OxleyCare Privacy Notice
OxleyCare understands that your privacy is important to you and that you care about how your personal data is used. We respect and value the privacy of all of our clients, potential new clients, employees of OxleyCare Limited (including those subcontracted to OxleyCare Limited) and visitors to our website.
We will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and subject to the UK General Data Protection Regulation (UK GDPR).
Who are we?
OxleyCare Limited is a “controller” for the purpose of your personal data. This means that we determine the purpose and means of the processing of your personal data. You will find our contact details at the end of this notice.
Key Terms
The following are some of the terms used within this document.
“we, us, our, OxleyCare, Oxley Limited” | OxleyCare Limited |
Our website | www.oxleycare.co.uk |
Personal data | Any information relating to an identified or identifiable individual |
Special category data | Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic and biometric data and data concerning health, sex life or sexual orientation |
Criminal offence data | Data relating to criminal convictions and offences, allegations, or proceedings |
Personal data we collect and use
Depending upon your relationship with OxleyCare, we may collect and hold some or all of the personal and non-personal data set out in the table below.
Individual clients [including potential new clients]
Personal data we will collect | |
Identity Data | Your name and title. Information to enable us to check and verify your identity, e.g. your date of birth, your NHS number, your national insurance number, your passport, photocard driver’s licence, bank statement or recent utility bill |
Contact Data | Your address (postal and/or email) and telephone number (landline and/or mobile) |
Health & Financial Data | Information that you (or a third party) give us (including special category data) relating to the matter in which you are seeking our advice or care. Your financial details so far as relevant to your requirements e.g., the source of your funds [if private, social funding or other] if you are instructing us or your bank details if we need to return money to you in the event of a refund of services. |
Personal data we may collect | |
Marketing data | Marketing and communications information, which may include your communication preferences |
Other data | Information we ask for or that you volunteer to us when you correspond with us by email, post, telephone or text or information from social media accounts when interacting with us via a personal profile (e.g., Facebook, Instagram, Twitter, or LinkedIn) |
Prospective new client
Personal data we will collect | |
Identity Data | Your name and title. Your date of birth |
Contact Data | Your address (postal and/or email) and telephone number (landline and/or mobile) |
Health and Financial Data | Information that you (or a third party) give us (including special category data) relating to the matter in which you are seeking our advice or care. Your financial details so far as relevant to your requirements e.g., the source of your funds [if private, social funding or other] if you are instructing us or your bank details if we need to return money to you in the event of a refund of services. |
Personal data we may collect | |
Marketing data | Marketing and communications information, which may include your communication preferences |
Other data | Information we ask for or that you volunteer to us when you correspond with us by email, post, telephone or text or information from social media accounts when interacting with us via a personal profile (e.g., Facebook, Instagram, Twitter, or LinkedIn) |
Other individuals with whom we deal, or whose data we handle during the course of our business (e.g., individuals who work for or represent our clients, healthcare professionals or suppliers)
Personal data we will collect | |
Identity Data | Your name and title |
Contact Data | Your address (postal and/or email) and telephone number (landline and/or mobile) |
Health and Financial Data | Information that you (or a third party) give us (including special category data) relating to the matter in which you are seeking our advice or care. Your financial details so far as relevant to your requirements e.g., the source of your funds [if private, social funding or other] if you are instructing us or your bank details if we need to return money to you in the event of a refund of services. |
Personal data we may collect | |
Identity Data | Your date of birth. Information to enable us to verify your identity: your national insurance number; your passport, driver’s licence, bank statement or utility bill [including special category data] |
Marketing data | Marketing and communications information, which may include your communication preferences |
Other data | Information we ask for or that you volunteer to us when you correspond with us by email, post, telephone or text or information from social media accounts when interacting with us via a personal profile (e.g., Facebook, Instagram, Twitter, or LinkedIn) |
How your personal data is collected
We collect most personal data from you. However, we may also collect information:
- directly from a third party e.g.
- health consultants and other healthcare professionals, that we may engage in relation to you.
- your previous employment, professional body registrations or pension administrators.
- your doctors, medical and occupational health professionals.
- DWP, HMRC.
- from a referrer (e.g., your accountant); and
- other parties involved in your care and support (e.g., other solicitors, power of attorney [health and financial]);
- from cookies on our Website – for more information on our use of cookies and other similar technologies, please see our cookie policy, which you will find on our Website.
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason for doing so, for example:
- for the performance of our contract with you or to take steps to gather information at your request before entering into the terms and conditions of contract.
- to comply with our legal and regulatory obligations.
- for our legitimate interests or those of a third party; or
- where you have given consent.
A legitimate interest is when we have a business reason to use your information, so long as this is not overridden by your own rights and interests. The table below explains what we use your personal data for and our lawful basis for doing so, depending on our relationship with you.
Our purpose for using your personal data | What we do with your personal data | Lawful basis relied on under the UK GDPR | What personal data we use (the terms used in this column are taken from the table “Personal data we collect and use”) |
For our individual clients – to provide health care and support | We will collect personal data relevant to your care, support or contract and we may use it to advise and represent you. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies | Necessary for the performance of our contract with you or to take steps at your request before entering into a contract in line with our terms and conditions. | Identity Data, Contact Data, Legal Matter Data, Health & Financial Data, Other Data [including special category] |
For individuals who work for or represent our clients – to provide terms with services | We will collect personal data relevant to your care, support or contract and we may use it to advise and represent you. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies | Necessary for the legitimate interests to provide you with care, support, or contracted services. | Identity Data, Contact Data, Other Individual Data, Other Data |
For individuals with whom we deal (and/or whose personal data we handle) during the course of our business e.g., clients, prospective clients and their representative, administrative staff | We will collect your personal data and use it in connection with the contracted, subcontracted or client terms and conditions. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies | Necessary for the legitimate interests to provide you with care, support, or contracted services. | Identity Data, Contact Data, Other Individual Data, Other Data |
For other individuals who work for or represent organisations with whom we have contracts e.g., suppliers, for corresponding with you | We will collect your personal data and use it to correspond with you about the contract with the organisation you work for or represent. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies | Necessary for the legitimate interests to provide you with care, support, or contracted services. | Identity Data, Contact Data, Other Individual Data, Other Data |
For other individuals who work for or represent organisations with whom we do not have contracts e.g., prospective suppliers – e.g., for corresponding with you about the services we provide | We will collect your personal data and use it to correspond with you about e.g., the services your organisation offers and to obtain a price quote. We will store your personal data on our IT systems and destroy it in accordance with our data retention and other business policies | Necessary for the legitimate interests to provide you with care, support, or contracted services. | Identity Data, Contact Data, Other Individual Data, Other Data |
To prevent and detect fraud against you or us | We will check and monitor the security of our email and IT systems which hold your personal data and undertake other verification checks of your personal data (as necessary) | Necessary for your and our legitimate interests i.e., to minimise fraud that could be damaging for us and for you | Potentially any personal data held |
To conduct checks to identify our clients, prospective clients and others to verify yours and their identity | If we need to undertake enhanced due diligence to verify your identity, then we may need to collect further information from you e.g., a copy of your passport | Necessary for compliance with a legal obligation to which we are subject | Identity Data, Contact Data, Other Data |
For enquiries or investigations by regulatory bodies (e.g., Care Quality Commission or the Information Commissioner’s Office) or law enforcement agencies | We will extract your personal data from our IT systems and disclose it as required by law or further to a court order | Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law or a court order) | Potentially any personal data held |
To ensure our business policies are adhered to e.g., policies covering security and internet use | We will check our use of your personal data against our business policies | Necessary for our legitimate interests i.e., to make sure we are following our own internal procedures so we can deliver the best service we are able to | Potentially any personal data held |
To ensure the confidentiality of all sensitive information | We will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data | Necessary for our legitimate interests i.e. to protect trade secrets and other Necessary for compliance with a legal obligation to which we are subject | Potentially any personal data held |
For statistical analysis to help us manage our care organisation e.g. in relation to our financial performance, client base, work type or other efficiency measures | We will use relevant personal data in data analysis software and also for manual analysis | Necessary for our legitimate interests i.e., to be as efficient as we can so we can deliver the best service we are able to at the best price | Identity Data, Contact Data, Health & Financial Data, Other Individual Data, Marketing Data, Website Enquiry Data, Other Data |
To prevent unauthorised access and modifications to our systems | We will put in place reasonable and appropriate security measures to protect the integrity of our systems that hold your personal data | Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law). Necessary for our legitimate interests or those of a third party i.e., to prevent and detect criminal activity that could be damaging for us and for you | Potentially any personal data held |
To update and maintain client and other records | We will enter and hold your personal data in the relevant parts of our IT systems, and we may hold your personal data in manual records | For individual clients – necessary for the performance of our contract with you or to take steps at your request before entering into a contract with you: Article 6(1)(b) UK GDPR. Necessary for compliance with a legal obligation to which we are subject (e.g., data protection law and CQC guidance). Necessary for our legitimate interests or those of a third party i.e. to make sure we can keep in touch with you where necessary | Identity Data, Contact Data, Health & Financial Data, Other Individual Data, Website Enquiry Data, Marketing Data, Other Data |
For staff management, training, and administration of service | We will access and use your personal data held in our IT systems and may use it in emails between our staff and for training purposes and general administration of our services | Necessary for our legitimate interests i.e., to make sure we are following our own internal procedures and working efficiently so we can deliver the best service that we are able to | Potentially any personal data held (excluding Technical Data) |
To deal with complaints or legal claims against us | We will review your personal data held in our IT systems and may collect other information relevant to the complaint/legal claim. We will review any information collected and assess the merits of any complaint or legal claim. We may also communicate with third parties as necessary to seek advice/representation and/or in connection with health and care, or prospective legal proceedings | Necessary for our legitimate interests i.e., to ensure that we are able to respond to any complaints or legal claims made against us | Potentially any personal data held |
For the external audit of our accounts | We will provide access to such personal data held on our IT systems as is required by our auditors in connection with their audit of financial transactions | Necessary for compliance with a legal obligation to which we are subject (section 475 Companies Act 2006): Article 6(1)(c) UK GDPR | As required by our auditors in connection with the statutory audit of our accounts |
For our Care Quality Commission [CQC] assessment | We will provide access to such personal data held on our IT systems and manual records as is required by our CQC assessor in connection with our CQC assessment | Necessary for our clients’ legitimate interests and our legitimate interests i.e., to maintain our CQC registration so we can demonstrate we operate at the highest standards | As required by our CQC assessor in connection with our CQC registration (including special category data) |
To enforce or apply our Website terms and conditions or any other agreements | We will review your personal data held in our IT systems and if appropriate, use it to take enforcement action, including legal proceedings | Necessary for our legitimate interests i.e., to enforce our legal rights and protect our business | Identity Data, Contact Data, Health & Financial Data, Other Individual Data, Website Enquiry Data, Other Data |
To administer and protect our business and our Website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | We will use your personal data held in our IT systems | Necessary for our legitimate interests i.e. for running our business, network security, to prevent fraud and in the context of a business reorganisation. Necessary for compliance with a legal obligation to which we are subject (e.g. data protection law): Article 6(1)(c) UK GDPR | Potentially any personal data held |
To improve our Website and your experience (through the use of data analytics) | We will use personal data collected via cookies and other similar technologies on our Website | Necessary for your and our legitimate interests i.e., to understand how our Website is used, keep our Website updated and relevant, improve your user experience and to develop our business | Technical Data, Usage Data |
With permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email, telephone, text message and post with information, news, and updates on our services.
You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the Data Protection Legislation and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out. We do not share your personal data with third parties for marketing purposes.
We will only use your personal data for the purpose(s) for which it was originally collected unless we reasonably believe that another purpose is compatible with that or those original purpose(s) and need to use your personal data for that purpose. If we do use your personal data in this way and you wish us to explain how the new purpose is compatible with the original, please contact us using the details in Part 11.
If we need to use your personal data for a purpose that is unrelated to, or incompatible with, the purpose(s) for which it was originally collected, we will inform you and explain the legal basis which allows us to do so.
In some circumstances, where permitted or required by law, we may process your personal data without your knowledge or consent. This will only be done within the bounds of the UK GDPR Regulations and your legal rights.
Cookies
What Are My Rights?
Under the Data Protection Legislation, you have the following rights, which we will always work to uphold:
- The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact OxleyCare to find out more or to ask any questions.
- The right to access the personal data we hold about you.
- The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete.
- The right to erasure, i.e., the right to ask us to delete or otherwise dispose of any of your personal data that we hold.
- The right to restrict (i.e., prevent) the processing of your personal data.
- The right to object to us using your personal data for a particular purpose or purposes.
- The right to withdraw consent. This means that, if we are relying on your consent as the legal basis for using your personal data, you are free to withdraw that consent at any time.
- The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.
- Rights relating to automated decision-making and profiling. We do not use your personal data in this way.
For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided at the end of this document.
It is important that your personal data is kept accurate and up to date. If any of the personal data we hold about you changes, please keep us informed as long as we have that data. Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.
If you have any cause for complaint about our use of your personal data, you have the right to raise a complaint in line with OxleyCare P12 Complaints Policy. We would welcome the opportunity to resolve your concerns ourselves, however, so please contact us first, using the details documented at the end of this document. Alternatively, a complaint can be raised with the Information Commissioner’s Office.
How Long Will You Keep My Personal Data?
We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):
Type of Data | How Long We Keep It |
Identity Data, Contact Data, Health & Financial Data, Other Individual Data, Website Enquiry Data, Other Data | For the length of the Carer contract with OxleyCare plus any additional retention period laid out within GDPR legislation. |
Special category data | For the length of the Carer contract with OxleyCare plus any additional retention period laid out within GDPR legislation. |
How and Where Do You Store or Transfer My Personal Data?
We will only store or transfer your personal data within the UK. This means that it will be fully protected under the Data Protection Legislation.
The security of your personal data is essential to us, and to protect your data, we take a number of important measures, including the following:
- Limiting access to your personal data to those employees, agents, contractors, and other third parties with a legitimate need to know and ensuring that they are subject to duties of confidentiality.
- Procedures for dealing with data breaches (the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, your personal data) including notifying you and/or the Information Commissioner’s Office where we are legally required to do so.
- Information Technology controls including firewall, anti-malware, user access control, hierarchy access to electronic files.
Do You Share My Personal Data?
We will not share any of your personal data with third parties, subject to the following exceptions. We may sometimes contract with the following third parties to supply services:
Recipient | Activity Carried Out | Sector | Location |
Local authority or council, CQC who commission us | We provide data in order to monitor and review our contracts. Most is summary, anonymised data. | Local authority/council/CQC/NHS | Local authority/CQC/NHS |
If any of your personal data is shared with a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
How Can I Access My Personal Data?
If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.
All subject access requests should be made in writing and sent to the email or postal addresses shown at the end of this document. There is not normally any charge for a subject access request. If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
How Do I Contact You?
To contact us about anything to do with your personal data and data protection, including to make a subject access request, please use the following details:
Data Security and Protection Lead: Edward Parker
Email address: edward.parker@oxleycare.co.uk
Telephone number: 01980 846690
Postal Address: A10, Aspire Business Centre, Ordnance Road, TIDWORTH, Wiltshire, SP97QD
Changes to this Privacy Notice
We may change this Privacy Notice from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.
This Privacy Notice is dated September 2023 and supersedes all previous versions.
This privacy notice is to be used in conjunction with OxleyCare Privacy Statement and any other relevant policy and procedure.