
We will hold your personal data for no longer than is necessary under applicable UK law to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Some data retention periods are set by the law. Retention periods can vary depending on why we need your personal data; however, under our standard policy, we will hold financial information relating to the invoicing for our care services for a period of 7 years, while all other personal information will be held for a period of 3 years after we have ceased to provide our care services to you. Personal data is deleted or securely destroyed at the end of its retention period.
Reasons we can collect and use your personal information
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement; where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; in order to perform the contract we have with you or in pursuit of our legitimate interests. We may also use your personal data where we need to protect you (or someone else’s) interests; or where it is needed in the public interest or for an official purpose.
The information below categorises the types of data processing we undertake and the lawful basis we rely on.
|Type of activity||Lawful Basis|
|Creation and administration of pre-entry questionnaire for visitors||Legitimate interest (to allow us to provide highquality care and support to residents and ensure safety of residents from Coronavirus and other transmissible viruses)|
|Creating and updating resident’s care plan||Legitimate interest (to allow us to provide highquality care and support to residents)|
|Visiting resident in the care home facility||Legitimate interest (to allow us to provide highquality care and support to residents)|
|Collation of enquiry data including name and contact details plus status of relationship with prospective customer||Legitimate interests (to gather information to ensure we can provide required services)|
|Collation of enquiry data including name and contact details plus status of relationship with prospective customer||Legitimate interests (to gather information to ensure we can provide required services)|
|Reporting to safeguarding and regulatory authorities||Legal obligation|
|Complying with health and safety obligations||Legal obligation|
|Gathering feedback and comments from you for the purposes of quality assurance by way of surveys and pulse surveys||Our legitimate interests (to ensure quality assurance and continuous improvement through feedback)|
|Undertaking a needs assessment or financial assessment with local authority||Legitimate interest (to allow us to provide highquality care and support to residents)|
|Dealing with legal claims made against us||Our legitimate interests (respond to and defend against legal claims)|
|Operating CCTV in communal interior and exterior areas of our care homes||Our legitimate interests (as part of safety and risk management)|
|Preventing fraud||Our legitimate interests (to prevent fraud and other illegal activity)|
Where we rely upon legitimate interest as a reason for processing personal data, we have considered whether or not those interests are overridden by the rights and freedoms of the contractor and have concluded that they are not.
Special Categories Of Personal Data
Special categories of personal data are data relating to your:
b) sex life
c) sexual orientation
e) ethnic origin
f) political opinion
h) trade union membership
i) genetic and biometric data.
These special categories of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of data when the following applies:
a) in limited circumstances, where you have given explicit consent to the processing.
b) we must process the data in order to carry out our legal obligations or exercise rights in connection with employment.
c) we must process data for reasons of substantial public interest, such as for equal opportunities monitoring or in relation to an occupational pension scheme.
d) where it is necessary to protect you or another person from harm.
e) where it is needed in relation to legal claims.
f) where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
g) you have already made the data public.
In general, we will not process particularly sensitive personal data about you unless it is necessary for performing or exercising obligations or rights in connection with your residential care. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. For example, we may process your particularly sensitive personal data:
a) if we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being; or
b) specifically your physical health, to ensure that you are feeling healthy and well when visiting your friend or relative at the appropriate care home to prevent the spread of Covid-19 and other transmissible viruses, including requesting confirmation and evidence of a negative lateral flow Coronavirus test.
We do not need your consent if we use special categories of your personal information to carry out our legal obligations or exercise specific rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.
Transfer of your information out of the EEA
We will transfer the personal information we collect about you to countries within the European Economic Area in order to perform our contract with you. There are adequacy regulations in respect of those countries within the European Economic Area. This means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
Failure To Provide Data
Your failure to provide us with data may mean that we are unable to grant you access to the applicable residential care home that your friend or relative resides in. We may also be prevented from complying with our legal obligations, such as to ensure the health and safety of our residents.
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated Decision Making
Automated decision-making means making decision about you using no human involvement e.g. using computerised filtering equipment. We are allowed to use automated decisionmaking in the following circumstances:
1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you, unless we have a lawful basis for doing so and we have notified
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Under certain circumstances, you have a number of important rights in relation to the personal data we hold on you. In summary, those include rights to:
• Fair processing of information and transparency over the personal data we hold on you and how we use your use personal information.
• Access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Require us to correct any mistakes in your information which we hold, however they come to light. This is also known as ‘rectification’.
• Require the erasure of personal information concerning you in certain situations. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. This is also known as ‘erasure’
• Data portability i.e., you have the right to receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to a third party in certain situations
• Object at any time to processing of personal information concerning you for direct marketing
• Object to profiling or decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
• Object in certain other situations to our continued processing of your personal information, including the right to object to the inclusion of any personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground
• Otherwise restrict our processing of your personal information in certain circumstances. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with, and an explanation of the reason will be provided.
If you wish to exercise any of the rights explained above, please contact our Data Protection Officer, details of which are at the end of this policy.
Where you have provided consent to our collection, processing or transfer of your personal data for a specific purpose, you also have the right to withdraw that consent at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will stop processing your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a genuine business need to know it. Those processing your information will do so only in an authorised manner on our instructions and are subject to a duty of confidentiality. Details of these measures may be obtained from our Data Protection Officer.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. This notification will be made without undue delay and may, dependent on the circumstances, be made after the supervisory authority is notified.
The following information will be provided when a breach is notified to the affected individuals:
a) A description of the nature of the breach
b) The name and contact details of the data protection officer where more information can be obtained
c) A description of the likely consequences of the personal data breach
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information. The UK GDPR also gives you the right to lodge a complaint with the Information Commissioner (ICO). You can contact the ICO at https://ico.org.uk/concerns/ or Information Commissioner’s
Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or telephone: 0303 123 1113 (local rate) or 01625 545 745.
Changes to this privacy notice
This privacy notice was updated and published on 14 August 2023. We may (and reserve the right to) change this privacy notice from time to time. When we do, we will inform you via your chosen stated method of communication with us and provide you with an updated copy of this notice as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your personal information.
How to contact us
We have appointed a Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or the information we hold about you, or how we handle your personal information, please write to us at either Berkley Care Group, The Pavilion, Ashlyns Hall, Chesham Road, Berkhamsted, HP4 2ST or firstname.lastname@example.org, addressing all correspondence to the Chief HR Officer (Leah Smith), the designated person responsible for data protection matters; or call 07826 133549.