VCare24 Global Privacy Policy

Key Information

VCare24 respects your right to privacy. We put in place security measures for your personal data and manage your personal data in accordance with applicable data privacy regulations. Please note that VCare24 is the Data Controller of your personal data. The principles set out in this Privacy Notice apply to all instances in which VCare24 receives your personal data as a Data Controller for the purposes described in this notice. Those purposes are processing of data to participate in the various activities available on this website or as mentioned below.

If you have any requests concerning your personal data or any queries with regard to these practices, please contact VCare24 using the contact details given in Paragraph 5 below.

Personal data which VCare24 collects through this website and how VCare24 collects it

You can provide your personal data if you wish. We only collect personal data that YOU want to provide to us or that is needed to provide (and improve) our service to you. We collect personal data directly such as name, age, gender, address and e-mail address as well as connection and system information. The legal basis for the processing of your personal data is your consent and/or any other applicable legal basis, such as our legitimate interest in engaging in commerce and offering products and services of value to you. Any consent you provide may be withdrawn at any time by following the contact methods listed in Paragraph 5. You may want to give us your e-mail address, name, telephone number etc. so that we can provide you with information on our products/Services; respond to your questions or comments. Some website functionality may be unavailable to users who do not provide their data, or who do not consent to the use of Cookies and similar technologies on this site. Additionally, if you choose not to provide your personal data, we will not be able to provide you with our products or services or with other support or responses.

VCare24 security measures

VCare24 takes security measures in line with data protection regulations. VCare24 has security measures in place designed to prevent data loss, to preserve data integrity, and to regulate access to the data. Only authorised VCare24 employees and authorised employees of our Third-Party service providers (a list of such providers is available on request) have access to your personal data. All VCare24 employees who have access to your personal data are required to adhere to the VCare24 Privacy Notice and all third-party service providers are requested by VCare24 to ensure that any of their employees who have access to your personal data have signed non-disclosure agreements. In addition, contracts are in place with such third -party service providers acting as data processors for VCare24 that have access to your personal data, to ensure that the level of security required in your jurisdiction is in place, and that your personal data is processed only as instructed by VCare24.

How VCare24 uses your personal data

Your personal data will only be used for the purposes for which you provided it to VCare24, as indicated to you at the time you provided your personal data. It will also be used to administer, support and obtain feedback on the level of our services, to help prevent breaches of security, the law or our contract terms. It may also be disclosed, including a disclosure to entities based outside the European Economic Area (EEA), to third parties (as part of the information generally contained in business) in the event of a sale of the business, or a reorganisation of the business, or as otherwise required or permitted by law or applicable regulator.

Who VCare24 discloses your personal data to and why

VCare24 will never share your personal data with any Third-Party (i.e a party other than an entity within the VCare24 Group) business organisation that intends to use it for their own purposes, other than as required by law. VCare24, may transfer or disclose your personal data to another data controller in the VCare24 Group to be used for similar purposes, at its discretion, and you hereby consent to such transfer or disclosure. If your personal data is transferred or disclosed to another data controller within the VCare24 Group, that other data controller shall have the same rights and obligations with regard to your personal data as VCare24. With your consent, VCare24 may share your personal data with Third-Parties (i.e. parties other than entities within the VCare24 Group) such as those who assist us in providing the products and services and who perform technical operations, but only in the strictly limited circumstances set out below:

Our Third-Party Data Processors (service providers such as our fulfilment and activation partners and digital agencies, hosting providers, data storage providers and other technical partners) who help us administer this website, or process the data submitted to it, may have access to your data. Some of these business partners may be located outside the country where you accessed this website.

Your rights

You have the right to ask VCare24 to provide you with all the information it stores on you. If you wish to access your personal data you can contact the data controller. You have the right to ask VCare24 to rectify, block, complete and delete your personal data, to restrict its use, and to port your data to another organisation. You have the right to request additional information about the handling of your personal data. You also have the right to object to the processing of your data by VCare24 in some circumstances and, where we have asked for consent to process your data, to withdraw this consent. Additionally, you may contact our Data Protection Officer.

There are exceptions to these rights, however. For example, access to personal data may be denied in some circumstances if making the information available would reveal personal information about another person or if VCare24 is legally prevented from disclosing such information. In addition, VCare24 may be able to retain data even if you withdraw your consent, where VCare24 can demonstrate that it has a legal requirement to process your data.

Countries your personal data will be sent to and why

VCare24 is a UK based company, and your personal data may be transferred across international borders in order for us to provide services and support to you. It may be transferred to countries that have different levels of data protection laws to the country from where you submitted your personal data. VCare24 (as Data Controller and Data Processor) has, where local data protection regulations so require, put in place security measures for the export of personal data from its jurisdiction. Where local data protection regulations so require, VCare24 has made arrangements with entities receiving your personal data such as VCare24 or Third-Party Data Processors, that they shall ensure that security measures are in place and that your personal data is processed only in accordance with UK Data Protection laws. If data is transferred from within the EEA to a jurisdiction outside the EEA, it is done so under a Data Transfer Agreement, which contains standard data protection contract clauses. The European Commission has adopted standard data protection contract clauses (known as the Model Clauses), which provide safeguards for personal information that is transferred outside of Europe.

The server that makes this website available may be located outside the country from which you have accessed this website. The provider of this website is bound by a contract that ensures your data is managed in accordance with EU Data Protection laws and that it acts only on VCare24 instructions and implements all technical measures necessary on an ongoing basis to keep your personal data secure.

How and why VCare24 uses Cookies and other similar technologies

VCare24 does make use of Cookies, which are small text files that are placed on your computer by websites that you visit or certain emails you open and other similar technologies such as Flash Cookies and web beacons. Such technologies are widely used in order to make websites work or work more efficiently, as well as to provide business and marketing information to the owners of the site, to gather such personal data as browser type and operating system, referring page, path through site, domain of ISP etc. for the purpose of understanding how visitors use this website. Cookie and similar technologies help us tailor this website to your personal needs. This type of information obtained through cookies will not be disclosed outside VCare24 or our authorized Third-Party Data Processors. It will not be used for unsolicited communications.

Cookies located on your computer do not contain your name but an IP address. In many cases, after the user’s session is cancelled the information contained in the cookies is no longer available to VCare24. Please ensure that your computer setting reflects whether you are happy to accept cookies or not. You can set your browser to warn you before accepting cookies or you can simply set it to refuse them, although you may not have access to all the features of the website if you do so. See your browser “Help” button for how you can do this. Some Flash Cookies may not be affected by such settings. You do not need to have cookies on to use or navigate through many parts of this and other VCare24 websites. Remember that if you use different computers in different locations you will need to ensure that each browser is adjusted to suit your cookie preferences.

 

Changes to the terms of this Privacy Policy

VCare24 will occasionally make changes and corrections to this Privacy Policy. We will also give you the opportunity to consent to these material changes. Changes will be effective upon the posting of the changes and your acceptance of the changes, which may be through your continued use of the site or our services after the changes take effect.

Retention of your personal data

VCare24 will retain your information only for as long as is necessary for the purposes set out in this policy. VCare24 will retain and use your information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your information to comply with applicable tax/revenue laws), resolve disputes, and enforce our agreements. We also retain log files for internal analysis purposes. These log files are generally retained for a short period of time, except where they are used for website security, to improve website functionality, or we are legally obligated to retain them for longer time periods.

Records Retention

Information is to be categorised under a specific record type to ensure the business function/unit using the data is identified. Combined with our retention schedule based on these categories, this forms part of our GDPR requirements to keep records of processing of personal data and special categories of personal data. (See also GDPR ROPA)

Record Categories

Record Type

Comments

Common Records

Assets that exist under all business units such as meeting minutes, policies and procedures, etc.

A: Employee Records and Management

Employee data and information, sickness, absence, contracts, performance, workplace records, recruitment, payroll, staff feedback, surveys, etc.

B: Financials

Budgets, financial reports, invoices, bank statements, pensions, payroll, etc.

C: Purchasing and Tenders

Tender files, quotations, contracts, etc.

D: Facilities

Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests, etc.

E: Organisational Management

Business plans, strategic planning, BCP, disaster recovery, projects, audits, risk management, etc.

F: Corporate Governance

Statutory communications, OFSTED/CQC/NHS reports, inspection reports, certificates, certifications, reg 40 reports, incident reports, physical intervention reports, etc.

G: Public Communications

Website blog posts, social media posts, intranet posts, etc.

H: IT/IS

System documentation, configuration management.

I: Business Intelligence Reporting

Transport, IT, Facilities SLA, service metrics, ticket reports, etc.

J: Information Management

Data lakes, data registers, DPO items (DSAR Requests), company policies, incident logs.

K: Legal

Legal requests, litigation, inquiry papers, legal advice.

L: Young Person Residential Records

Referral, placement documentation, IPA’s, contracts, placement notifications, etc.

M: Service User Transport Records

Booking forms, risk assessments, observation logs, etc.

N: Other

Records that do not fit in any other category but still require retention and disposal.

 

Schedule of Retention

The schedule of retention includes 9 columns setup as follows:

Record Type

References the category and/or business unit related to.

Title

Summary of the data

Examples

Brief examples as  to what kind of file, type or system. This is not an exhaustive list.

Retention

The period of time where the records are required to be reviewed and either destroyed, purged or retention extended. Records may not be destroyed in line with this retention schedule of there is an overriding reason for retention, an ongoing investigation, legal request, etc.

Personal Data

Identifies if the record contains personal data. Personal Data examples include Name, address, personal email, contact information, bank information, etc.

Legal basis for processing personal data

Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores personal information.

Special category personal data

Identifies records containing special category personal data. Special category personal data examples include racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual and criminal offences.

Legal basis for processing special category personal data

Identifies the purpose for which VCare24 has collected, holds, uses, processes and stores special category personal information.

Schedule

Record Type

Title

Examples

Retention

Personal Data

Legal basis for processing personal data

Special category Personal Data

Legal basis for processing special category personal data

Common Record

Staff contact details

Staff profiles, Azure/M365 profile pictures, databases of staff names.

Whilst employed by VCare24

Yes

Contract of employment

No

N/A

Common Record

Org structure

Org chart

Whilst correct and relevant

Yes (Names only)

Contract of employment

No

N/A

Common Record

Internal meetings

Minutes, agendas, follow up email threads.

2 Years

No

Contract of employment

No

N/A

Common Records

External meetings

Minutes, agendas, follow up email threads.

2 Years

Yes

Business operations, contracts.

Yes

Business operations, contracts.

Common Records

Policies

Internal policies and procedures

Indefinitely

No

N/A

No

N/A

Common Records

Internal knowledgebase and documentation

SSP Portal, Procedures documents

Until superseded

No

N/A

No

N/A

Common Records

Expenses

Receipts, expense forms, milage.

7 Years

Yes

Business operations

No

N/A

Common Records

Questionnaires/Forms

Staff feedback, surveys.

Destroy once analysed

Yes but varies

Consent

Yes but varies

Consent

Common Records

Questionnaire/Forms analysis

Processed response data for BI

Retain until superseded or no longer accurate

No

N/A

No

N/A

A: Employee Records and Management

Staff absence records

Sick notes, fit notes, absence records, leave, special leave

Duration of employment + 7 Years

Yes

Legal obligation

Yes

Employment rights

A: Employee Records and Management

Medical/self certifications

Medical declarations, certs. Unrelated to work related injury

4 years

Yes

Legal obligation

Yes

Employment rights

A: Employee Records and Management

Staff annual leave

Leave requests, remaining leave, approved and rejected requests

2 years

Yes

Legal obligation

Yes

Employment rights

A: Employee Records and Management

DBS Checks Results

Results include positive or negative DBS, any disclosures.

Duration of employment + 7 Years

Yes

Legal obligation

Yes

Legal obligation

A: Employee Records and Management

Employment staff file (Physical)

Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc.

Until electronic file completed then destroyed

Yes

Legal obligation

Yes

Legal obligation

A: Employee Records and Management

Employment staff file (Electronic)

Recruitment records, interview notes, application forms, contacts, variations, dismissal, death, etc.

Duration of employment + 7 Years

Yes

Legal obligation

Yes

Legal obligation

A: Employee Records and Management

Disciplinary files

Disciplinary letters, invites, meeting notes, case logs.

Duration of employment + 7 Years

Yes

Legal obligation

Yes

Legal obligation

A: Employee Records and Management

Staff performance management

Personal reviews, personal development plans

Duration of employment + 7 Years

Yes

Contract of employment

Yes

Employment rights and assessment of working capacity.

A: Employee Records and Management

Staff training

Training plans, courses, certs.

Duration of employment + 7 Years

Yes

Contract of employment

No

N/A

A: Employee Records and Management

Other

Meeting notes, other documents, etc.

Duration of employment + 7 Years

Yes

Contract of employment

No

N/A

B: Financials

Budgets, Financial reports, Invoices, bank statements

Debit, card statements

10 years

No

Business operations

No

N/A

B: Financials

Pensions

NEST letters, pension payment details

Duration of employment + 6 Years

Yes

Business operations/ Contract of employment

No

N/A

B: Financials

Payroll

Payslips, P45’s, P60’s.

Duration of employment + 6 Years

Yes

Business operations/ Contract of employment

No

N/A

C: Purchasing and Tenders

Tender files, quotations, contracts

Tender contracts, documents, email chains.

5 years (so long as operationally relevant)

No

N/A

No

N/A

D: Facilities

Waste management, Health and Safety assessments and reports, PAT Tests, Facilities maintenance requests

Assessment forms, results spreadsheets, Halo tickets.

5 years (so long as operationally relevant)

No

Business operations, health and safety

No

N/A

E: Organisational Management

Business plans, strategic planning

Reports and plans, word documents, pdf documents.

Indefinite

No

N/A

No

N/A

E: Organisational Management

BCP, disaster recovery

Reports and plans, word documents, pdf documents.

Indefinite

No

N/A

No

N/A

E: Organisational Management

Projects, audits, risk management

Reports and plans, word documents, pdf documents.

Indefinite

No

N/A

No

N/A

F: Corporate Governance

Statutory communications

Reports and plans, word documents, pdf documents.

Indefinite

No

N/A

No

N/A

F: Corporate Governance

OFSTED/CQC/NHS reports, inspection reports

Reports and plans, word documents, pdf documents.

Indefinite

No

N/A

No

N/A

F: Corporate Governance

Certificates, certifications

 

Indefinite

No

N/A

No

N/A

F: Corporate Governance

Reg 40 reports

Reg 40

Indefinite

No

N/A

No

N/A

F: Corporate Governance

Incident reports, physical intervention reports

Incident logs, CCTV of incidents, witness statements

Indefinite

Yes

N/A

No

N/A

G: Public Communications

Website blog posts, social media posts, intranet posts

Facebook, Instagram, WordPress posts. Blog updates.

Indefinite (so long as operationally relevant)

No

N/A

No

N/A

H: IT/IS

System documentation

Halo Knowledgebase, IT Procedures and Documentation Word, PDF docs, etc.

5 years (so long as operationally relevant)

No

N/A

No

N/A

H: IT/IS

Configuration management

Scripts, deployment tools, interfaces such as Intune

5 years (so long as operationally relevant)

No

N/A

No

N/A

I: Business Intelligence Reporting

Transport, IT, Facilities SLA Metrics

Ticket SLA targets and goals hit.

5 years

No

N/A

No

N/A

I: Business Intelligence Reporting

Transport, IT, Facilities, service metrics

Ticket average time taken, milage, vehicle usage, staff utilisation, etc.

5 years

No

N/A

No

N/A

I: Business Intelligence Reporting

Ticket reports

Transport ticket exports, IT ticket exports, etc.

7 years

Yes

Business operations

Yes

Results may contain special data which will be used in line with Privacy Notice and GDPR.

J: Information Management

Data lakes

M365 Storage, Druva

Indefinite

N/A

N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may.

N/A

N/A – A lake is a large group of storage systems, it does not directly contain data but the subsystems may.

J: Information Management

Data registers

Information Asset Register, Asset log within HaloITSM

Indefinite

No

N/A

No

N/A

J: Information Management

DPO items (DSAR Requests)

Subject access requests

Indefinite

Yes

To perform DSAR request

No

Results may contain special data but this is not retained once provided to the requestor.

J: Information Management

Company policies

Contract of employment, staff policies, etc.

5 years (so long as operationally relevant)

No

N/A

No

N/A

J: Information Management

Incident logs

Incident reports, CCTV of incidents, risk assessments, witness statements.

7 years

Yes

Business operations, Health and Safety

Yes

If this is contained within an incident log: Health and Safety legislation.

K: Legal

Legal requests

Legal service.

7 years

Yes

Legal obligations, complying with orders.

No

N/A

K: Legal

Litigation

Legal notices, emails, letters. Memos.

7 years

Yes

Legal obligations, complying with orders.

No

N/A

K: Legal

Inquiry papers

Inquiry documents, paperwork, letters, emails, memos.

7 years

Yes

Legal obligations, complying with orders.

No

N/A

K: Legal

Legal advice

Communications with courts, solicitors, letters, emails, memos etc

7 years

Yes

Legal obligations, complying with orders.

No

N/A

L: Young Person Residential Records

Referrals

Referrals mailbox emails, residential documentation, RM mailboxes.

7 years

Yes

Provision of care

Yes

Provision of care

L: Young Person Residential Records

Placement documentation

Referrals mailbox emails, residential documentation, RM mailboxes.

7 years

Yes

Provision of care

Yes

Provision of care

L: Young Person Residential Records

Contracts, IPA’s

Referrals mailbox emails, residential documentation, RM mailboxes.

7 years

Yes

Business operation

Yes

Provision of care

L: Young Person Residential Records

Placement notifications

Referrals mailbox emails, residential documentation.

7 years

Yes

Provision of care

Yes

Provision of care

M: Service User Transport Records

Booking forms

Patient basic information, collection and drop off address, NHS number, contact details.

7 years

Yes

Patient details for

Yes

Patient/employee safety and care

M: Service User Transport Records

Risk assessments

Risk of violence, COVID, absconding, etc.

7 years

Yes

Records of patient care

Yes

Patient/employee safety and care

M: Service User Transport Records

Observation logs

Logs of events, incidents, etc during transport, collection and drop off of patiens.

7 years

Yes

Records of patient care

Yes

Patient/employee safety and care

N: Other

Records that do not fit in any other category but still require retention and disposal.

N/A

Decided on case by case basis in line with GDPR and applicable laws and regulations

N/A

Business Operations

N/A

N/A

 

How to contact VCare24

If you have any questions about this Privacy Notice or our data collection practices, please contact us at the address, or email listed below and the nature of your question:

[email protected]

Please write to:

VCare24

Unit 10, Halifax Way

Pocklington Industrial Estate

YO42 1NP