Privacy Policy

At Hollybank Trust, we are committed to protecting and respecting the privacy of our service users, their families, employees, website visitors, supporters, suppliers, Governors, or anyone who might come into contact with us.

This privacy notice explains how and why we collect personal information and what we do with this information. How we use your data will depend on our relationship with you and how you interact with our services.

Once Hollybank has collected your personal data to facilitate the various functions outlined in this notice, Hollybank becomes what is known as the Data Controller.

This simply means that we are responsible for keeping your information secure and confidential.

We have senior members of staff, including a Data Protection Officer, a Senior Information Risk Owner and a Caldicott Guardian, who regularly check that we are compliant with the law when using your personal information. The team can be contacted directly at the Trust on 01924 490833 or via email at: [email protected]. Melanie Hill is our Data Protection Officer and can be contacted at: [email protected]

What Personal Data do we hold and why do we hold and process it?

The information we collect may include your name, address, phone number, email address or images, or it may be more sensitive personal information relating to your health, for example. All personal information we collect will be for a specific purpose or purposes that Hollybank require to fulfil our various functions, obligations and responsibilities. Using your personal details for these purposes is commonly known as processing your personal information.

Children, Young People and Adults – The majority of personal information that Hollybank will be processing relates directly to children, young people and adults. If you attend our school, Little Pips, attend sessions or stay in one of our residential homes, it is essential that we have a complete picture of all of your requirements. This will assist our employees involved in your care to deliver appropriate, safe and effective care and support; so, as well as basic demographics such as your name and date of birth, we require a full medical history and details of your interactions with other related services. We need to use this information in all the locations where care is provided.

We might be required to share this information with various external agencies such as our regulators, commissioning bodies, health and social welfare organisations, the Department of Education, the local authority, charities and voluntary organisations.

We are mandated to provide information about pupils within Hollybank to the Department for Education as part of statutory data collections such as the school census and early years census. Some of this information is then stored in the National Pupil Database (NPD), which is owned and managed by the Department for Education and provides evidence on school performance to inform research and service planning. The Department for Education may share information from the NPD with other organisations which promote children’s education or wellbeing in England. If you would like further information, please contact the Department for Education on 0370 000 2288 or access their website at:

National Data Opt-Out – Research and Planning
Health records contain confidential information, which can be used to help with research and planning. We will never use your identifiable data for research or planning purposes; you can, however, opt out from other organisations using your data in this way. If you would like this to stop, you can opt out yourself or on behalf of someone else, for example if you are a parent or guardian of a child under the age of 13. To find out more please visit:

If you choose not to allow your confidential patient information to be used for research and planning, your data may still be used in some situations:

  • When required by law – your confidential patient information may still be used when there is a legal requirement to provide it, such as a court order.
  • Where there is overriding public interest – your confidential patient information may still be used in an emergency or in situations where there is an overriding benefit to others. For example, to help manage contagious diseases and stop them spreading, like meningitis and COVID-19. In these situations, the safety of others is most important.
  • Information about your health care or treatment may still be used in research and planning if the information that can identify you is removed first.
  • Where there is a specific exclusion – when information is used to collect official national statistics, like the Population Census.

N.B. We do not share information about you with any third party without consent unless the law allows us to do so.

Information about other people

If you provide personal data to us relating to any person other than yourself, you must ensure before you do so that they understand how their personal data will be used and that you are authorised to disclose it to us, and to consent to its use on their behalf. You should bring this privacy notice to their attention.

How do we collect information from you?

As a provider of support, care and education to over 100 children, young people and adults at our school, residential homes and adult daytime activity programme we will collect personal information that enables us to undertake the associated functions.

We collect personal data from you in connection with specific activities such as registering to take part in an event, supplying us with products or services, volunteering, making a donation, employment purposes or visiting our website.

Depending on how we interact with you, we may collect personal data from you in various ways such as:

  • Through face-to-face interactions, through this website, by e-mail, over the phone or using any paper forms you might complete.
  • From another organisation such as Just Giving, Google Analytics or Vacancy Filler.
  • Directly from you when you contact us when enquiring about our services or when making a donation.

For our residential children, young people and adults we will be given information from various healthcare professionals involved in your current and historical care and we might also receive information from various third parties such as social services, advocates, carers, relatives and friends. This information can be received verbally, in writing, by electronic means or via telephone.

Other processing of your personal information

If you visit our premises, we may have CCTV images of you as you move around the site; these images are used purely for your personal safety.

We use cookies to monitor and track website usage and improve the quality of our website. We look at the number of visitors we receive, our total page views and monitor which pages are most popular. We also monitor how users reach our website (such as through Facebook or Google search). The information we collect is anonymous and we do not collect personally identifiable information. When you visit our website, you can turn off this feature by clicking the “opt out” cookie pop-up.

Donations – Credit and Debit card information

If you use our website to donate to us, “Just Giving”, our third-party card processor, will process your card details and Hollybank does not receive any of these card details. We will receive a notification of payment to us with the details that you disclosed at the time of payment. By using this service you are agreeing to Just Giving’s Privacy Notice which can be found here.

If you use “PayPal” to donate to us, PayPal are processing your card details and Hollybank do not receive any of these details. We receive a notification with your name and your address and contact details if you disclose them. This is used to administrate any donations received. By using this service, you are agreeing to PayPal’s Privacy Notice which can be found here.

If you provide us with your card details in person at our on-site canteen, within ELMS, Bradbury or over the phone, all identifiable credit and debit card details and validation codes are destroyed securely once a payment or donation has been processed. Only staff who are authorised to process payments will handle your personal data.

However you choose to make a donation, your payment and personal data is then stored on our donor management system to create a profile, which helps us to administer your payments.

Direct Marketing

Hollybank would like to contact its supporters from time to time with news and updates on what is happening at Hollybank. You can update your preferences at any time by contacting the Communications team on 01924 490833.

Bradbury and ELMS

We collect your personal information if you are a visitor to either of these sites. We will collect some basic personal information from you such as your name and address to administer your visit and will also require your bank card details to process any electronic payments you make for our services. We also require information relating to your health conditions and requirements so that we can ensure that you fully enjoy the facilities on offer in a safe and comfortable environment.


The personal information that you provide to us when you apply for a job with Hollybank will be used solely for undertaking essential tasks that are required as part of the recruitment process. This data will not be used for any secondary purpose. Processing data from job applicants allows Hollybank to manage our recruitment process, assess and confirm candidates’ suitability for employment and decide whom to offer a job to. During this exercise we are mandated to comply with legal obligations, such as undertaking DBS checks, and we might also require details on your health that will help us to identify if any changes are required to our recruitment process. If your application is unsuccessful, we may keep your personal data on file for future use in the event that suitable future employment opportunities arise; this is stored internally for no more than six months and by our third-party supplier for no more than two years. We also request information from the referees you provide, which is done in confidence. At the onset of the recruitment process we are now required to record the Covid-19 vaccination status of any person who applies for a role with the Trust; this will be held in accordance with Data Protection Regulations and only shared in the event of a CQC inspection.


We will process your personal data for all aspects of your employment with Hollybank. As well as collecting your bank details and national insurance number to enable us to pay your salary and administer your pension and benefits, we will also undertake criminal record and health checks. We are required to hold the Covid-19 vaccination status of all staff; this may be shared with CQC inspectors if they require it. We will use the information you provide us with to carry out anything related to your performance management, including any appraisals or disciplinaries. For drivers, we need to undertake DVLA checks and, for those members of staff that drive on behalf of the company, we will monitor your driving behaviour through our telematics software. We are mandated to obtain personal information from you for the purposes of Equal Opportunities monitoring and we will share appropriate information with national bodies such as HMRC and the DWP. We will also share statistical information with Adult Social Care Workforce Data Set (ASC-WDS) to be used for workforce intelligence for adult social care.

Our Legal Basis for using this data

Under current data protection legislation – Data Protection Act 2018 – Hollybank are required to identify a legal basis to process your personal information. The legal basis will depend upon how you interact with Hollybank, but we have listed below the legal basis that we will be using to justify the processing of your personal information.

  • Contract – your personal information is processed in order to fulfil a contractual or potential contractual arrangement.
  • Consent – where you agree to us using your information e.g. to receive certain information from us.
  • Legitimate interest – where we use your data in a way that we believe you would expect us to because of our relationship e.g. to monitor and improve our services. In each case where we use your data based on our legitimate interests, we carefully balance your rights and expectations to ensure that processing is fair to you.
  • Legal obligation – where there is a statutory or other legal requirement to process and share the information e.g. gift aid returns.
  • Vital interests – the processing is necessary to save someone’s life.
  • Public task – the processing is necessary for us to perform a task in the public interest or for our official functions and the task or function has a clear basis in law.

The legal bases outlined above cover our processing of your personal information, such as name, address and email address. If, however, Hollybank are required to process what is referred to as special category data, such as your health care information, then we are required to identify a further legal basis specifically to cover this additional processing. To process special category data the legal basis we will be applying will be one of the following:

  • For the provision of health or social care.
  • To protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.
  • Explicit consent from the individuals concerned.
  • Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

How do we store your data?

Your data is stored internally on paper, electronically and in the cloud. We may use an electronic database to store information such as for supporters or suppliers. We take appropriate technical and organisational steps to ensure the security of all personal data, and we have strict policies in place around the use of technology, devices and access to systems.

Who has access to your information

Only people and departments who require access to the data for the performance of their roles will be able to see your data. Every individual who works for Hollybank has a legal and contractual obligation to keep information about you confidential.

Third party providers

We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf. However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own purposes, including direct marketing, for example.

We share your information with third parties in the following ways:

  • In accordance with our legal obligations, we may share information with local authorities for example if we have safeguarding concerns.
  • On occasion, we may need to share information with the police.
  • We may also need to share information with our legal advisors for the purpose of obtaining legal advice.
  • Occasionally we may use consultants, experts or other advisors to assist Hollybank in fulfilling its obligations. We might need to share your information with them if this is relevant to their work.
  • Organisations who we work with for fundraising events.
  • Security organisations.
  • Website hosting company.
  • Health and social welfare organisations.
  • Suppliers and service providers – to enable them to provide the service we have contracted them for.
  • We may share some information with our insurance providers if there is a serious incident.
  • Our regulators, OFSTED and CQC, Health and Safety Executive, NMC, DBS or other relevant professional bodies.
  • Financial organisations.
  • We may need to share information if there is an emergency.

Data Protection Impact Assessments

When using personal data in a new way or changing the way we use personal data, we conduct a Data Protection Impact Assessment to ensure the proposed change meets Data Protection Requirements and to help us to decide whether this change is a positive move. Our completed DPIAs can be made available should you wish to see how we ensure the software and processes we use are as safe as possible. Please contact us via [email protected] if you wish to view any of these documents.

How long do we keep your information?

We only keep your information for as long as we are required to do so by law. Our Retention and Destruction of Records Policy sets out how we securely destroy your data once it is no longer required, as well as how long we keep your information for.

How can you access and update your information

It is up to you how you want to hear from us and you can let us know at any time if you would like to change the way we send you information or update your information. You can request a copy of the data we hold on you, known as a Subject Access Request, by contacting our Data Protection Team at [email protected].

Your choices

You have a number of rights when it comes to the personal data that we have. You can:

  • Access and obtain a copy of your data on request – this is known as a subject access request (SAR)
  • Ask us to change incorrect or incomplete data – a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • Ask us to delete or stop processing your data (conditions apply to this) – this is the right to be forgotten and erasure (please see below)
  • Right to be informed via this privacy notice
  • Data Portability – data provided electronically in a commonly used format
  • The right to be forgotten and erasure of data does not apply to an individual’s health record or for public health purposes
  • Right to object – You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable.

Please discuss any concerns with the clinician treating you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.

If you do have any concerns about the way in which we are processing your personal information or wish to restrict the processing of your personal information, please contact our Data Protection Team in the first instance: [email protected]

If, following a review by the Data Protection Officer, you would like to make a complaint about the way that Hollybank is processing your personal information you can do so through the Information Commissioner’s Office on their website.