At the Apuldram Centre we, as the Data Controller, are committed to safeguarding and preserving your privacy and personal data. This notice explains what happens to any personal data that you provide to us and has been updated to comply with the new legislation called the General Data Protection Regulation (GDPR) which comes into effect on 25th May 2018. We do update this notice from time to time so please do review this notice regularly.
To support NHS Test and Trace (which is part of the Department for Health and Social Care) in England, we have been mandated by law to collect and keep a limited record of customers who come onto our premises for the purpose of contact tracing.
By maintaining records of customers and sharing these with NHS Test and Trace where requested, we can help to identify people who may have been exposed to the coronavirus.
As a customer of the Apuldram Centre Shop-Café you will be asked to provide some basic information and contact details. The following information will be collected:
• the names of all customers, or if it is a group of people, the name of one member of the group
• a contact phone number for each customer, or for the lead member of a group of people
• date of visit and arrival time and departure time.
The establishment, as the data controllers for the collection of your personal data, will be responsible for compliance with data protection legislation for the period of time it holds the information. When that information is requested by the NHS Test and Trace service, the service would at this point be responsible for compliance with data protection legislation for that period of time.
The NHS Test and Trace service as part of safeguarding your personal data, has in place technical, organisational and administrative security measures to protect your personal information that it receives from the establishment, that it holds from loss, misuse, and unauthorised access, disclosure, alteration and destruction.
NHS Test and Trace have asked us to retain this information for 21 days from the date of your visit, to enable contact tracing to be carried out by NHS Test and Trace during that period. We will only share information with NHS Test and Trace if it is specifically requested by them.
For example, if another customer at the Shop-Café reported symptoms and subsequently tested positive, NHS Test and Trace can request the log of customer details for a particular time period (for example, this may be all customers who visited on a particular day or time-band, or over a 2-day period).
Under government guidance, the information we collect may include information which we would not ordinarily collect from you and which we therefore collect only for the purpose of contact tracing. Information of this type will not be used for other purposes, and NHS Test and Trace will not disclose this information to any third party unless required to do so by law (for example, as a result of receiving a court order). In addition, where the information is only collected for the purpose of contact tracing, it will be destroyed by us 21 days after the date of your visit.
However, the government guidance may also cover information that we would usually collect and hold onto as part of our ordinary dealings with you (perhaps, for example, your name, date of birth and phone number). Where this is the case, this information only will continue to be held after 21 days and we will use it as we usually would, unless and until you tell us not to.
Your information will always be stored and used in compliance with the relevant data protection legislation.
The use of your information is covered by the General Data Protection Regulations Article 6 (1) (c) – a legal obligation to which we as an establishment are subject to. The legal obligation to which we’re subject, means that we’re mandated by law, by a set of new regulations from the government, to co-operate with the NHS Test and Trace service, in order to help maintain a safe operating environment and to help fight any local outbreak of corona virus.
When someone visits our website we use a third party service, Google Analytics, to collect standard internet information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone and the IP address information is anonymised.
In visiting our website, we may collect and process the following data about you:
- Information provided voluntarily by you. For example, when you register for our newsletter
- Information that you provide when you communicate with us by any means.
You can adjust the settings on your computer to decline any cookies if you wish. This can be done within the “settings” section on your computer.
Third Party Links
On occasion we include links to third parties on our website. Where we provide a link it does not mean that we endorse or approve that site’s policy towards visitor privacy. You should review their privacy notice before sending them any personal data.
We use a third party provider, Mailchimp, to deliver our e-newsletters. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter.
We use a third party provider, Hootsuite to manage our social media interactions.
If you send us a private or direct message via social media the message will be stored by Hootsuite for 6 months. It will not be shared with any other organisations.
All incoming and outgoing emails are stored on our Microsoft Office 365 hosted service.
We monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.
We use CCTV across the Day Centre site of the Apuldram Centre. The CCTV data is only used for security and safety purposes. The images captured by the CCTV system will be retained for a maximum of 28 days, except where the image identifies an issue and is retained specifically in the context of an investigation/prosecution of that issue.
Members of our 100 Club monthly draw have their contact and bank details stored securely, so that we can contact them if they win a prize and to make the payment of that prize to their bank accounts.
Customers of our contract gardening service have their contact details stored securely, so that we can perform the gardening service, contact them if necessary if arrangements need to change and also for invoicing them for the service.
Complaint and Enquiry Processes
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. We will only use the personal information we collect to process the complaint.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for either two years from closure, or, if appropriate, two years after the person has left our care and support provision. It will be retained in a secure environment and access to it will be restricted.
Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.
If you want to make a complaint about the way we have processed your personal information, you can contact the Information Commissioner’s Office (ICO), the organisation which oversees data protection law, at https://ico.org.uk/concerns
All of the information you provide during the process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
We will ask you for your personal details including name and contact details. We will also ask you about your employment history, your education and training, your driving licence details, your referees, a criminal records declaration to declare any unspent convictions and your right to work in the UK.
We might ask you to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information is held by the Apuldram Centre.
If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff, their right to work in the United Kingdom and seek assurance as to their trustworthiness, integrity and reliability.
You will therefore be required to provide:
- Proof of your identity – you will be asked to attend our office with original documents, we will take copies
- Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies
- We use a third party provider, ARC, to complete an application for an enhanced disclosure check on yourself using the Disclosure and Barring Service, which will also verify your declaration of unspent convictions
- We will contact your referees, using the details you provide in your application, to obtain your references.
If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- General Practitioner’s details – in case we need to contact them
- Emergency contact details – so we know who to contact in case you have an emergency at work.
Final recruitment decisions are made by the hiring managers. All of the information gathered during the application process is taken into account.
You are able to ask about decisions made about your application by contacting the hiring manager.
If you are unsuccessful for the position you have applied for, we may ask if you would like your details to be retained in our talent pool for a period of six months. If you say yes, we may proactively contact you should any further suitable vacancies arise.
Information Retention Period
If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 6 years following the end of your employment. This includes your criminal records declaration, fitness to work, records of any security checks and references.
If you are unsuccessful at any stage of the process, the information you have provided and any information generated throughout the assessment process, for example interview notes, will be retained for 6 months from the closure of the campaign.
Payroll and Pension Services
If you are employed by the Apuldram Centre, relevant details about you will be provided to HJS who provide payroll and pension services to the Apuldram Centre. This will include your name, bank details, address, date of birth, National Insurance Number and salary.
You will be auto-enrolled into the NEST stakeholder pension scheme if you meet the qualifying criteria.
For some vacancies, we may advertise through a third party recruitment agency. They will collect the application information and might ask you to complete a work preference questionnaire which is used to assess your suitability for the role you have applied for, the results of which are assessed by recruiters. Information collected by them will be retained in line with their retention periods.
Data processors are third parties who provide elements of our service for us. We have contracts in place with our Data Processors, which means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct.
Under the General Data Protection Regulations you have rights as an individual which you can exercise in relation to the information we hold about you.
You can read more about these rights here:
Access to Personal Information
The Apuldram Centre tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form.
To make a request to the Apuldram Centre for any personal information we may hold you need to put the request in writing addressing it to our Data Protection Officer using the address provided below. We may charge a small administration fee to process this request.
If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.
If we do hold information about you, you can ask us to correct any mistakes by contacting the Data Protection Officer.
Disclosure of Personal Information
In many circumstances we will not disclose personal data without your consent, however, when we investigate a complaint or a safeguarding concern, for example, we may need to share personal information with the person concerned.
Where it is legally required or necessary, we may share your personal data with:
- West Sussex County Council – to meet contractual and safeguarding requirements
- Our regulator CQC – to allow them to undertake their inspection work
- Our auditors – as required as part of their audit processes
- Police forces, courts, reconciliation services, tribunals – to assist in their work
- The DBS – in respect of our safeguarding responsibilities
- Suppliers, designated professionals and service providers – to enable them to provide their service.
We will not share any of the information you provide with any third parties for marketing purposes.
We may process your personal information using web services hosted outside the European Economic Area (EEA), but the organisations we use for this are compliant with GDPR. The information you provide will be held securely by us and/or our Data Processors, whether the information is in electronic or physical format.
If you want to request further information about our Privacy Notice you can either email us at email@example.com or write to the Data Protection Officer at:
The Apuldram Centre
Appledram Lane South
We keep our Privacy Notice under regular review and it was last updated on 27th October 2020.