Privacy Notice

Caring Homes Group ("we", "us", "our") is committed to protecting and respecting your privacy. This privacy notice explains how we collect, use, and safeguard the personal data of our residents, their families, visitors, and other relevant individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We process various categories of personal data. The table below outlines these categories along with illustrative but not exhaustive examples of what each may include.

We process personal data to deliver our services, meet legal and regulatory requirements, and support operational effectiveness. The list below outlines our main purposes for processing.

1. Provision of Services: To deliver care, manage care plans, and ensure the wellbeing of residents.
2. Safety and Security: To safeguard residents, staff, and visitors, including the use of CCTV.
3. Communication: To keep residents, their families, and authorised individuals informed.
4. Billing and Administration: To manage contracts, handle financials, and process payments.
5. Regulatory Compliance: To comply with healthcare, data protection, and safeguarding laws.
6. Health and Safety: To provide a safe environment and comply with public health guidelines.
7. Research: To support studies that focus on enhancing health, care, and overall quality of life.
8. Service Improvement: To support quality assurance and improve operational efficiency.
9. Marketing: To share updates and promotional material about our services and events.
10. Job Applications: To manage recruitment processes and assess candidate suitability.
11. Digital Signage: To welcome and inform visitors of our care homes and offices.

We obtain personal data from a range of sources. The following table sets out these sources along with illustrative but not exhaustive examples of each.

We process personal data under the following lawful bases as per Article 6 of the UK GDPR.

• Consent: Clear, recorded permission from you to process your data for a particular purpose.
• Contract: To provide services both of us have agreed to.
• Legal Obligation: To comply with legal duties, such as safeguarding and data protection laws.
• Vital Interests: To protect an individual’s life or serious health.
• Public Interest: To carry out lawful tasks that benefit society, including research studies.
• Legitimate Interests: To improve service quality, ensure security, and support operations.

We process special category data under the following lawful bases as per Article 9 of the UK GDPR.

• Explicit Consent: Clear, recorded permission from you to process your sensitive personal data.
• Legal Claims or Judicial Acts: To establish, exercise, or defend legal rights.
• Public Interest: To protect the wider community, including through research studies.
• Health or Social Care: To provide care under professional duties and health standards.
• Public Health: To manage and prevent health risks, such as infections or outbreaks.

In rare cases, legal obligations or safeguarding requirements may override certain data protection rights, such as disclosing personal data without consent to support a legal investigation or protect an individual’s vital interests. In all such cases, we ensure disclosure is lawful and strictly necessary.

We only share personal data with third parties when necessary and always require that they, and any engaged sub-processors, comply with applicable data protection laws. This includes:

1. Healthcare Providers: To coordinate care and support treatment needs.
2. Local Authorities and Safeguarding Boards: To meet statutory obligations and reporting duties.
3. Regulatory Bodies: To comply with legal and regulatory inspections or audits.
4. Service Providers: To deliver IT, data, and operational services on our behalf.
5. Research Partners: When involved in approved health or social care research studies.
6. Law Enforcement or Legal Authorities: When required by law or to protect vital interests.
7. Website Analytics Providers: To improve website functionality and user experience.

Anonymised data cannot identify individuals, and pseudonymised data is protected by safeguards to prevent re-identification, in accordance with data protection laws.

Where appropriate, we use anonymised or pseudonymised data to minimize the amount of identifiable information, including for research, analytics, reporting, and operational purposes.

If your personal data is transferred outside the UK or EU, it is only to meet legal obligations or support the services we provide. In such cases, we rely on safeguards like Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms to protect your information in line with UK GDPR.

Certain types of personal data, such as health information, are classified as "special category data" under the UK GDPR. We handle this data with extra care and apply additional safeguards to prevent misuse, maintain confidentiality, and protect your privacy.

Individuals can choose not to share their confidential patient information beyond care and treatment, such as for research or planning, through the NHS National Data Opt‑Out, without affecting the services they receive.

For more information or to set your preference, visit https://www.nhs.uk/your-nhs-data-matters.

We apply robust technical and organisational measures to protect your data against unauthorised access, loss, or destruction. Data retention periods are based on the type of information and legal requirements, with sensitive information retained for only as long as necessary. Examples include:

We have appointed a Data Protection Officer (DPO) to oversee our compliance with data protection laws. They manage complaints, Data Subject Access Requests (DSARs), and personal data breaches. For all data protection queries, please contact them using the details below.

Caring Homes Group is a trading name used by several limited companies within our group, all registered with the ICO. Depending on the care home or services provided, these companies may act as individual data controllers. For more information, or to request a list of companies and ICO registration numbers, please contact us using the details below.

All our staff undergo mandatory data protection and information governance training, which is renewed annually. This maintains our commitment to processing your personal data responsibly, securely, and in compliance with applicable laws.

You have the following rights concerning your personal data. For example:

• Access: Request a copy of the personal data we hold, such as care records or CCTV footage.
• Rectification: Ask us to correct any inaccurate or incomplete information.
• Erasure: Request deletion of your data, subject to legal obligations.
• Restriction: Request that we limit the processing of your personal data.
• Portability: Obtain a copy of your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or direct marketing.
• Withdrawal: Withdraw consent to processing your personal data at any time.

To exercise these rights, please contact our DPO using the details above. If you are not satisfied with our response, you may lodge a formal complaint with the Information Commissioner’s Office (ICO).

We are committed to making this privacy notice accessible to everyone. If you require an alternative format, such as large print, Braille, or audio, please contact us using the details above. We will accommodate requests where reasonably practicable.

This privacy notice is reviewed regularly to ensure it remains accurate and compliant with legal requirements. Updates will be made as necessary to reflect changes in our practices or legal obligations and will be communicated through our website or other appropriate means.