VCare24 Global Privacy Policy

Change Log

| Version | Date | Changes | Reviewed By |
|---|---|---|---|
| 1.0 | 05/05/2022 | Initial Release | DPO |
| 1.1 | 13/09/2023 | Annual Review. | DPO |
| 1.2 | 12/03/2024 | Annual Review. | DPO |
| 1.3 | 30/04/2025 | Annual review. Added changelog. Added use of AI, GAN and similar systems. Added clarifications around VCare Group of companies. | DPO |

Key Information

VCare24 respects your right to privacy. We put in place security measures for your personal data and manage your personal data in accordance with applicable data privacy regulations. Please note that VCare24 is the Data Controller of your personal data. The principles set out in this Privacy Notice apply to all instances in which VCare24 receives your personal data as a Data Controller for the purposes described in this notice. Those purposes are processing of data to participate in the various activities available on this website or as mentioned below.

If you have any requests concerning your personal data or any queries with regard to these practices, please contact VCare24 using the contact details given in Paragraph 5 below.

Personal data which VCare24 collects through this website and how VCare24 collects it

You can provide your personal data if you wish. We only collect personal data that YOU want to provide to us or that is needed to provide (and improve) our service to you. We collect personal data directly such as name, age, gender, address and e-mail address as well as connection and system information. The legal basis for the processing of your personal data is your consent and/or any other applicable legal basis, such as our legitimate interest in engaging in commerce and offering products and services of value to you. Any consent you provide may be withdrawn at any time by following the contact methods listed. You may want to give us your e-mail address, name, telephone number etc. so that we can provide you with information on our products/services and respond to your questions or comments. Some website functionality may be unavailable to users who do not provide their data, or who do not consent to the use of Cookies and similar technologies on this site. Additionally, if you choose not to provide your personal data, we will not be able to provide you with our products or services or with other support or responses.

Personal data which VCare24 collects through other systems

Alongside our website, VCare24 may also collect or require submission of personal data in order to fulfil a contract or service with you. Your data is processed in line with this privacy policy under the legislation and regulations applicable to the UK, namely the DPA 2018. The legal basis for the processing of your personal data is your consent and/or any other applicable legal basis, such as our legitimate interest in engaging in commerce and offering products and services of value to you. Any consent you provide may be withdrawn at any time by following the contact methods listed.

Residential Support Services

VCare Residential provides care and other services to local authorities and other professional services. As part of these services we are required to collect and process children’s information including but not limited to name, DOB, healthcare information, criminal convictions and other sensitive information. Under the general data protection regulations strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can gain access. This applies to the use of technology and paper files.

VCare24 will act as a joint data controller alongside VCare Residential and a data processor in relation to our services for Residential Support. Your information will be processed and retained in line with VCare24 Information Security policies alongside any requirements from you as a customer or an agreement/contract, for example Local Authority Tenders.

Secure Transport Services

VCare24 provides secure transport and other services to local authorities, NHS, Police and other professional services. As part of these services we are required to collect and process children’s and adults’ information including but not limited to name, DOB, healthcare information and other sensitive information. Under the general data protection regulations strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information will be stored within electronic records. All our records are restricted so that only those individuals who have a need to know the information can gain access. This applies to the use of technology and paper files.

VCare24 will act as a data processor in relation to our services for Secure Transport. Your information will be processed and retained in line with VCare24 Information Security policies alongside any requirements from you as a customer or an agreement/contract, for example NHS Tenders, Police Booking, etc.

Business Support Services

VCare24 maintains a business relationship with other group companies, those being The Becklands School, Becklands Land Based Outdoor trading as Millbrook Horizons, VCare Residential, VCare Alliance, VCare Training Solutions, VMDM and Workplace Bereavement Advocacy. VCare24 provides Business Support Services including but not limited to IT, Finance and HR functions. To provide these services, VCare24 will process your information in line with this privacy policy and any agreements with the other group company. For further information, please see our Employee Privacy Notice.

VCare24 will act as a joint data controller along with the other group company in this instance. Your information will be processed and retained in line with VCare24 Information Security policies.

VCare24 security measures

VCare24 takes security measures in line with data protection regulations. VCare24 has security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to the data. Only authorised VCare24 employees and authorised employees of our Third-Party service providers (a list of such providers is available on request) have access to your personal data. All VCare24 employees who have access to your personal data are required to adhere to the VCare24 Privacy Notice and all third-party service providers are requested by VCare24 to ensure that any of their employees who have access to your personal data have signed non-disclosure agreements. In addition, contracts are in place with such third-party service providers acting as data processors for VCare24 that have access to your personal data, to ensure that the level of security required in your jurisdiction is in place, and that your personal data is processed only as instructed by VCare24.

How VCare24 uses your personal data

Your personal data will only be used for the purposes for which you provided it to VCare24, as indicated to you at the time you provided your personal data. It will also be used to administer, support and obtain feedback on the level of our services, to help prevent breaches of security, the law or our contract terms. It may also be disclosed, including a disclosure to entities based outside the European Economic Area (EEA), to third parties (as part of the information generally contained in business) in the event of a sale of the business, or a reorganisation of the business, or as otherwise required or permitted by law or applicable regulator.

Who VCare24 discloses your personal data to and why

VCare24 will never share your personal data with any Third-Party (i.e. a party other than an entity within the VCare24 Group) business organisation that intends to use it for their own purposes, other than as required by law. VCare24 may transfer or disclose your personal data to another data controller in the VCare24 Group to be used for similar purposes, at its discretion, and you hereby consent to such transfer or disclosure. In some instances, VCare24 may act as a joint data controller along with other entities; these other entities can be inside or external to the VCare Group of companies. If your personal data is transferred or disclosed to another data controller within the VCare24 Group, that other data controller shall have the same rights and obligations with regard to your personal data as VCare24. With your consent, VCare24 may share your personal data with Third-Parties (i.e. parties other than entities within the VCare24 Group) such as those who assist us in providing the products and services and who perform technical operations, but only in the strictly limited circumstances set out below:

Our Third-Party Data Processors (service providers such as our fulfilment and activation partners and digital agencies, hosting providers, data storage providers and other technical partners) who help us administer this website, or process the data submitted to it, may have access to your data. Some of these business partners may be located outside the country where you accessed this website.

Your rights

You have the right to ask VCare24 to provide you with all the information it stores on you. If you wish to access your personal data you can contact the data controller. You have the right to ask VCare24 to rectify, block, complete and delete your personal data, to restrict its use, and to port your data to another organisation. You have the right to request additional information about the handling of your personal data. You also have the right to object to the processing of your data by VCare24 in some circumstances and, where we have asked for consent to process your data, to withdraw this consent. Additionally, you may contact our Data Protection Officer.

There are exceptions to these rights, however. For example, access to personal data may be denied in some circumstances if making the information available would reveal personal information about another person or if VCare24 is legally prevented from disclosing such information. In addition, VCare24 may be able to retain data even if you withdraw your consent, where VCare24 can demonstrate that it has a legal requirement to process your data.

Countries your personal data will be sent to and why

VCare24 is a UK based company, and your personal data may be transferred across international borders in order for us to provide services and support to you. It may be transferred to countries that have different levels of data protection laws to the country from where you submitted your personal data. VCare24 (as Data Controller and Data Processor) has, where local data protection regulations so require, put in place security measures for the export of personal data from its jurisdiction. Where local data protection regulations so require, VCare24 has made arrangements with entities receiving your personal data such as VCare24 or Third-Party Data Processors, that they shall ensure that security measures are in place and that your personal data is processed only in accordance with UK Data Protection laws. If data is transferred from within the EEA to a jurisdiction outside the EEA, it is done so under a Data Transfer Agreement, which contains standard data protection contract clauses. The European Commission has adopted standard data protection contract clauses (known as the Model Clauses), which provide safeguards for personal information that is transferred outside of Europe.

The server that makes this website available may be located outside the country from which you have accessed this website. The provider of this website is bound by a contract that ensures your data is managed in accordance with UK Data Protection laws and that it acts only on VCare24 instructions and implements all technical measures necessary on an ongoing basis to keep your personal data secure.

How and why VCare24 uses Cookies and other similar technologies

VCare24 does make use of Cookies, which are small text files that are placed on your computer by websites that you visit or certain emails you open and other similar technologies such as Flash Cookies and web beacons. Such technologies are widely used in order to make websites work or work more efficiently, as well as to provide business and marketing information to the owners of the site, to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP etc. for the purpose of understanding how visitors use this website. Cookie and similar technologies help us tailor this website to your personal needs. This type of information obtained through cookies will not be disclosed outside VCare24 or our authorized Third-Party Data Processors. It will not be used for unsolicited communications.

Cookies located on your computer do not contain your name but an IP address. In many cases, after the user’s session is cancelled the information contained in the cookies is no longer available to VCare24. Please ensure that your computer setting reflects whether you are happy to accept cookies or not. You can set your browser to warn you before accepting cookies or you can simply set it to refuse them, although you may not have access to all the features of the website if you do so. See your browser “Help” button for how you can do this. Some Flash Cookies may not be affected by such settings. You do not need to have cookies on to use or navigate through many parts of this and other VCare24 websites. Remember that if you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.

Changes to the terms of this Privacy Policy

VCare24 will occasionally make changes and corrections to this Privacy Policy. We will also give you the opportunity to consent to these material changes. Changes will be effective upon the posting of the changes and your acceptance of the changes, which may be through your continued use of the site or our services after the changes take effect.

Retention of your personal data

VCare24 will retain your information only for as long as is necessary for the purposes set out in this policy. VCare24 will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, and enforce our agreements. We also retain log files for internal analysis purposes. These log files are generally retained for a short period of time, except where they are used for website security, to improve website functionality, or we are legally obligated to retain them for longer time periods.

AI Use and your information

VCare24 utilises AI, GAN and algorithmic systems to support our staff in managing workloads, provide faster and more efficient customer service to our clients and to assist in managing our business operations. At no stage do AI, GAN and algorithmic systems make decisions based on inputs without a human reviewing the output. AI, GAN and algorithmic systems are utilised at VCare24 under the guidance of GDPR and the ICO’s guidelines. These regulations and guidelines are regularly reviewed by our Data Protection Officer to ensure our continued compliance.

We understand the risks in using AI, GAN and algorithmic systems including incorrect answers, inconsistent responses, hallucinated or false information, bias or discriminatory outputs along with other limitations. We recognise AI, GAN and algorithmic systems to be emerging technologies at this time; therefore, we have a strict AI, GAN and algorithmic systems Policy all employees are required to follow when using such tools. Additionally, all AI, GAN and algorithmic systems undergo a DPIA review prior to implementation, data access or processing.

Records Retention

Information is to be categorised under a specific record type to ensure the business function/unit using the data is identified. Combined with our retention schedule based on these categories, this forms part of our GDPR requirements to keep records of processing of personal data and special categories of personal data. (See also GDPR ROPA)

Record Categories

| Record Type | Comments |
|---|---|
| Common Records | Assets that exist under all business units such as meeting minutes, policies and procedures, etc. |
| A: Employee Records and Management | Employee data and information, sickness, absence, contracts, performance, workplace records, recruitment, payroll, staff feedback, surveys, etc. |
| B: Financials | Budgets, financial reports, invoices, bank statements, pensions, payroll, etc. |
| C: Purchasing and Tenders | Tender files, quotations, contracts, etc. |
| D: Facilities | Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests, etc. |
| E: Organisational Management | Business plans, strategic planning, BCP, disaster recovery, projects, audits, risk management, etc. |
| F: Corporate Governance | Statutory communications, OFSTED/CQC/NHS reports, inspection reports, certificates, certifications, reg 40 reports, incident reports, physical intervention reports, etc. |
| G: Public Communications | Website blog posts, social media posts, intranet posts, etc. |
| H: IT/IS | System documentation, configuration management. |
| I: Business Intelligence Reporting | Transport, IT, Facilities SLA, service metrics, ticket reports, etc. |
| J: Information Management | Data lakes, data registers, DPO items (DSAR Requests), company policies, incident logs. |
| K: Legal | Legal requests, litigation, inquiry papers, legal advice. |
| L: Young Person Residential Records | Referral, placement documentation, IPA’s, contracts, placement notifications, etc. |
| M: Service User Transport Records | Booking forms, risk assessments, observation logs, etc. |
| N: Other | Records that do not fit in any other category but still require retention and disposal. |

Schedule of Retention

The schedule of retention includes 9 columns set up as follows:

Record Type

References the category and/or business unit related to.

Title

Summary of the data

Examples

Brief examples as to what kind of file, type or system. This is not an exhaustive list.

Retention

The period of time where the records are required to be reviewed and either destroyed, purged or retention extended. Records may not be destroyed in line with this retention schedule if there is an overriding reason for retention, an ongoing investigation, legal request, etc.

Personal Data

Identifies if the record contains personal data. Personal Data examples include Name, address, personal email, contact information, bank information, etc.

Legal basis for processing personal data

Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores personal information.

Special category personal data

Identifies records containing special category personal data. Special category personal data examples include racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual and criminal offences.

Legal basis for processing special category personal data

Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores special category personal information.

Schedule

| Record Type | Title | Examples | Retention | Personal Data | Legal basis for processing personal data | Special category Personal Data | Legal basis for processing special category personal data |
|---|---|---|---|---|---|---|---|
| Common Record | Staff contact details | Staff profiles, Azure/M365 profile pictures, databases of staff names. | Whilst employed by VCare24 | Yes | Contract of employment | No | N/A |
| Common Record | Org structure | Org chart | Whilst correct and relevant | Yes (Names only) | Contract of employment | No | N/A |
| Common Record | Internal meetings | Minutes, agendas, follow up email threads. | 2 Years | No | Contract of employment | No | N/A |
| Common Records | External meetings | Minutes, agendas, follow up email threads. | 2 Years | Yes | Business operations, contracts. | Yes | Business operations, contracts. |
| Common Records | Policies | Internal policies and procedures | Indefinitely | No | N/A | No | N/A |
| Common Records | Internal knowledgebase and documentation | SSP Portal, Procedures documents | Until superseded | No | N/A | No | N/A |
| Common Records | Expenses | Receipts, expense forms, mileage. | 7 Years | Yes | Business operations | No | N/A |
| Common Records | Questionnaires/Forms | Staff feedback, surveys. | Destroy once analysed | Yes but varies | Consent | Yes but varies | Consent |
| Common Records | Questionnaire/Forms analysis | Processed response data for BI | Retain until superseded or no longer accurate | No | N/A | No | N/A |
| A: Employee Records and Management | Staff absence records | Sick notes, fit notes, absence records, leave, special leave | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Employment rights |
| A: Employee Records and Management | Medical/self certifications | Medical declarations, certs. Unrelated to work related injury | 4 years | Yes | Legal obligation | Yes | Employment rights |
| A: Employee Records and Management | Staff annual leave | Leave requests, remaining leave, approved and rejected requests | 2 years | Yes | Legal obligation | Yes | Employment rights |
| A: Employee Records and Management | DBS Checks Results | Results include positive or negative DBS, any disclosures. | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Employment staff file (Physical) | Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc. | Until electronic file completed then destroyed | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Employment staff file (Electronic) | Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc. | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Disciplinary files | Disciplinary letters, invites, meeting notes, case logs. | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Staff performance management | Personal reviews, personal development plans | Duration of employment + 7 Years | Yes | Contract of employment | Yes | Employment rights and assessment of working capacity. |
| A: Employee Records and Management | Staff training | Training plans, courses, certs. | Duration of employment + 7 Years | Yes | Contract of employment | No | N/A |
| A: Employee Records and Management | Other | Meeting notes, other documents, etc. | Duration of employment + 7 Years | Yes | Contract of employment | No | N/A |
| B: Financials | Budgets, Financial reports, Invoices, bank statements | Debit, card statements | 10 years | No | Business operations | No | N/A |
| B: Financials | Pensions | NEST letters, pension payment details | Duration of employment + 6 Years | Yes | Business operations/ Contract of employment | No | N/A |
| B: Financials | Payroll | Payslips, P45’s, P60’s. | Duration of employment + 6 Years | Yes | Business operations/ Contract of employment | No | N/A |
| C: Purchasing and Tenders | Tender files, quotations, contracts | Tender contracts, documents, email chains. | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| D: Facilities | Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests | Assessment forms, results spreadsheets, Halo tickets. | 5 years (so long as operationally relevant) | No | Business operations, health and safety | No | N/A |
| E: Organisational Management | Business plans, strategic planning | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| E: Organisational Management | BCP, disaster recovery | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| E: Organisational Management | Projects, audits, risk management | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Statutory communications | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | OFSTED/CQC/NHS reports, inspection reports | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Certificates, certifications | | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Reg 40 reports | Reg 40 | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Incident reports, physical intervention reports | Incident logs, CCTV of incidents, witness statements | Indefinite | Yes | N/A | No | N/A |
| G: Public Communications | Website blog posts, social media posts, intranet posts | Facebook, Instagram, WordPress posts. Blog updates. | Indefinite (so long as operationally relevant) | No | N/A | No | N/A |
| H: IT/IS | System documentation | Halo Knowledgebase, IT Procedures and Documentation Word, PDF docs, etc. | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| H: IT/IS | Configuration management | Scripts, deployment tools, interfaces such as Intune | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| I: Business Intelligence Reporting | Transport, IT, Facilities SLA Metrics | Ticket SLA targets and goals hit. | 5 years | No | N/A | No | N/A |
| I: Business Intelligence Reporting | Transport, IT, Facilities, service metrics | Ticket average time taken, mileage, vehicle usage, staff utilisation, etc. | 5 years | No | N/A | No | N/A |
| I: Business Intelligence Reporting | Ticket reports | Transport ticket exports, IT ticket exports, etc. | 7 years | Yes | Business operations | Yes | Results may contain special data which will be used in line with Privacy Notice and GDPR. |
| J: Information Management | Data lakes | M365 Storage, Druva | Indefinite | N/A | N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may. | N/A | N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may. |
| J: Information Management | Data registers | Information Asset Register, Asset log within HaloITSM | Indefinite | No | N/A | No | N/A |
| J: Information Management | DPO items (DSAR Requests) | Subject access requests | Indefinite | Yes | To perform DSAR request | No | Results may contain special data but this is not retained once provided to the requestor. |
| J: Information Management | Company policies | Contract of employment, staff policies, etc. | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| J: Information Management | Incident logs | Incident reports, CCTV of incidents, risk assessments, witness statements. | 7 years | Yes | Business operations, Health and Safety | Yes | If this is contained within an incident log: Health and Safety legislation. |
| K: Legal | Legal requests | Legal service. | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| K: Legal | Litigation | Legal notices, emails, letters. Memos. | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| K: Legal | Inquiry papers | Inquiry documents, paperwork, letters, emails, memos. | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| K: Legal | Legal advice | Communications with courts, solicitors, letters, emails, memos etc | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| L: Young Person Residential Records | Referrals | Referrals mailbox emails, residential documentation, RM mailboxes. | 7 years | Yes | Provision of care | Yes | Provision of care |
| L: Young Person Residential Records | Placement documentation | Referrals mailbox emails, residential documentation, RM mailboxes. | 7 years | Yes | Provision of care | Yes | Provision of care |
| L: Young Person Residential Records | Contracts, IPA’s | Referrals mailbox emails, residential documentation, RM mailboxes. | 7 years | Yes | Business operation | Yes | Provision of care |
| L: Young Person Residential Records | Placement notifications | Referrals mailbox emails, residential documentation. | 7 years | Yes | Provision of care | Yes | Provision of care |
| M: Service User Transport Records | Booking forms | Patient basic information, collection and drop off address, NHS number, contact details. | 7 years | Yes | Patient details for | Yes | Patient/employee safety and care |
| M: Service User Transport Records | Risk assessments | Risk of violence, COVID, absconding, etc. | 7 years | Yes | Records of patient care | Yes | Patient/employee safety and care |
| M: Service User Transport Records | Observation logs | Logs of events, incidents, etc during transport, collection and drop off of patients. | 7 years | Yes | Records of patient care | Yes | Patient/employee safety and care |
| N: Other | Records that do not fit in any other category but still require retention and disposal. | N/A | Decided on case by case basis in line with GDPR and applicable laws and regulations | N/A | Business Operations | N/A | N/A |

How to contact VCare24

If you have any questions about this Privacy Notice or our data collection practices, please contact us at the address or email listed below, stating the nature of your question:

[email protected]

Please write to:

VCare24

Unit 10, Halifax Way

Pocklington Industrial Estate

YO42 1NP