VCare24 Global Privacy Policy
Key Information
VCare24 respects your right to privacy. We put in place security measures for your personal data and manage your personal data in accordance with applicable data privacy regulations. Please note that VCare24 is the Data Controller of your personal data. The principles set out in this Privacy Notice apply to all instances in which VCare24 receives your personal data as a Data Controller for the purposes described in this notice. Those purposes are processing of data to participate in the various activities available on this website or as mentioned below.
If you have any requests concerning your personal data or any queries with regard to these practices, please contact VCare24 using the contact details given in Paragraph 5 below.
Personal data which VCare24 collects through this website and how VCare24 collects it
You can provide your personal data if you wish. We only collect personal data that YOU want to provide to us or that is needed to provide (and improve) our service to you. We collect personal data directly such as name, age, gender, address and e-mail address as well as connection and system information. The legal basis for the processing of your personal data is your consent and/or any other applicable legal basis, such as our legitimate interest in engaging in commerce and offering products and services of value to you. Any consent you provide may be withdrawn at any time by following the contact methods listed in Paragraph 5. You may want to give us your e-mail address, name, telephone number etc. so that we can provide you with information on our products/Services; respond to your questions or comments. Some website functionality may be unavailable to users who do not provide their data, or who do not consent to the use of Cookies and similar technologies on this site. Additionally, if you choose not to provide your personal data, we will not be able to provide you with our products or services or with other support or responses.
VCare24 security measures
VCare24 takes security measures in line with data protection regulations. VCare24 has security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to the data. Only authorised VCare24 employees and authorised employees of our Third-Party service providers (a list of such providers is available on request) have access to your personal data. All VCare24 employees who have access to your personal data are required to adhere to the VCare24 Privacy Notice and all third-party service providers are requested by VCare24 to ensure that any of their employees who have access to your personal data have signed non-disclosure agreements. In addition, contracts are in place with such third -party service providers acting as data processors for VCare24 that have access to your personal data, to ensure that the level of security required in your jurisdiction is in place, and that your personal data is processed only as instructed by VCare24.
How VCare24 uses your personal data
Your personal data will only be used for the purposes for which you provided it to VCare24, as indicated to you at the time you provided your personal data. It will also be used to administer, support and obtain feedback on the level of our services, to help prevent breaches of security, the law or our contract terms. It may also be disclosed, including a disclosure to entities based outside the European Economic Area (EEA), to third parties (as part of the information generally contained in business) in the event of a sale of the business, or a reorganisation of the business, or as otherwise required or permitted by law or applicable regulator.
Who VCare24 discloses your personal data to and why
VCare24 will never share your personal data with any Third-Party (i.e a party other than an entity within the VCare24 Group) business organisation that intends to use it for their own purposes, other than as required by law. VCare24, may transfer or disclose your personal data to another data controller in the VCare24 Group to be used for similar purposes, at its discretion, and you hereby consent to such transfer or disclosure. If your personal data is transferred or disclosed to another data controller within the VCare24 Group, that other data controller shall have the same rights and obligations with regard to your personal data as VCare24. With your consent, VCare24 may share your personal data with Third-Parties (i.e. parties other than entities within the VCare24 Group) such as those who assist us in providing the products and services and who perform technical operations, but only in the strictly limited circumstances set out below:
Our Third-Party Data Processors (service providers such as our fulfilment and activation partners and digital agencies, hosting providers, data storage providers and other technical partners) who help us administer this website, or process the data submitted to it, may have access to your data. Some of these business partners may be located outside the country where you accessed this website.
Your rights
You have the right to ask VCare24 to provide you with all the information it stores on you. If you wish to access your personal data you can contact the data controller. You have the right to ask VCare24 to rectify, block, complete and delete your personal data, to restrict its use, and to port your data to another organisation. You have the right to request additional information about the handling of your personal data. You also have the right to object to the processing of your data by VCare24 in some circumstances and, where we have asked for consent to process your data, to withdraw this consent. Additionally, you may contact our Data Protection Officer.
There are exceptions to these rights, however. For example, access to personal data may be denied in some circumstances if making the information available would reveal personal information about another person or if VCare24 is legally prevented from disclosing such information. In addition, VCare24 may be able to retain data even if you withdraw your consent, where VCare24 can demonstrate that it has a legal requirement to process your data.
Countries your personal data will be sent to and why
VCare24 is a UK based company, and your personal data may be transferred across international borders in order for us to provide services and support to you. It may be transferred to countries that have different levels of data protection laws to the country from where you submitted your personal data. VCare24 (as Data Controller and Data Processor) has, where local data protection regulations so require, put in place security measures for the export of personal data from its jurisdiction. Where local data protection regulations so require, VCare24 has made arrangements with entities receiving your personal data such as VCare24 or Third-Party Data Processors, that they shall ensure that security measures are in place and that your personal data is processed only in accordance with UK Data Protection laws. If data is transferred from within the EEA to a jurisdiction outside the EEA, it is done so under a Data Transfer Agreement, which contains standard data protection contract clauses. The European Commission has adopted standard data protection contract clauses (known as the Model Clauses), which provide safeguards for personal information that is transferred outside of Europe.
The server that makes this website available may be located outside the country from which you have accessed this website. The provider of this website is bound by a contract that ensures your data is managed in accordance with EU Data Protection laws and that it acts only on VCare24 instructions and implements all technical measures necessary on an ongoing basis to keep your personal data secure.
How and why VCare24 uses Cookies and other similar technologies
VCare24 does make use of Cookies, which are small text files that are placed on your computer by websites that you visit or certain emails you open and other similar technologies such as Flash Cookies and web beacons. Such technologies are widely used in order to make websites work or work more efficiently, as well as to provide business and marketing information to the owners of the site, to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP etc. for the purpose of understanding how visitors use this website. Cookie and similar technologies help us tailor this website to your personal needs. This type of information obtained through cookies will not be disclosed outside VCare24 or our authorized Third-Party Data Processors. It will not be used for unsolicited communications.
Cookies located on your computer do not contain your name but an IP address. In many cases, after the user’s session is cancelled the information contained in the cookies is no longer available to VCare24. Please ensure that your computer setting reflects whether you are happy to accept cookies or not. You can set your browser to warn you before accepting cookies or you can simply set it to refuse them, although you may not have access to all the features of the website if you do so. See your browser “Help” button for how you can do this. Some Flash Cookies may not be affected by such settings. You do not need to have cookies on to use or navigate through many parts of this and other VCare24 websites. Remember that if you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.
Changes to the terms of this Privacy Policy
VCare24 will occasionally make changes and corrections to this Privacy Policy. We will also give you the opportunity to consent to these material changes. Changes will be effective upon the posting of the changes and your acceptance of the changes, which may be through your continued use of the site or our services after the changes take effect.
Retention of your personal data
VCare24 will retain your information only for as long as is necessary for the purposes set out in this policy. VCare24 will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, and enforce our agreements. We also retain log files for internal analysis purposes. These log files are generally retained for a short period of time, except where they are used for website security, to improve website functionality, or we are legally obligated to retain them for longer time periods.
Records Retention
Information is to be categorised under a specific record type to ensure the business function/unit using the data is identified. Combined with our retention schedule based on these categories, this forms part of our GDPR requirements to keep records of processing of personal data and special categories of personal data. (See also GDPR ROPA)
Record Categories
Record Type |
Comments |
Common Records |
Assets that exist under all business units such as meeting minutes, policies and procedures, etc. |
A: Employee Records and Management |
Employee data and information, sickness, absence, contracts, performance, workplace records, recruitment, payroll, staff feedback, surveys, etc. |
B: Financials |
Budgets, financial reports, invoices, bank statements, pensions, payroll, etc. |
C: Purchasing and Tenders |
Tender files, quotations, contracts, etc. |
D: Facilities |
Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests, etc. |
E: Organisational Management |
Business plans, strategic planning, BCP, disaster recovery, projects, audits, risk management, etc. |
F: Corporate Governance |
Statutory communications, OFSTED/CQC/NHS reports, inspection reports, certificates, certifications, reg 40 reports, incident reports, physical intervention reports, etc. |
G: Public Communications |
Website blog posts, social media posts, intranet posts, etc. |
H: IT/IS |
System documentation, configuration management. |
I: Business Intelligence Reporting |
Transport, IT, Facilities SLA, service metrics, ticket reports, etc. |
J: Information Management |
Data lakes, data registers, DPO items (DSAR Requests), company policies, incident logs. |
K: Legal |
Legal requests, litigation, inquiry papers, legal advice. |
L: Young Person Residential Records |
Referral, placement documentation, IPA’s, contracts, placement notifications, etc. |
M: Service User Transport Records |
Booking forms, risk assessments, observation logs, etc. |
N: Other |
Records that do not fit in any other category but still require retention and disposal. |
Schedule of Retention
The schedule of retention includes 9 columns setup as follows:
Record Type
References the category and/or business unit related to.
Title
Summary of the data
Examples
Brief examples as to what kind of file, type or system. This is not an exhaustive list.
Retention
The period of time where the records are required to be reviewed and either destroyed, purged or retention extended. Records may not be destroyed in line with this retention schedule of there is an overriding reason for retention, an ongoing investigation, legal request, etc.
Personal Data
Identifies if the record contains personal data. Personal Data examples include Name, address, personal email, contact information, bank information, etc.
Legal basis for processing personal data
Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores personal information.
Special category personal data
Identifies records containing special category personal data. Special category personal data examples include racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual and criminal offences.
Legal basis for processing special category personal data
Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores special category personal information.
Schedule
Record Type |
Title |
Examples |
Retention |
Personal Data |
Legal basis for processing personal data |
Special category Personal Data |
Legal basis for processing special category personal data |
Common Record |
Staff contact details |
Staff profiles, Azure/M365 profile pictures, databases of staff names. |
Whilst employed by VCare24 |
Yes |
Contract of employment |
No |
N/A |
Common Record |
Org structure |
Org chart |
Whilst correct and relevant |
Yes (Names only) |
Contract of employment |
No |
N/A |
Common Record |
Internal meetings |
Minutes, agendas, follow up email threads. |
2 Years |
No |
Contract of employment |
No |
N/A |
Common Records |
External meetings |
Minutes, agendas, follow up email threads. |
2 Years |
Yes |
Business operations, contracts. |
Yes |
Business operations, contracts. |
Common Records |
Policies |
Internal policies and procedures |
Indefinitely |
No |
N/A |
No |
N/A |
Common Records |
Internal knowledgebase and documentation |
SSP Portal, Procedures documents |
Until superseded |
No |
N/A |
No |
N/A |
Common Records |
Expenses |
Receipts, expense forms, milage. |
7 Years |
Yes |
Business operations |
No |
N/A |
Common Records |
Questionnaires/Forms |
Staff feedback, surveys. |
Destroy once analysed |
Yes but varies |
Consent |
Yes but varies |
Consent |
Common Records |
Questionnaire/Forms analysis |
Processed response data for BI |
Retain until superseded or no longer accurate |
No |
N/A |
No |
N/A |
A: Employee Records and Management |
Staff absence records |
Sick notes, fit notes, absence records, leave, special leave |
Duration of employment + 7 Years |
Yes |
Legal obligation |
Yes |
Employment rights |
A: Employee Records and Management |
Medical/self certifications |
Medical declarations, certs. Unrelated to work related injury |
4 years |
Yes |
Legal obligation |
Yes |
Employment rights |
A: Employee Records and Management |
Staff annual leave |
Leave requests, remaining leave, approved and rejected requests |
2 years |
Yes |
Legal obligation |
Yes |
Employment rights |
A: Employee Records and Management |
DBS Checks Results |
Results include positive or negative DBS, any disclosures. |
Duration of employment + 7 Years |
Yes |
Legal obligation |
Yes |
Legal obligation |
A: Employee Records and Management |
Employment staff file (Physical) |
Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc. |
Until electronic file completed then destroyed |
Yes |
Legal obligation |
Yes |
Legal obligation |
A: Employee Records and Management |
Employment staff file (Electronic) |
Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc. |
Duration of employment + 7 Years |
Yes |
Legal obligation |
Yes |
Legal obligation |
A: Employee Records and Management |
Disciplinary files |
Disciplinary letters, invites, meeting notes, case logs. |
Duration of employment + 7 Years |
Yes |
Legal obligation |
Yes |
Legal obligation |
A: Employee Records and Management |
Staff performance management |
Personal reviews, personal development plans |
Duration of employment + 7 Years |
Yes |
Contract of employment |
Yes |
Employment rights and assessment of working capacity. |
A: Employee Records and Management |
Staff training |
Training plans, courses, certs. |
Duration of employment + 7 Years |
Yes |
Contract of employment |
No |
N/A |
A: Employee Records and Management |
Other |
Meeting notes, other documents, etc. |
Duration of employment + 7 Years |
Yes |
Contract of employment |
No |
N/A |
B: Financials |
Budgets, Financial reports, Invoices, bank statements |
Debit, card statements |
10 years |
No |
Business operations |
No |
N/A |
B: Financials |
Pensions |
NEST letters, pension payment details |
Duration of employment + 6 Years |
Yes |
Business operations/ Contract of employment |
No |
N/A |
B: Financials |
Payroll |
Payslips, P45’s, P60’s. |
Duration of employment + 6 Years |
Yes |
Business operations/ Contract of employment |
No |
N/A |
C: Purchasing and Tenders |
Tender files, quotations, contracts |
Tender contracts, documents, email chains. |
5 years (so long as operationally relevant) |
No |
N/A |
No |
N/A |
D: Facilities |
Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests |
Assessment forms, results spreadsheets, Halo tickets. |
5 years (so long as operationally relevant) |
No |
Business operations, health and safety |
No |
N/A |
E: Organisational Management |
Business plans, strategic planning |
Reports and plans, word documents, pdf documents. |
Indefinite |
No |
N/A |
No |
N/A |
E: Organisational Management |
BCP, disaster recovery |
Reports and plans, word documents, pdf documents. |
Indefinite |
No |
N/A |
No |
N/A |
E: Organisational Management |
Projects, audits, risk management |
Reports and plans, word documents, pdf documents. |
Indefinite |
No |
N/A |
No |
N/A |
F: Corporate Governance |
Statutory communications |
Reports and plans, word documents, pdf documents. |
Indefinite |
No |
N/A |
No |
N/A |
F: Corporate Governance |
OFSTED/CQC/NHS reports, inspection reports |
Reports and plans, word documents, pdf documents. |
Indefinite |
No |
N/A |
No |
N/A |
F: Corporate Governance |
Certificates, certifications |
|
Indefinite |
No |
N/A |
No |
N/A |
F: Corporate Governance |
Reg 40 reports |
Reg 40 |
Indefinite |
No |
N/A |
No |
N/A |
F: Corporate Governance |
Incident reports, physical intervention reports |
Incident logs, CCTV of incidents, witness statements |
Indefinite |
Yes |
N/A |
No |
N/A |
G: Public Communications |
Website blog posts, social media posts, intranet posts |
Facebook, Instagram, WordPress posts. Blog updates. |
Indefinite (so long as operationally relevant) |
No |
N/A |
No |
N/A |
H: IT/IS |
System documentation |
Halo Knowledgebase, IT Procedures and Documentation Word, PDF docs, etc. |
5 years (so long as operationally relevant) |
No |
N/A |
No |
N/A |
H: IT/IS |
Configuration management |
Scripts, deployment tools, interfaces such as Intune |
5 years (so long as operationally relevant) |
No |
N/A |
No |
N/A |
I: Business Intelligence Reporting |
Transport, IT, Facilities SLA Metrics |
Ticket SLA targets and goals hit. |
5 years |
No |
N/A |
No |
N/A |
I: Business Intelligence Reporting |
Transport, IT, Facilities, service metrics |
Ticket average time taken, milage, vehicle usage, staff utilisation, etc. |
5 years |
No |
N/A |
No |
N/A |
I: Business Intelligence Reporting |
Ticket reports |
Transport ticket exports, IT ticket exports, etc. |
7 years |
Yes |
Business operations |
Yes |
Results may contain special data which will be used in line with Privacy Notice and GDPR. |
J: Information Management |
Data lakes |
M365 Storage, Druva |
Indefinite |
N/A |
N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may. |
N/A |
N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may. |
J: Information Management |
Data registers |
Information Asset Register, Asset log within HaloITSM |
Indefinite |
No |
N/A |
No |
N/A |
J: Information Management |
DPO items (DSAR Requests) |
Subject access requests |
Indefinite |
Yes |
To perform DSAR request |
No |
Results may contain special data but this is not retained once provided to the requestor. |
J: Information Management |
Company policies |
Contract of employment, staff policies, etc. |
5 years (so long as operationally relevant) |
No |
N/A |
No |
N/A |
J: Information Management |
Incident logs |
Incident reports, CCTV of incidents, risk assessments, witness statements. |
7 years |
Yes |
Business operations, Health and Safety |
Yes |
If this is contained within an incident log: Health and Safety legislation. |
K: Legal |
Legal requests |
Legal service. |
7 years |
Yes |
Legal obligations, complying with orders. |
No |
N/A |
K: Legal |
Litigation |
Legal notices, emails, letters. Memos. |
7 years |
Yes |
Legal obligations, complying with orders. |
No |
N/A |
K: Legal |
Inquiry papers |
Inquiry documents, paperwork, letters, emails, memos. |
7 years |
Yes |
Legal obligations, complying with orders. |
No |
N/A |
K: Legal |
Legal advice |
Communications with courts, solicitors, letters, emails, memos etc |
7 years |
Yes |
Legal obligations, complying with orders. |
No |
N/A |
L: Young Person Residential Records |
Referrals |
Referrals mailbox emails, residential documentation, RM mailboxes. |
7 years |
Yes |
Provision of care |
Yes |
Provision of care |
L: Young Person Residential Records |
Placement documentation |
Referrals mailbox emails, residential documentation, RM mailboxes. |
7 years |
Yes |
Provision of care |
Yes |
Provision of care |
L: Young Person Residential Records |
Contracts, IPA’s |
Referrals mailbox emails, residential documentation, RM mailboxes. |
7 years |
Yes |
Business operation |
Yes |
Provision of care |
L: Young Person Residential Records |
Placement notifications |
Referrals mailbox emails, residential documentation. |
7 years |
Yes |
Provision of care |
Yes |
Provision of care |
M: Service User Transport Records |
Booking forms |
Patient basic information, collection and drop off address, NHS number, contact details. |
7 years |
Yes |
Patient details for |
Yes |
Patient/employee safety and care |
M: Service User Transport Records |
Risk assessments |
Risk of violence, COVID, absconding, etc. |
7 years |
Yes |
Records of patient care |
Yes |
Patient/employee safety and care |
M: Service User Transport Records |
Observation logs |
Logs of events, incidents, etc during transport, collection and drop off of patiens. |
7 years |
Yes |
Records of patient care |
Yes |
Patient/employee safety and care |
N: Other |
Records that do not fit in any other category but still require retention and disposal. |
N/A |
Decided on case by case basis in line with GDPR and applicable laws and regulations |
N/A |
Business Operations |
N/A |
N/A |
How to contact VCare24
If you have any questions about this Privacy Notice or our data collection practices, please contact us at the address, or email listed below and the nature of your question:
Please write to:
VCare24
Unit 10, Halifax Way
Pocklington Industrial Estate
YO42 1NP