Privacy Policy

Introduction

Prometheus Safe and Secure (PSS) and Prometheus Complex Care (PCC) are committed to ensuring compliance with all relevant and applicable data protection laws and regulations. We recognise and accept our responsibility to manage personal data in line with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA 2018) and other relevant and applicable legislation in relation to the collecting and using of personal data.

This Privacy Statement describes our policies and procedures on the collection, use and disclosure of your information when you use our services. It also outlines your Information Rights and how the law protects you.

Across each of the services we provide, we are dedicated to maintaining the confidentiality and rights to privacy of all patients, service users, employees, contractors, and other individuals we engage with.

We take our responsibilities in relation to data protection and information rights seriously and maintain robust processes for safeguarding the personal information we hold in order to carry out our services and provide easy access to the information rights of individuals.

Data Controller and Data Processor

PSS and PCC are Data Controllers in their own right, but are also Data Processors for each other, which is covered under a Data Processing Agreement. Where your personal information is collected by PSS, PSS is the data controller. Where the information is collected by PCC, PCC is the controller. In both cases, they may process information on behalf of the other, depending on your relationship with them.

Contact Details

For any queries in relation to this policy, your rights as an individual, or to get in touch with our Data Protection Officer, you can contact Raj Chima via rchima@psecure.co.uk. If you are an employee of PSS or PCC, please contact Farzana Muquit via FMuquit@psecure.co.uk. We are registered with the ICO under the following registration numbers:

PSS: ZA049039
PCC: ZA884822

You can also write to us or call us, using the below contact details.

Prometheus Safe and Secure Ltd
Unit 603, Fort Dunlop
Fort Parkway
Birmingham
West Midlands
B24 9FD
Tel: 0800 009 6668

Personal Data that we collect

The type of information we collect and process depends on your interest(s) in our business. We always collect the minimum data necessary for the purpose of the services requested.

We ensure we have a legal basis for the data that we collect and process.

Data protection principles

In relation to your personal data, we will:

  • process it fairly, lawfully and in a clear, transparent way
  • collect your data only for reasons that we find proper for the course of your employment in ways that have been explained to you
  • only use it in the way that we have told you about
  • ensure it is correct and up to date
  • keep your data for only as long as we need it
  • process it in a way that ensures it will not be used for anything that you are not aware of or have consented to (as appropriate), lost or destroyed

Types of data we process

We may hold two types of data for you:

  1. Personal data – data about you that you can be identified with, i.e. your name, contact details, national insurance number, date of birth, bank details, etc.; essentially any personal data that relates to you and that can be used to identify you.
  2. Personal special category data – this is also your personal data but includes more sensitive information about you. This type of data requires a higher level of protection. Special category data is information about your:
    • race;
    • ethnic origin;
    • political opinions;
    • religious or philosophical beliefs;
    • trade union membership;
    • genetic data;
    • biometric data (where this is used for identification purposes);
    • health data;
    • sex life; or
    • sexual orientation.

Personal data can include information relating to criminal convictions and offences. This also requires a higher level of protection.

How we collect your data

We collect data about you in a variety of ways and this depends on what your interest in our business is or on the relationship that we have with you.

Employees
Collection of data will usually start when we undertake a recruitment exercise, where we will collect the data from you directly or through a recruitment agency, which should have your consent to share the information with us. This includes the information you would normally include in a CV or a recruitment cover letter, or notes made by our recruiting officers during a recruitment interview.

During the interview process we will rely on consent for a legal basis.

If you enter into an employment contract, further information will be collected directly from you, when you complete forms at the start of your employment, for example, your bank and next of kin details. Other details may be collected directly from you in the form of official documentation such as your driving licence, passport or other right to work evidence.

In some cases, we will collect data about you from third parties, such as employment agencies, former employers when gathering references or credit reference agencies.

Your personal data is kept in personnel paper files in locked storage and on a secure cloud environment.

Only those that require access to your files to perform their job duties have access to this information.

Your information is kept safe and secure in our HR and Finance departments.

Where you enter into an employment contract with us, we rely on contract as a legal basis.

Where we process special category data, we are obliged to also identify a condition for processing to collect and process that information. In this case we rely on (a) explicit consent, (b) employment, or (i) public health, depending on your role and the type of special category data we collect and process.

Website Users
If you have used the contact form on our website to make an enquiry, we collect the information that you provide to us directly.

Enquiries
If you contact us directly via phone or other communication channels, we collect the information that you provide us with.

In both cases, we rely on ‘consent’ as a legal basis for collecting your information, as you have voluntarily provided us with the information.

We will not contact you for marketing or any purpose other than to respond to your enquiry. However, where there may be a legitimate interest, we may contact you about other services that we provide. When we do this, we carry out a ‘legitimate interest’ test before we do so. You can find out more information here. In this case we will use ‘legitimate interest’ as the legal basis for processing your information.

Service users
Where you engage us under a service contract, the legal basis we use to collect your staff/stakeholder information is contract.

As Data Processors
As a data processor we will process personal details and special category data on behalf of our clients, for which they have identified their legal basis which is transferred over to us, including any legal obligations and security measures that the data controllers have.

Consent
Where we rely on consent and explicit consent as a legal basis and condition for processing, you can ask us to delete/amend/give you access to your information at any point.

If you do not provide your data to us
One of the reasons for processing your data is to allow us to carry out our duties in line with our relationship with you, i.e. a service contract or your contract of employment. If you do not provide us with the data needed to do this, we may be unable to perform those duties, e.g. ensuring you are paid correctly or delivering our service.

International Transfers

We do not normally transfer data outside the European Economic Area (EEA). Where there is a specific service need for data to be transferred to the EEA through a third party, we will ensure that we and they put appropriate safeguards in place and adhere to all relevant legislation and regulations. Where information is transferred outside of the UK but within the EEA, we will abide by EU GDPR as well as UK GDPR.

Information Sharing

We will only share information with other services or professionals to support the provision of our services and/or our contract with you and therefore under UK GDPR they are considered data processors. We have data processing agreements in place with any party whom we share information with, to ensure compliance with the data protection laws and regulations.

We will only share information where we have a legal basis or obligation to do so.

Security

PSS and PCC take the privacy and security of individuals and their personal information very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction.

All our information systems are implemented with robust information security safeguards to protect the confidentiality, integrity, and availability of personal information.

All staff are legally bound to respect client/patient/stakeholder confidentiality and receive training to ensure they are aware of, and up to date with, their responsibilities surrounding information governance standards. Any breach of confidentiality is treated very seriously and could result in disciplinary action for the member of staff involved, including dismissal.

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

We are currently undertaking a Paperless Project in order to digitise our collection and processing of data. Whilst we undertake this exercise, we may be holding your data on paper and/or digitally.

Where we hold paper records, these are stored safely and securely in our offices with limited access to those that require access.

Retention

We and our system providers will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Where we are commissioned by public authorities, we respect their processes with regards to record retention. Due to working within various professional services, we need to be mindful of guidance from professional bodies and adhere to their relevant retention policies and schedules.

If you would like to see a copy of our retention schedule, please email us.

Your Rights

Under data protection law you have certain rights that you can exercise in regard to your personal data; these are outlined below. These are not absolute rights and may be subject to exemptions. At the end of this section we have added a link to the ICO website where you can find out more information about exemptions and information rights.

In order to make an information rights request, please contact us.

You have:

  1. The right to be informed
    The right to be informed encompasses the obligation to provide clear and concise ‘fair processing information’, which we do through our privacy notice. It emphasises the need for transparency over how we use personal data. We therefore publish our Privacy Notice on our public webpage and aim to make it easily accessible.
  2. The right of access
    You have the right to access and request a copy of the information we hold about you, both on paper and electronically unless the information or part thereof is considered to have the potential to cause mental or physical harm to the individual or someone else.
  3. The right to rectification
    You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. Individuals can use their right to rectification to request sections of their records are amended or removed. Additionally, this right can be exercised if the individual believes information has been omitted and requires inclusion on their record. This is not an absolute right and pertinently, it must be recognised that clinical opinion is subjective and thus we reserve the right to refute any request deemed inappropriate.
  4. The right to erasure
    You have the right to request that organisations erase personal data about you that they hold. This is not an absolute right however, and depending on the legal basis that applies, an organisation may have overriding legitimate grounds to continue to process the data such as if you are a patient and your request is in relation to your health record. We cannot delete health records or information within a record unless they require rectifying.
  5. The right to restrict processing
    You have the right to request that we restrict processing of personal data about you that we hold. You can ask us to do this for example where you contest the accuracy of the data. We will restrict processing of your personal data whilst we consider its accuracy or the legitimate grounds for processing the personal data in question.
  6. The right to data portability
    You have the right to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  7. The right to object
    You have the right to object to:
    • processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
    • direct marketing (including profiling); and
    • processing for purposes of scientific/historical research and statistics.
  8. Rights in relation to automated decision making and profiling
    The UK GDPR applies to all automated individual decision-making and profiling. Article 22 of the UK GDPR has additional rules to protect individuals if an organisation is carrying out solely automated decision-making that has legal or similarly significant effects on them. The processing is defined as follows:

    Automated individual decision-making is deciding solely by automated means without any human involvement. Examples include an online decision to award a loan, or a recruitment aptitude test that uses pre-programmed algorithms and criteria. Automated individual decision-making does not have to involve profiling, although it often will do.

    Profiling is automated processing of personal data to evaluate certain things about an individual. It includes any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

There are exemptions to some of your rights. To find out more please visit the ICO website:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/right-of-access/what-other-exemptions-are-there/

Cookies

What cookies are
Cookies are simple text files that are stored on your computer or mobile device by a website’s server. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier, the website’s domain name, and some digits and numbers.

Consent
We need your consent in order to use these cookies and consent is sought as soon as you visit our website. Should you reject cookies that are necessary to run the website, you may not be able to use it. There is no obligation to accept non-essential cookies.

What types of cookies do we use?
We use necessary and analytics cookies on our website.
You can accept, decline or change your settings at any time you visit our website; however, we will only ask you for consent the first time and every time we make major changes to our website.

Necessary cookies are required to use the basic functions and features of our website and allow us to offer you the best possible experience when accessing and navigating through our website.

Analytics cookies are cookies that track how users navigate and interact with a website. The information collected is used to help the website owner improve the website.

How to delete cookies or change preferences
If you want to restrict or block the cookies that are set by our website, you can do so through your browser settings or our cookie settings widget. Alternatively, you can visit www.internetcookies.com, which contains comprehensive information on how to do this on a wide variety of browsers and devices. You will find general information about cookies and details on how to delete cookies from your device.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us via Raj Chima (rchima@psecure.co.uk).

You also have the right to complain to the ICO if you are unhappy with how we use or have used your data.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
Website: https://ico.org.uk

This privacy statement was reviewed on 27 July 2023. We review our privacy statement annually or as and when relevant and applicable legislation and guidance changes and where our processes change.
Currently we will review this policy more regularly as we move from paper records to digital records.