PRIVACY NOTICE FOR WILLIAM SIMPSONS SERVICE USERS, THEIR RELATIVES AND GUARDIANS AND MEMBERS OF THE PUBLIC

What is the purpose of this document?

We are committed to protecting the privacy and security of your personal data.

This privacy notice describes how we collect and use personal data about you during and after your working relationship with us, in accordance with data protection legislation.

This notice applies to all personal data processed by William Simpsons. It will apply to you if you:

  • Use our services.
  • Visit our Main Home or Respite Centre.
  • Receive care from our Day Care Centre.
  • Communicate with William Simpsons in person, by telephone, or in writing.
  • Visit our website (https://www.williamsimpsons.org.uk).
  • Have your personal data processed by us for any other purpose.

Whenever we collect your personal data, we will respect your right to privacy, and we undertake to collect only the information we need to provide the best standards of care and service and to ensure your personal data is retained securely until it is no longer required.

The information we collect will be used only in accordance with applicable data protection laws, including the Data Protection Act 2018 (“DPA 2018”), the General Data Protection Regulation (EU 2016/679) (“GDPR”) (to the extent that the GDPR shall continue to have force following exit of the UK from the EU) together with all applicable legislation, regulations, guidance and codes of practice in force from time to time relating to the processing of personal data and the privacy of individuals in the UK (together, the “data protection laws”).

This notice explains who we are, what data we collect, how we collect, use and store your personal data, the purpose for which it is collected, who we share it with and what rights you have in relation to our handling of your personal data.

We may update this notice at any time but if we do so, we endeavour to provide you with an updated copy of this notice as soon as is reasonably practical.

Who we are

William Simpsons is a Scottish charity with registered number SC000485 and a Scottish company limited by guarantee with company number SC377149. Our registered office is at Main Street, Old Plean, Stirling, FK7 8BQ.

We are a “data controller” of all personal data collected and used for the purposes set out in this privacy notice. This means that we are responsible for deciding how we hold and use personal data about you. This privacy notice makes you aware of how and why your personal data will be used. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information and what your rights are under data protection legislation.

Data protection principles

We will comply with data protection law. This says that your personal data must be:

  1. Used lawfully, fairly and in a transparent way.
  2. Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  3. Relevant to the purpose we have told you about and limited only to those purposes.
  4. Accurate and kept up to date.
  5. Kept only as long as necessary for the purposes we have told you about.
  6. Kept securely.

The kind of data we hold about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

There are special categories of personal data that require a higher level of protection, such as data about a person’s health, sexual orientation or criminal convictions.

If you are a service user:

We will collect, store and use the following categories of personal information about you:

  • Personal identifiers, such as your name, address, date of birth, your national insurance number and CHI number.
  • Reports and information about you from your social worker and/or local authority, and doctors and medical practitioners.
  • Your next of kin or emergency contact.
  • Financial information, which may include your bank account details, military service information for grant purposes, pension details, DWP pension and support payments and financial assessment details.

If you are a relative, guardian, attorney or advocate of a service user:

We may need to collect some of the following categories of personal data about you:

  • Your name, address and contact details including telephone and email address.
  • Your relationship to the service user.
  • If you are a financial and/or welfare guardian, a copy of the Office of the Public Guardian paperwork.
  • If you are acting under a power of attorney, a copy of the legal paperwork.

If you donate to WS or are involved in our fundraising:

We may collect some or all of the following categories of personal data about you:

  • Your name, email and contact address.
  • Any relationship you have to a service user or to WS that you tell us about.

If you provide services to William Simpsons:

We may collect some or all of the following categories of personal data about you:

  • Name, contact address and telephone number.
  • Your bank account details.
  • Where necessary, any data relating to checks, criminal records, references and ID verification.
  • Insurance details.

If you send an enquiry, visit us or get in touch:

We may collect some or all of the following categories of personal data about you:

  • Your IP address where you make an online enquiry.
  • Your name and contact information including email address, telephone number and contact address.
  • Other information you provide relating to your query or communication.

For information on the terms and conditions of our website: Terms and Conditions

Data collected from other sources

We may also collect information about you from other sources or persons who are authorised or are required by law to share the information with William Simpsons, or where you provide your consent to share your personal data. This may include:

  • If you are a service user: your representatives, relatives, general practitioner and other health professionals, social worker, local authority or other person with whom William Simpsons engages to provide the service to you.
  • For both relatives and service users: examples may include your lawyer, care provider, MP or other professional advisor or advocate.
  • Governmental bodies such as the Department of Work and Pensions.
  • Where you are a veteran, the Armed Services.
  • Any supplier or service provider engaged by us or on your behalf in relation to the service.

The above are examples and not an exhaustive list. For further information, please contact us using the details below.

Special category personal data

We may also process special category personal data relating to you as is necessary to provide our services or for the establishment, exercise or defence of legal claims.

This includes the following personal data revealing:

  • Religious or philosophical beliefs, for the purpose of arranging activities or outings and funeral plans.
  • An individual’s health for care planning purposes.
  • A natural person's sex life or sexual orientation for care planning purposes.
  • Criminal convictions or offences for care planning purposes.

We ensure that we meet all legal requirements in relation to the collection, use and storage of any special category personal data, including any additional protections or measures that may be required.

How we will use your personal data

We will use your personal data only when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  1. Where we need to perform the contract we have entered into with you.

  2. Where we need to comply with a legal obligation.

  3. Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests.

  4. Where we need to protect your interests (or someone else’s interests).

  5. Where it is needed in the public interest or for official purposes.

Situations in which we will use your personal data

The situations in which we will process your personal data are listed below.

  • Making a decision about your care and needs and providing our service.
  • Administering funding for our services.
  • Liaising with local authorities, health care professionals, service providers and our other partners who support William Simpsons services.
  • Arranging any follow on care package for service users.
  • Working with suppliers providing products or services relating to your care.
  • Engaging with representatives of service users – guardians, next of kin, attorneys and advocates.
  • Facilitating birth or death certificates with the Registrar.
  • Assisting with funeral arrangements.
  • Engaging with and reporting to professional and regulatory bodies such as the CI or OSCR.
  • Business management and planning, including accounting and auditing.
  • Conducting performance reviews, risk assessments, audits and determining performance requirements.
  • Dealing with legal disputes involving you, or other service users or their relatives or representatives, or our staff.
  • Contacting you when you get in touch, or provide consent for direct communications.

If you fail to provide personal information:

If you fail to provide certain information when requested, we may not be able to perform the respective contracts we have entered into with you or the service user, or we may be prevented from complying with our respective legal obligations to you or a service user.

Protection of your personal data

The Data Protection Laws are clear: the protection of personal data is paramount. As a result, we must meet certain clear and robust obligations. In short, your personal data must be:

  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.
  • Relevant to the purposes we have told you about and limited only to those purposes.
  • Used lawfully, fairly and in a transparent way.
  • Accurate and kept up to date.
  • Kept only as long as necessary for the purposes we have told you about; and
  • Kept securely and protected against unauthorised or unlawful use and against loss, destruction or damage using appropriate technology and procedures.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you where this is required or permitted by law.

Special Category (Sensitive) Personal Data

Additional rules apply to “Special category personal data” that is particularly sensitive information under the Data Protection Laws. Special category personal data means data about you that relates to your religious or philosophical beliefs, health conditions, data concerning your sex life and sexual orientation and data concerning criminal convictions or offences. These categories all require higher levels of protection.

We treat your sensitive personal data with particular care. It is essential that we have such data, particularly data about health conditions, to provide care to service users. William Simpsons have in place appropriate safeguards which we are required by law to maintain when processing such data.

We may process special category personal data in the following circumstances:

  1. For the provision of health and social care and the management of health and social care services and assessment of service users’ capacities and needs.

  2. When it is necessary for reasons of public health including ensuring high quality care standards.

  3. To protect your vital interests in the event of a medical or other emergency or to protect your vital interests or those of another individual where you or the other individual is incapable of giving consent.

  4. The processing is necessary for reasons of substantial public interest.

Less commonly, we may process this type of information where it is needed in relation to legal claims or where you have already made the information public.

We will hold and process data about criminal convictions given the nature of our service and maintain appropriate safeguards to protect such data from wrongful disclosure.

Do we need your consent?

We do not need your consent if we process special categories of your personal data in accordance with our written policy to carry out our legal obligations or exercise specific legal rights which are outlined above. In limited circumstances, we may approach you for your written consent to allow us to process such data. If we do so, we will provide you with full details of the data that we would like to process and the reason for doing so, to allow you to carefully consider whether you wish to consent. You should be aware that it is not a condition of any contract you have with us that you agree to any request for consent from us.

Sharing personal data with third parties

We may have to share personal data with third parties, including third-party service providers.

We require all third parties with whom we need to share any data to respect the security of your personal data and to treat it in accordance with the law.

Why might we share personal data with third parties?

We will share personal data with third parties where required by law, where it is necessary to perform our contract and our obligations to you or where we have another legitimate interest in doing so.

Which third-party service providers process your personal data?

“Third parties” may include third-party service providers (including contractors and designated agents), professional advisors, local authorities and regulatory bodies. This shall include processing by the following third parties for the following purposes:

  • Local authorities, the DWP and the military – for funding reasons.
  • Regulatory bodies – for ensuring compliance and the safety and welfare of service users.
  • HMRC – for taxation purposes.
  • Private pension providers.
  • Governmental and judicial authorities such as the courts, tribunals and the police – in the event of criminal investigation or legal claims.
  • Researchers, providers of statistical or analytical services – for reviews, planning and assessment (and we will in such cases anonymise all data where possible prior to sharing).
  • Service providers who provide services essential for the running of our business and provision of our services.

We will share personal data regarding your participation in line with our policies. When we need to share your personal data with third party service providers, we do not allow the service provider to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions and provided that they apply appropriate measures of security that comply with our policies and the Data Protection Laws.

Data Security

We have put in place and shall maintain appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. All paper files are kept in locked secure cabinets when not in use and personal data stored electronically is protected by up-to-date IT security software. We ensure that we update our systems to continuously improve security and resolve any issues which may or could occur, and comply with guidance of our regulators.

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. All our staff are required to undergo and complete training and are obliged to ensure the highest levels of confidentiality. Only persons authorised to enter our Care Home and Respite and Day Care Centre may do so and are required to notify their identity and follow our security procedures and requirements for entry.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. Please contact our Business Manager if you have any queries on our personal data breach procedures.

Retaining your personal data

How long will we use your personal data for?

We only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements, or for defence or pursuit of a legal claim. Details of retention periods for different aspects of your personal information are available in our Data Retention Policy, which is available from the Business Manager.

To determine the appropriate retention period for personal data, we consider the relevant facts including the amount, nature and sensitivity of the personal data, the purposes for which we process or store that personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances and to the extent that this is possible, we may anonymise your personal data so that it can no longer be associated with you as an individual and can no longer be used to identify you, in which case we may use such data without further notice to you.

Once the purpose for which we collected your personal data is completed or at an end, or the data is no longer required, we will retain and where appropriate securely destroy your personal information in accordance with our data retention policy and applicable laws and regulations.

Rights of access, correction, erasure and restriction of personal data

Your duty to inform us of changes:

It is important that the personal information we hold about you or the service user for whom you are responsible is accurate and current. Please keep us informed if your personal data changes during your working relationship with us.

Your rights in connection with personal information:

Under certain circumstances, by law you have the right to:

  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact the Business Manager in writing.

No fee usually required:

You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

Your right to withdraw consent to processing

In the limited circumstances where you have provided your consent to the collection, processing and transfer of your personal data for a specific purpose, you may have the right to withdraw your consent for that specified processing at any time. To withdraw your consent, please contact the Business Manager. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data, unless we have another legitimate basis for doing so in law.

What we may need from you

We may need to request specific information from you or your nominated representative to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is an appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Data protection complaints

If you have any questions about this privacy notice or how we handle your personal data, please contact us. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (ico.org.uk).