Privacy Statement for Business Contacts

At Barchester Healthcare we are committed to protecting your personal data and handling it responsibly. Our Privacy Statement for Business Contacts explains how we collect and manage your data. 

October 2024

1. WHAT IS THE PURPOSE OF THIS PRIVACY STATEMENT?

1.1    Under the UK GDPR and Data Protection Act 2018, we are required to explain to you why we collect your information, how we intend to use that information and whether we will share this information with anyone else. This statement applies to all prospective, current and former business contacts.

1.2    It is important that you read this Privacy Statement for Business Contacts so that you know how and why we use your information. It is also important that you inform us of any changes to the personal information we hold about you so that the information is accurate and up to date. We may update this Privacy Statement for Business Contacts at any time.

2. WHO ARE WE?

2.1    We are Barchester Healthcare Homes Limited (Barchester), a company registered in England and Wales under company number 02849519 and with our registered office at 3rd Floor, The Aspect, Finsbury Square, London, United Kingdom, EC2A 1AS.

2.2    Barchester is the "Data Controller" for the information which we hold about you. This means that we are responsible for deciding how and why we hold your personal information.

3. OUR DATA PROTECTION OFFICER

3.1    Our Data Protection Officer (DPO) is responsible for overseeing what we do with your information and monitoring our compliance with the Data Protection Laws.

3.2    Our DPO is Michael O’Reilly who is assisted by the Legal Team. If you have any concerns or questions about our use of your personal data, you can raise these by emailing dpo@barchester.com or writing to Data Protection Officer, 3rd Floor, The Aspect, Finsbury Square, London, United Kingdom, EC2A 1AS. Alternatively, if you wish to make contact but are unable to use any of the above methods, please contact your local General Manager or Hospital Manager who will be able to put your queries forward to the team.

4. TYPES OF PERSONAL INFORMATION WE USE AND OUR LAWFUL BASIS FOR DOING SO

4.1    We process your personal information for a number of reasons which are relevant to our business relationship with you/your organisation, including planning and administering our relationship with you/your organisation (such as entering into and performing a contract, ordering products or services, billing and processing payments and auditing) and for the purposes of resolving disputes (such as enforcing contractual arrangements, entering into dispute resolution processes and establishing, exercising or defending legal claims).

4.2    In accordance with the Data Protection Laws, we need a lawful basis for collecting and using information about you. These lawful bases are set out in Article 6 of the UK GDPR and, depending on the type of data, may require reliance on additional safeguards set out in Articles 9 and 10 of the UK GDPR and within the Data Protection Act 2018.

Standard personal data:

4.3    We will process standard personal data about you. Please refer to the Appendix to see the types of data we might process about you.
4.4    Our Article 6 GDPR lawful basis for processing this type of data will depend on the circumstances, but will include the following (as appropriate):

4.4.1    You have given us clear consent to process your personal data (in the circumstances where consent is the only available lawful basis) (Article 6(1)(a) of the UK GDPR); or
4.4.2    It is necessary for the performance of our contract with you (Article 6(1)(b) of the UK GDPR); or
4.4.3    It is necessary to meet legal / regulatory obligations (Article 6(1)(c) of the UK GDPR); or
4.4.4    It is necessary for our legitimate interests (where they are not overridden by your rights) (Article 6(1)(f) UK GDPR).


Special categories of personal data:

4.5    Some of the information which we may process about you will be “special category personal data” and criminal activity data. Special category personal data and criminal activity data (see further below) require a greater level of protection than standard personal data. Please refer to the Appendix to see the types of special category personal data and criminal activity data we might process about you.

4.6    Our Article 6 GDPR lawful basis for processing this type of data will depend on the circumstances, but will include the following (as appropriate):

4.6.1    You have given us consent to process your personal data (in the circumstances where consent is the only available lawful basis) (Article 6(1)(a) of the UK GDPR); or
4.6.2    It is necessary for the performance of our contract with you (Article 6(1)(b) of the UK GDPR); or
4.6.3    It is necessary to meet legal / regulatory obligations (Article 6(1)(c) of the UK GDPR); or
4.6.4    It is necessary to protect your life (Article 6(1)(d) of the UK GDPR); or
4.6.5    It is necessary for our legitimate interests (where they are not overridden by your rights) (Article 6(1)(f) UK GDPR).
4.7    We also require an Article 9 UK GDPR basis and must meet other additional conditions specified within the Data Protection Act 2018 to process this type of data.  

Criminal activity data:

4.8    We may process information about you in relation to details of criminal activity in relation to proven and unproven criminal offences (including allegations of criminal activity, investigations into criminal activity, details of proceedings and outcomes of proceedings). Please refer to the Appendix for more details of the data we might process about you.

Our Article 6 GDPR lawful basis for processing this type of data will depend on the circumstances, but will include the following (as appropriate):

4.8.1    You have given us consent to process your personal data (in the circumstances where consent is the only available lawful basis) (Article 6(1)(a) of the UK GDPR); or
4.8.2    It is necessary for the performance of our contract with you (Article 6(1)(b) of the UK GDPR); or
4.8.3    It is necessary to meet legal / regulatory obligations (Article 6(1)(c) of the UK GDPR); or
4.8.4    It is necessary for our legitimate interests (where they are not overridden by your rights) (Article 6(1)(f) UK GDPR).
4.9    We also require an additional Article 10 UK GDPR condition for processing this type of data, and must meet other additional conditions specified within Schedule 1 of the Data Protection Act 2018 to process this type of data. 

5. SOURCE OF YOUR PERSONAL INFORMATION

5.1    The information described at section 4 which we collect about you will be obtained through a variety of sources which may include:

5.1.1    from you directly as part of our business relationship;
5.1.2    from other members of your organisation; 
5.1.3    from publicly available resources/information which you have otherwise made public; 
5.1.4    from your authorised representatives (such as your solicitors/auditors); 
5.1.5    from third parties such as safeguarding authorities / commissioning bodies and Integrated Care Boards / other regulators (such as the Nursing and Midwifery Council and the Information Commissioner’s Office) (and in some circumstances, their professional advisors or authorised representatives), external healthcare providers, from the Police and other law enforcement agencies (for example, the Home Office), the courts, the Office of the Public Guardian and coroners;
5.1.6    from other entities/persons which fall outside of this list which is made known to us in respect of our business relationship; and 
5.1.7    Because circumstances are variable and change with time there may in some instances be situations outside the list above and we regularly review our Privacy Statement for Business Contacts to assess whether any updates are required.

6. COMPLYING WITH DATA PROTECTION LAW

6.1    We will comply with the Data Protection Laws when using your personal information. At the heart of the Data Protection Laws are the data protection principles (Article 5(1) of the UK GDPR) which say that the personal information we hold about you must be:

6.1.1    processed lawfully, fairly and in a transparent way;
6.1.2    collected only for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes;
6.1.3    adequate and relevant to the purposes we have told you about and limited only to those purposes;
6.1.4    accurate and, where necessary, kept up to date;
6.1.5    kept only as long as necessary for the purposes we have told you about; and
6.1.6    processed in a manner that ensures appropriate security.

7. SHARING YOUR INFORMATION

7.1    We will share your personal information with third parties where we have a lawful basis for doing so.

7.2    The types of organisations/persons we may share your personal data with are as follows:

7.2.1    emergency services, such as ambulance services (for example, if there is a medical emergency relating to you when visiting our premises);
7.2.2    other organisations involved with a sale or transfer of services;
7.2.3    safeguarding authorities / commissioning bodies and Integrated Care Boards / other regulators (such as the Nursing and Midwifery Council and the Information Commissioner’s Office) (and in some circumstances, their professional advisors or authorised representatives);
7.2.4    the Police and other law enforcement agencies (for example, the Home Office), the courts, the Office of the Public Guardian and coroners.
7.2.5    IT service providers: we may use external IT or software providers who may have access to your personal data from time to time as is necessary to perform their services.
7.2.6    auditors / professional advisors (including solicitors and insurers).

8. TRANSFERRING INFORMATION OUTSIDE OF THE UK AND THE EUROPEAN ECONOMIC AREA (EEA)

8.1    We strive to ensure that any data necessary to be shared with the companies we work with (i.e. our supply chains) remains within the UK or the EEA in the first instance. However, some companies that provide services to us are located in, or run their services from, countries outside of these areas and resultantly, on occasion, your personal data may be transferred to countries outside of these areas.

9. CAN WE USE YOUR INFORMATION FOR ANY OTHER PURPOSE?

9.1    We typically will only use your personal information for the purposes for which we collect it. It is possible that we will use your information for other purposes as long as those other purposes are compatible with those set out in this Privacy Statement for Business Contacts. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

10. STORING YOUR INFORMATION AND DELETING IT

10.1    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We will only retain your personal information in line with periods calculated using such criteria and in consideration of how long it is reasonable to keep records to show we have met the obligations we have to you and by law, any time limits for making a claim, any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations.

10.2    In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. 

11. YOUR RIGHTS

11.1    Under certain circumstances, you have the right to:
11.1.1    Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. 
11.1.2    Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
11.1.3    Request erasure of your personal information in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
11.1.4    Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) or public interest as our lawful basis for processing and there is something about your particular situation which leads you to object to processing on this ground. You also have the right to object if we are processing your personal information for direct marketing purposes.
11.1.5    In the limited circumstances where we are relying on your consent as our lawful basis to process your data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. If you withdraw your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another lawful basis for doing so.
11.1.6    Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
11.1.7    Request the transfer of your personal information to another party in certain circumstances.

11.2    If you wish to exercise any of the above rights, please contact our Data Protection Officer whose details are set out in Section 3.

12. AUTOMATED DECISION MAKING

12.1    You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

13. RIGHT TO COMPLAIN TO THE ICO

13.1    You have the right to complain to the Information Commissioner's Office (the "ICO") if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or ico.org.uk.

14. CHANGES TO THIS PRIVACY STATEMENT

14.1    We reserve the right to update this Privacy Statement for Residents/Patients at any time where appropriate.

APPENDIX

1. The standard personal data we may process about you includes:

-    personal details (such as your name and job role within your organisation and other basic details which may be relevant to our business relationship);

-    your contact details (such as your business address, telephone number, and email address) so that we can communicate with you about products, services and projects, including responding to any requests;

-    records of communications that we have had with you or information created about you in the course of our business relationship with you (for example, details of any complaints you have raised);

-    security information images/audio of you (such as CCTV footage etc.) should you enter one of our premises, in order to ensure public safety i.e. the safety and security of our residents and employees and those who visit our premises, as well as identify and help to deter criminal activity (such as vandalism/damage to the property and theft) and create an overall secure living environment for our residents/patients, and working environment for our employees;

-    any other information which you, or another person/organisation, volunteers to us in relation to you or our business relationship which is necessary for us to be aware of; and

-    because circumstances are variable and change with time, there may in some instances be situations outside the list above, and we regularly review our privacy statements to assess whether any updates are required.

2.     It is unlikely that we would process any special category personal data about you. However, in the event that we do, this will be limited to the lawful basis set out in section 4 of this Privacy Statement for Business Contacts, and may include the following information:

-    information about your racial or ethnic origin;

-    information about your religious beliefs;

-    information about your sex life and sexual orientation and political opinions;

-    trade union membership (in order to make trade union premiums); and

-    information about your health, including any disabilities or special requirements which you may have in order to enter one of our premises (for example, where you are attending our premises for a business meeting and require a reasonable adjustment to be made) and vaccination status (in order to ensure your health and safety and the health and safety of those within the premises).

3.     It is unlikely that we would process any criminal activity data about you. However, in the event that we do, this will be limited to the lawful basis set out in section 4 of this Privacy Statement for Business Contacts, and may include the following information: allegations of criminality, investigations and proceedings. We will only process this type of information if it is appropriate and relates to our business relationship, or may impact on our duty of care towards our employees or the protection of our residents. This is because we have a duty of care to the people we employ and those who reside within our homes and are obliged to protect our employees/residents from the risk of assault, abuse, theft or possession or any other detriment.