At Hollybank Trust, we are committed to protecting and respecting the privacy of our service users, their families, employees, website visitors, supporters, suppliers, Governors, or anyone who might come into contact with us.
This privacy notice explains how and why we collect personal information and what we do with this information. How we use your data will depend on our relationship with you and how you interact with our services.
Once Hollybank has collected your personal data to facilitate various functions, outlined in this notice, then Hollybank become what is known as the Data Controller.
This simply means that we are responsible for keeping your information secure and confidential.
We have senior members of staff, including a Data Protection Officer, a Senior Information Risk Owner and a Caldicott Guardian, who regularly check that we are compliant with the law when using your personal information. The team can be contacted directly at the Trust on 01924 490833 or via email at: [email protected]. Melanie Hill is our Data Protection Officer and can be contacted at: [email protected]
What Personal Data do we hold and why do we hold and process it?
The information we collect may include your name, address, phone number, email address or images or it may be more sensitive personal information relating to your health, for example: all personal information we collect will be for a specific purpose or purposes that Hollybank require to fulfil our various functions, obligations and responsibilities. Using your personal details for these purposes is commonly known as processing your personal information.
Children, Young People and Adults – The majority of personal information that Hollybank will take part in be processing relates directly to children, young people and adults. If you attend our school, Little Pips, attend sessions or stay in one of our residential homes, it is essential that we have a complete picture of all of your requirements. This will assist our employees involved in your care to deliver appropriate, safe and effective care and support; so, as well as basic demographics such as your name and date of birth we require a full medical history and details of your interactions with other related services. We need to use this information in all the locations where care is provided.
We might be required to share this information with various external agencies such as our regulators, commissioning bodies, health and social welfare organisations, the Department of Education, the local authority, charities and voluntary organisations.
We are mandated to provide information about pupils within Hollybank to the Department for Education as part of statutory data collections such as the school census and early years census. Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department for Education and provides evidence on school performance to inform research and service planning. The Department for Education may share information from the NPD with other organisations which promote children’s education or wellbeing in England. If you would like further information, please contact the Department for Education on 0370 000 2288 or access their website at: https://www.gov.uk/guidance/data-protection-how-we-collect-and-share-research-data
National Data Opt-Out – Research and Planning
Health records contain confidential information, which can be used to help with research and planning. We will never use your identifiable data for research or planning purposes, you can however opt-out from other organisations using your data in this way. If you would like this to stop, you can opt out of this yourself or on behalf of someone else. For example, if you are a parent or guardian of a child under the age of 13. To find out more please visit:
nhs.uk/your-nhs-data-matters
If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations:
N.B. We do not share information about you with any third party without consent unless the law allows us to do so.
Information about other people
If you provide personal data to us relating to any person other than yourself, you must ensure before you do so that they understand how their personal data will be used and that you are authorised to disclose it to us, and to consent to its use on their behalf. You should bring this privacy notice to their attention.
How do we collect information from you?
As a provider of support, care and education to over 100 children, young people and adults at our school, residential homes and adult daytime activity programme we will collect personal information that enables us to undertake the associated functions.
We collect personal data from you in connection with specific activities such as registering to take part in an event, supplying us with products or services, volunteering, making a donation, employment purposes or visiting our website.
Depending on how we interact with you, we may collect personal data from you in various ways such as:
For our residential children, young people and adults we will be given information from various healthcare professionals involved in your current and historical care and we might also receive information from various third parties such as social services, advocates, carers, relatives and friends. This information can be received verbally, in writing, by electronic means or via telephone.
Other processing of your personal information
CCTV
If you visit our premises, we may have CCTV images of you as you move around the site, these images are purely used for your personal safety.
Cookies
We use cookies to monitor and track website usage and improve the quality of our website. We look at the number of visitors we receive, our total page views and monitor which pages are most popular. We also monitor how users reach our website (such as through Facebook or Google search). The information we collect is anonymous and we do not collect personally identifiable information. When you visit our website, you can turn off this feature by clicking the “opt out” cookie pop-up.
Donations – Credit and Debit card information
If you use our website to donate to us, “Just Giving” – our third-party card processor will process your card details and Hollybank does not receive any of these card details. We will receive a notification of payment to us with the details that you disclosed at the time of payment. By using this service you are agreeing to Just Giving’s Privacy Notice which can be found here.
If you use “PayPal” to donate to us, PayPal are processing your card details and Hollybank do not receive any of these details. We receive a notification with your name and your address and contact details if you disclose them. This is used to administrate any donations received. By using this service, you are agreeing to PayPal’s Privacy Notice which can be found here.
If you provide us with your card details in person at our on-site canteen, within ELMS, Bradbury or over the phone, all identifiable credit and debit card details and validation codes are destroyed securely once a payment or donation has been processed. Only staff who are authorised to process payments will handle your personal data.
However you choose to make a donation, your payment and personal data is then stored onto our donor management system to create a profile, which helps us to administer your payments.
Direct Marketing
Hollybank would like to contact its supporters from time to time with news and updates on what is happening at Hollybank. You can update your preferences at any time by contacting the Communications team on 01924 490833
Bradbury and ELMS
We collect your personal information if you are a visitor to either of these sites. We will collect some basic personal information from you such as your name and address to administer your visit and will also require your bank card details to process any electronic payments you make for our
services. We also require information relating to your health conditions and requirements so that we can ensure that you fully enjoy the facilities on offer in a safe and comfortable environment.
Recruitment
The personal information that you provide to us when you apply for a job with Hollybank will be used solely for undertaking essential tasks that are required as part of the recruitment process. This data will not be used for any secondary purpose. Processing data from job applicants allows Hollybank to manage our recruitment process, assess and confirm candidates’ suitability for employment and decide whom to offer a job to. During this exercise we are mandated to comply with legal obligations, such as undertaking DBS checks and we might also require details on your health that will help us to identify if any changes are required to our recruitment process. If your application is unsuccessful, we may keep your personal data on file for future use in the event that suitable future employment opportunities arise, this is stored internally for no more than six months and by our third-party supplier for no more than two years. We also request information from the referees you provide, which is done in confidence. At the onset of the recruitment process we are now required to record the Covid-19 vaccination status of any person who applies for a role with the Trust, this will be held in accordance with Data Protection Regulations and only shared in the event of a CQC inspection.
Employees
We will process your personal data for all aspects of your employment with Hollybank. As well as collecting your bank details and national insurance number to enable us to pay your salary and administer your pension and benefits, we will also undertake criminal record and health checks. We are required to hold the Covid-19 vaccination status of all staff, this may be shared with CQC inspectors if they require it. We will use the information you provide us with to carry out anything related to your performance management, including any appraisals or disciplinaries. For drivers, we need to undertake DVLA checks and for those members of staff that drive on behalf of the company, we will monitor your driving behaviour through our telematics software. We are mandated to obtain personal information from you for the purposes of Equal Opportunities monitoring and we will share appropriate information with national bodies such as HMRC and the DWP. We will also share statistical information with Adult Social Care Workforce Data Set (ASC-WDS) to be used for workforce intelligence for adult social care.
Our Legal Basis for using this data
Under current data protection legislation – Data Protection Act 2018 – Hollybank are required to identify a legal basis to process your personal information. The legal basis will depend upon how you interact with Hollybank, but we have listed below the legal basis that we will be using to justify the processing of your personal information.
The legal bases outlined above cover our processing of your personal information, such as name, address and email address. If, however Hollybank are required to process what is referred to as special category data, such as your health care information then we are required to identify a further legal basis specifically to cover this additional processing. To process special category data the legal basis we will be applying will be one of the following:
How do we store your data?
Your data is stored internally both on paper, electronically and in the cloud. We may use an electronic database to store information such as for supporters or suppliers. We take appropriate technical and organisational steps to ensure the security of all personal data, and we have strict policies in place around the use of technology, devices and access to systems.
Who has access to your information
Only people and departments who require access to the data for the performance of their roles will be able to see your data. Every individual who works for Hollybank has a legal and contractual obligation to keep information about you confidential.
Third party providers
We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes, including direct marketing, for example.
We share your information with third parties in the following ways:
Data Protection Impact Assessments
When using personal data in a new way or changing the way we use personal data, we conduct a Data Protection Impact Assessment to ensure the proposed change meets Data Protection Requirements and to help us to decide whether this change is a positive move . Our completed DPIAs can be made available should you wish to see how we ensure the software and processes we use are as safe as possible. Please contact us via data.protectio[email protected] if you wish to view any of these documents.
How long do we keep your information?
We only keep your information for as long as we are required to do so by law. Our Retention and Destruction of Records Policy sets out how we securely destroy your data once it is no longer required, as well as how long we keep your information for.
How can you access and update your information
It is up to you how you want to hear from us and you can let us know at any time if you would like to change the way we send you information or update your information. You can request a copy of the data we hold on you, known as a Subject Access Request, by contacting our Data Protection Team at [email protected].
Your choices
You have a number of rights when it comes to the personal data that we have. You can:
Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
If you do have any concerns about the way in which we are processing your personal information or wish to restrict the processing of your personal information, please contact our Data Protection Team in the first instance: [email protected]
If, following a review by the Data Protection Officer, you would like to make a complaint about the way that Hollybank is processing your personal information you can do so through the Information Commissioner’s Office on their website. (www.ico.org.uk)
Hollybank Trust is a registered Charity: 1043129