| Version | Date | Changes | Reviewed By |
| 1.0 | 05/05/2022 | Initial Release | DPO |
| 1.1 | 13/09/2023 | Annual Review. | DPO |
| 1.2 | 12/03/2024 | Annual Review. | DPO |
| 1.3 | 30/04/2025 | Annual review. Added changelog. Added use of AI, GAN and similar systems. Added clarifications around VCare Group of companies. | DPO |
VCare24 respects your right to privacy. We put in place security measures for your personal data and manage your personal data in accordance with applicable data privacy regulations. Please note that VCare24 is the Data Controller of your personal data. The principles set out in this Privacy Notice apply to all instances in which VCare24 receives your personal data as a Data Controller for the purposes described in this notice. Those purposes are processing of data to participate in the various activities available on this website or as mentioned below.
If you have any requests concerning your personal data or any queries with regard to these practices, please contact VCare24 using the contact details given in Paragraph 5 below.
You can provide your personal data if you wish. We only collect personal data that YOU want to provide to us or that is needed to provide (and improve) our service to you. We collect personal data directly such as name, age, gender, address and e-mail address as well as connection and system information. The legal basis for the processing of your personal data is your consent and/or any other applicable legal basis, such as our legitimate interest in engaging in commerce and offering products and services of value to you. Any consent you provide may be withdrawn at any time by following the contact methods listed. You may want to give us your e-mail address, name, telephone number etc. so that we can provide you with information on our products/Services; respond to your questions or comments. Some website functionality may be unavailable to users who do not provide their data, or who do not consent to the use of Cookies and similar technologies on this site. Additionally, if you choose not to provide your personal data, we will not be able to provide you with our products or services or with other support or responses.
Alongside our website, VCare24 may also collect or require submission of personal data in order to fulfil a contract or service with you. Your data is processed in line with this privacy policy under the legislation and regulations applicable to the UK, namely the DPA 2018. The legal basis for the processing of your personal data is your consent and/or any other applicable legal basis, such as our legitimate interest in engaging in commerce and offering products and services of value to you. Any consent you provide may be withdrawn at any time by following the contact methods listed.
VCare Residential provides care and other services to local authorities and other professional services. As apart of these services we are required to collect and process children’s information including but not limited to name, DOB, healthcare information, criminal convictions and other sensitive information. Under the general data protection regulations strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information may be stored within electronic or paper records, or a combination of both. All our records are restricted so that only those individuals who have a need to know the information can gain access. This applies to the use of technology and paper files.
VCare24 will act as a joint data controller alongside VCare Residential and a data processor in relation to our services for Residential Support. Your information will be processed and retained in line with VCare24 Information Security policies alongside any requirements from you as a customer or an agreement/contract, for example Local Authority Tenders.
VCare24 provides secure transport and other services to local authorities, NHS, Police and other professional services. As apart of these services we are required to collect and process children’s and adults information including but not limited to name, DOB, healthcare information and other sensitive information. Under the general data protection regulations strict principles govern our use of information and our duty to ensure it is kept safe and secure. Your information will be stored within electronic records. All our records are restricted so that only those individuals who have a need to know the information can gain access. This applies to the use of technology and paper files.
VCare24 will act as a data processor in relation to our services for Secure Transport. Your information will be processed and retained in line with VCare24 Information Security policies alongside any requirements from you as a customer or an agreement/contract, for example NHS Tenders, Police Booking, etc.
VCare24 maintains a business relationship with other group companies, those being The Becklands School, Becklands Land Based Outdoor trading as Millbrook Horizons, VCare Residential, VCare Alliance, VCare Training Solutions, VMDM and Workplace Bereavement Advocacy. VCare24 provides Business Support Services including but not limited to IT, Finance and HR functions. To provide these services, VCare24 will process your information in line with this privacy policy and any agreements with the other group company. For further information, please see our Employee Privacy Notice.
VCare24 will act as a joint data controller along with the other group company in this instance. Your information will be processed and retained in line with VCare24 Information Security policies.
VCare24 takes security measures in line with data protection regulations. VCare24 has security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to the data. Only authorised VCare24 employees and authorised employees of our Third-Party service providers (a list of such providers is available on request) have access to your personal data. All VCare24 employees who have access to your personal data are required to adhere to the VCare24 Privacy Notice and all third-party service providers are requested by VCare24 to ensure that any of their employees who have access to your personal data have signed non-disclosure agreements. In addition, contracts are in place with such third -party service providers acting as data processors for VCare24 that have access to your personal data, to ensure that the level of security required in your jurisdiction is in place, and that your personal data is processed only as instructed by VCare24.
Your personal data will only be used for the purposes for which you provided it to VCare24, as indicated to you at the time you provided your personal data. It will also be used to administer, support and obtain feedback on the level of our services, to help prevent breaches of security, the law or our contract terms. It may also be disclosed, including a disclosure to entities based outside the European Economic Area (EEA), to third parties (as part of the information generally contained in business) in the event of a sale of the business, or a reorganisation of the business, or as otherwise required or permitted by law or applicable regulator.
VCare24 will never share your personal data with any Third-Party (i.e a party other than an entity within the VCare24 Group) business organisation that intends to use it for their own purposes, other than as required by law. VCare24, may transfer or disclose your personal data to another data controller in the VCare24 Group to be used for similar purposes, at its discretion, and you hereby consent to such transfer or disclosure. In some instances, VCare24 may act as a joint data controller along with other entities, other entities can be inside or external to the VCare Group of companies. If your personal data is transferred or disclosed to another data controller within the VCare24 Group, that other data controller shall have the same rights and obligations with regard to your personal data as VCare24. With your consent, VCare24 may share your personal data with Third-Parties (i.e. parties other than entities within the VCare24 Group) such as those who assist us in providing the products and services and who perform technical operations, but only in the strictly limited circumstances set out below:
Our Third-Party Data Processors (service providers such as our fulfilment and activation partners and digital agencies, hosting providers, data storage providers and other technical partners) who help us administer this website, or process the data submitted to it, may have access to your data. Some of these business partners may be located outside the country where you accessed this website.
You have the right to ask VCare24 to provide you with all the information it stores on you. If you wish to access your personal data you can contact the data controller. You have the right to ask VCare24 to rectify, block, complete and delete your personal data, to restrict its use, and to port your data to another organisation. You have the right to request additional information about the handling of your personal data. You also have the right to object to the processing of your data by VCare24 in some circumstances and, where we have asked for consent to process your data, to withdraw this consent. Additionally, you may contact our Data Protection Officer.
There are exceptions to these rights, however. For example, access to personal data may be denied in some circumstances if making the information available would reveal personal information about another person or if VCare24 is legally prevented from disclosing such information. In addition, VCare24 may be able to retain data even if you withdraw your consent, where VCare24 can demonstrate that it has a legal requirement to process your data.
VCare24 is a UK based company, and your personal data may be transferred across international borders in order for us to provide services and support to you. It may be transferred to countries that have different levels of data protection laws to the country from where you submitted your personal data. VCare24 (as Data Controller and Data Processor) has, where local data protection regulations so require, put in place security measures for the export of personal data from its jurisdiction. Where local data protection regulations so require, VCare24 has made arrangements with entities receiving your personal data such as VCare24 or Third-Party Data Processors, that they shall ensure that security measures are in place and that your personal data is processed only in accordance with UK Data Protection laws. If data is transferred from within the EEA to a jurisdiction outside the EEA, it is done so under a Data Transfer Agreement, which contains standard data protection contract clauses. The European Commission has adopted standard data protection contract clauses (known as the Model Clauses), which provide safeguards for personal information that is transferred outside of Europe.
The server that makes this website available may be located outside the country from which you have accessed this website. The provider of this website is bound by a contract that ensures your data is managed in accordance with UK Data Protection laws and that it acts only on VCare24 instructions and implements all technical measures necessary on an ongoing basis to keep your personal data secure.
VCare24 does make use of Cookies, which are small text files that are placed on your computer by websites that you visit or certain emails you open and other similar technologies such as Flash Cookies and web beacons. Such technologies are widely used in order to make websites work or work more efficiently, as well as to provide business and marketing information to the owners of the site, to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP etc. for the purpose of understanding how visitors use this website. Cookie and similar technologies help us tailor this website to your personal needs. This type of information obtained through cookies will not be disclosed outside VCare24 or our authorized Third-Party Data Processors. It will not be used for unsolicited communications.
Cookies located on your computer do not contain your name but an IP address. In many cases, after the user’s session is cancelled the information contained in the cookies is no longer available to VCare24. Please ensure that your computer setting reflects whether you are happy to accept cookies or not. You can set your browser to warn you before accepting cookies or you can simply set it to refuse them, although you may not have access to all the features of the website if you do so. See your browser “Help” button for how you can do this. Some Flash Cookies may not be affected by such settings. You do not need to have cookies on to use or navigate through many parts of this and other VCare24 websites. Remember that if you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.
VCare24 will occasionally make changes and corrections to this Privacy Policy. We will also give you the opportunity to consent to these material changes. Changes will be effective upon the posting of the changes and your acceptance of the changes, which may be through your continued use of the site or our services after the changes take effect.
VCare24 will retain your information only for as long as is necessary for the purposes set out in this policy. VCare24 will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, and enforce our agreements. We also retain log files for internal analysis purposes. These log files are generally retained for a short period of time, except where they are used for website security, to improve website functionality, or we are legally obligated to retain them for longer time periods.
VCare24 utilises AI, GAN and algorithmic systems to support our staff in managing workloads, provide faster and more efficient customer service to our clients and to assist in managing our business operations. At no stage does AI, GAN and algorithmic systems make decisions based on inputs without a human reviewing the output. AI, GAN and algorithmic systems are utilised at VCare24 under the guidance of GDPR and the ICO’s guidelines. These regulations and guidelines are regularly reviewed by our Data Protection Officer to ensure our continued compliance.
We understand the risks in using AI, GAN and algorithmic systems including incorrect answers, inconsistent responses, hallucinated or false information, bias or discriminatory outputs along with other limitations. We recognise AI, GAN and algorithmic systems to be emerging technologies at this time therefor we have a strict AI, GAN and algorithmic systems Policy all employees are required to follow when using such tools. Additionally, all AI, GAN and algorithmic systems undergo a DPIA review prior to implementation, data access or processing.
Information is to be categorised under a specific record type to ensure the business function/unit using the data is identified. Combined with our retention schedule based on these categories, this forms part of our GDPR requirements to keep records of processing of personal data and special categories of personal data. (See also GDPR ROPA)
| Record Type | Comments |
| Common Records | Assets that exist under all business units such as meeting minutes, policies and procedures, etc. |
| A: Employee Records and Management | Employee data and information, sickness, absence, contracts, performance, workplace records, recruitment, payroll, staff feedback, surveys, etc. |
| B: Financials | Budgets, financial reports, invoices, bank statements, pensions, payroll, etc. |
| C: Purchasing and Tenders | Tender files, quotations, contracts, etc. |
| D: Facilities | Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests, etc. |
| E: Organisational Management | Business plans, strategic planning, BCP, disaster recovery, projects, audits, risk management, etc. |
| F: Corporate Governance | Statutory communications, OFSTED/CQC/NHS reports, inspection reports, certificates, certifications, reg 40 reports, incident reports, physical intervention reports, etc. |
| G: Public Communications | Website blog posts, social media posts, intranet posts, etc. |
| H: IT/IS | System documentation, configuration management. |
| I: Business Intelligence Reporting | Transport, IT, Facilities SLA, service metrics, ticket reports, etc. |
| J: Information Management | Data lakes, data registers, DPO items (DSAR Requests), company policies, incident logs. |
| K: Legal | Legal requests, litigation, inquiry papers, legal advice. |
| L: Young Person Residential Records | Referral, placement documentation, IPA’s, contracts, placement notifications, etc. |
| M: Service User Transport Records | Booking forms, risk assessments, observation logs, etc. |
| N: Other | Records that do not fit in any other category but still require retention and disposal. |
The schedule of retention includes 9 columns setup as follows:
References the category and/or business unit related to.
Summary of the data
Brief examples as to what kind of file, type or system. This is not an exhaustive list.
The period of time where the records are required to be reviewed and either destroyed, purged or retention extended. Records may not be destroyed in line with this retention schedule of there is an overriding reason for retention, an ongoing investigation, legal request, etc.
Identifies if the record contains personal data. Personal Data examples include Name, address, personal email, contact information, bank information, etc.
Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores personal information.
Identifies records containing special category personal data. Special category personal data examples include racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual and criminal offences.
Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores special category personal information.
| Record Type | Title | Examples | Retention | Personal Data | Legal basis for processing personal data | Special category Personal Data | Legal basis for processing special category personal data |
| Common Record | Staff contact details | Staff profiles, Azure/M365 profile pictures, databases of staff names. | Whilst employed by VCare24 | Yes | Contract of employment | No | N/A |
| Common Record | Org structure | Org chart | Whilst correct and relevant | Yes (Names only) | Contract of employment | No | N/A |
| Common Record | Internal meetings | Minutes, agendas, follow up email threads. | 2 Years | No | Contract of employment | No | N/A |
| Common Records | External meetings | Minutes, agendas, follow up email threads. | 2 Years | Yes | Business operations, contracts. | Yes | Business operations, contracts. |
| Common Records | Policies | Internal policies and procedures | Indefinitely | No | N/A | No | N/A |
| Common Records | Internal knowledgebase and documentation | SSP Portal, Procedures documents | Until superseded | No | N/A | No | N/A |
| Common Records | Expenses | Receipts, expense forms, milage. | 7 Years | Yes | Business operations | No | N/A |
| Common Records | Questionnaires/Forms | Staff feedback, surveys. | Destroy once analysed | Yes but varies | Consent | Yes but varies | Consent |
| Common Records | Questionnaire/Forms analysis | Processed response data for BI | Retain until superseded or no longer accurate | No | N/A | No | N/A |
| A: Employee Records and Management | Staff absence records | Sick notes, fit notes, absence records, leave, special leave | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Employment rights |
| A: Employee Records and Management | Medical/self certifications | Medical declarations, certs. Unrelated to work related injury | 4 years | Yes | Legal obligation | Yes | Employment rights |
| A: Employee Records and Management | Staff annual leave | Leave requests, remaining leave, approved and rejected requests | 2 years | Yes | Legal obligation | Yes | Employment rights |
| A: Employee Records and Management | DBS Checks Results | Results include positive or negative DBS, any disclosures. | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Employment staff file (Physical) | Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc. | Until electronic file completed then destroyed | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Employment staff file (Electronic) | Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc. | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Disciplinary files | Disciplinary letters, invites, meeting notes, case logs. | Duration of employment + 7 Years | Yes | Legal obligation | Yes | Legal obligation |
| A: Employee Records and Management | Staff performance management | Personal reviews, personal development plans | Duration of employment + 7 Years | Yes | Contract of employment | Yes | Employment rights and assessment of working capacity. |
| A: Employee Records and Management | Staff training | Training plans, courses, certs. | Duration of employment + 7 Years | Yes | Contract of employment | No | N/A |
| A: Employee Records and Management | Other | Meeting notes, other documents, etc. | Duration of employment + 7 Years | Yes | Contract of employment | No | N/A |
| B: Financials | Budgets, Financial reports, Invoices, bank statements | Debit, card statements | 10 years | No | Business operations | No | N/A |
| B: Financials | Pensions | NEST letters, pension payment details | Duration of employment + 6 Years | Yes | Business operations/ Contract of employment | No | N/A |
| B: Financials | Payroll | Payslips, P45’s, P60’s. | Duration of employment + 6 Years | Yes | Business operations/ Contract of employment | No | N/A |
| C: Purchasing and Tenders | Tender files, quotations, contracts | Tender contracts, documents, email chains. | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| D: Facilities | Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests | Assessment forms, results spreadsheets, Halo tickets. | 5 years (so long as operationally relevant) | No | Business operations, health and safety | No | N/A |
| E: Organisational Management | Business plans, strategic planning | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| E: Organisational Management | BCP, disaster recovery | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| E: Organisational Management | Projects, audits, risk management | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Statutory communications | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | OFSTED/CQC/NHS reports, inspection reports | Reports and plans, word documents, pdf documents. | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Certificates, certifications | Indefinite | No | N/A | No | N/A | |
| F: Corporate Governance | Reg 40 reports | Reg 40 | Indefinite | No | N/A | No | N/A |
| F: Corporate Governance | Incident reports, physical intervention reports | Incident logs, CCTV of incidents, witness statements | Indefinite | Yes | N/A | No | N/A |
| G: Public Communications | Website blog posts, social media posts, intranet posts | Facebook, Instagram, WordPress posts. Blog updates. | Indefinite (so long as operationally relevant) | No | N/A | No | N/A |
| H: IT/IS | System documentation | Halo Knowledgebase, IT Procedures and Documentation Word, PDF docs, etc. | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| H: IT/IS | Configuration management | Scripts, deployment tools, interfaces such as Intune | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| I: Business Intelligence Reporting | Transport, IT, Facilities SLA Metrics | Ticket SLA targets and goals hit. | 5 years | No | N/A | No | N/A |
| I: Business Intelligence Reporting | Transport, IT, Facilities, service metrics | Ticket average time taken, milage, vehicle usage, staff utilisation, etc. | 5 years | No | N/A | No | N/A |
| I: Business Intelligence Reporting | Ticket reports | Transport ticket exports, IT ticket exports, etc. | 7 years | Yes | Business operations | Yes | Results may contain special data which will be used in line with Privacy Notice and GDPR. |
| J: Information Management | Data lakes | M365 Storage, Druva | Indefinite | N/A | N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may. | N/A | N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may. |
| J: Information Management | Data registers | Information Asset Register, Asset log within HaloITSM | Indefinite | No | N/A | No | N/A |
| J: Information Management | DPO items (DSAR Requests) | Subject access requests | Indefinite | Yes | To perform DSAR request | No | Results may contain special data but this is not retained once provided to the requestor. |
| J: Information Management | Company policies | Contract of employment, staff policies, etc. | 5 years (so long as operationally relevant) | No | N/A | No | N/A |
| J: Information Management | Incident logs | Incident reports, CCTV of incidents, risk assessments, witness statements. | 7 years | Yes | Business operations, Health and Safety | Yes | If this is contained within an incident log: Health and Safety legislation. |
| K: Legal | Legal requests | Legal service. | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| K: Legal | Litigation | Legal notices, emails, letters. Memos. | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| K: Legal | Inquiry papers | Inquiry documents, paperwork, letters, emails, memos. | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| K: Legal | Legal advice | Communications with courts, solicitors, letters, emails, memos etc | 7 years | Yes | Legal obligations, complying with orders. | No | N/A |
| L: Young Person Residential Records | Referrals | Referrals mailbox emails, residential documentation, RM mailboxes. | 7 years | Yes | Provision of care | Yes | Provision of care |
| L: Young Person Residential Records | Placement documentation | Referrals mailbox emails, residential documentation, RM mailboxes. | 7 years | Yes | Provision of care | Yes | Provision of care |
| L: Young Person Residential Records | Contracts, IPA’s | Referrals mailbox emails, residential documentation, RM mailboxes. | 7 years | Yes | Business operation | Yes | Provision of care |
| L: Young Person Residential Records | Placement notifications | Referrals mailbox emails, residential documentation. | 7 years | Yes | Provision of care | Yes | Provision of care |
| M: Service User Transport Records | Booking forms | Patient basic information, collection and drop off address, NHS number, contact details. | 7 years | Yes | Patient details for | Yes | Patient/employee safety and care |
| M: Service User Transport Records | Risk assessments | Risk of violence, COVID, absconding, etc. | 7 years | Yes | Records of patient care | Yes | Patient/employee safety and care |
| M: Service User Transport Records | Observation logs | Logs of events, incidents, etc during transport, collection and drop off of patiens. | 7 years | Yes | Records of patient care | Yes | Patient/employee safety and care |
| N: Other | Records that do not fit in any other category but still require retention and disposal. | N/A | Decided on case by case basis in line with GDPR and applicable laws and regulations | N/A | Business Operations | N/A | N/A |
If you have any questions about this Privacy Notice or our data collection practices, please contact us at the address, or email listed below and the nature of your question:
Please write to:
VCare24
Unit 10, Halifax Way
Pocklington Industrial Estate
YO42 1NP