Capital Carers will adhere to the following principles regarding your personal information:
- When we ask for your personal information, we will:
- Ensure you know why we need it
- Protect it and make sure the only people who can access it are those who need to do so
- Inform you of your choices about the information you give us and how it is handled
- Occasionally remind you about the information we hold on you to make sure it stays accurate and up to date, and that you’re still happy for us to have it
- Tell you if we need to share it with other organisations in order to ensure you get the service you require
- Make sure we don’t keep it any longer than is necessary
- In return, we ask you to:
- Give us true and accurate information
- Tell us as soon as possible of any changes to your personal information
- Tell us as soon as possible if there are any mistakes in the information we have about you so we can keep our information reliable and up to date
- At any time, you can ask us for further details on:
- Any agreements we have with other organisations for sharing information
- When we might be required to pass on information without telling you, for example, when a child is in need of protection, to prevent/detect crime, etc.
- Our instructions to staff on proper collection, use and deletion of your personal information
- How you can challenge the accuracy and use of the information we have about you
- How to get a copy of the information we hold about you
Types of data we collect
In order to deliver our services, we need to know who you are, how to contact you, and what kind of help you need from us. This means we need to handle personal information from you to be able to provide our services. The first time you meet us, one of our staff will give you a service-specific privacy and consent statement outlining the basic principles detailed above and asking for your consent to share your data with any other organisations needed to provide the best service we can. The staff member will explain the details of how your data will be used in the specific services you are interested in, and how and why it might be shared should you give us permission to do this. You can consent for us to share your data with anyone on a “need to know” basis, or to keep your information strictly private within our organisation. You may also give us qualified permission, where we can share your data with anyone on a “need to know” basis, excluding a list of named organisations, which we will require your separate and specific consent to share your data with.
Services provided to adults are varied, but examples of the data we hold may include your personal contact details (home address, telephone number and email address), date of birth, cohabitants’ names, emergency contact details, GP registration details, details of any medical conditions, medications or treatments being taken, dietary needs, risk assessments, personal history, hobbies and interests, personal preferences, financial situation, details of other professionals you have contact with, and information relating to your service assessment and personal outcome plan.
This covers all services offered to under 16’s. The same conditions apply to children’s services as to adult’s services, but additional details will be recorded including the child’s school and contact details for a parent or guardian.
Lawful Basis for Processing
Data protection law requires that we have a “lawful basis” for gathering, holding and processing your data. There are a number of valid reasons provided for in the law, and all of them are used by us in various situations, but the most important bases are legitimate interests, consent and legal obligations/vital interests. Our basic process is as follows:
- Referral – This includes both “Self-Referral” (where you have contacted us yourself) and “Third-Party Referral” (where another person or organisation has provided us with your contact details). We will contact you within 14 days of receiving a referral in order to confirm whether you are interested in receiving our services. If you decline our services at this stage, you will have the choice of asking us to contact you again at a future time of your choosing – in which case your details will be retained by us in order to fulfil your request. Alternatively, you may decline our offer, in which case by default, we will retain your details in order to prevent any further contact from potential future referrals. If you choose, you may ask us to dispose of your details permanently, but in this case, we may be unable to avoid further contact should a future referral be received. For all above purposes, legitimate interests are the lawful basis for us collecting, holding and processing your details, as we need to handle your data in this way in order to establish whether your referral is appropriate and how to proceed.
- Service Provision – This refers to the data we gather in the initial meeting, as well as the additional data we gather throughout the duration of our service delivery. In your initial meeting, your practitioner will explain what data we will be gathering as well as how and why it will be used, as well as the various legal bases for each piece of information gathered – you will then be given a service-specific privacy and consent statement which you will be asked to sign to indicate your consent to us gathering your data in this way. During this time we will make every effort to ensure your details remain up to date and accurate, and you will be periodically given the opportunity to review the data we hold on you and confirm its accuracy. If consent is withdrawn, any details held on that basis will be removed from our records immediately. Data held on the grounds of legitimate interests may be removed on request, unless there is a clear and valid reason for their continued retention – this will usually only be the case when there is a parallel basis for holding the information on the grounds of legal obligations and/or vital interests (e.g. service notes concerning disclosure to a member of our staff of an incident in which a person was harmed), in which case, you will receive a response from us informing you of our decision, and the full basis upon which your data is being held.
- End of Service – One way or another, the service we provide to you will eventually come to an end. Our next steps will normally be the same regardless of the way in which our relationship comes to a close. We will retain all of the data concerning our work with you for a minimum of two years after that point (the “retention period”), although we may be required to retain some information for longer than this by law. The specific retention periods for each type of data we hold can be found in our data retention policy. After the retention period for a particular piece of personal information has passed, the data will be destroyed securely. Data held on the grounds of consent may be destroyed before the conclusion of the retention period upon your request, and some data held on other grounds may also be deleted upon request, subject to review. Data held on the basis of legal obligations or vital interests may not be destroyed early under any circumstances.
Capacity and Consent
Wherever consent is used as grounds for gathering, holding and processing personal information, we will take steps to ensure that the person providing that information has “legal capacity” to do so. This basically means that we will try to ensure that you are aware and fully capable of understanding your rights regarding your data. The two main cases we check for reduced capacity are minority (individuals below the age of 16) and adult incapacity (individuals above the age of 16 who are subject to an active Power of Attorney or Guardianship Order). In each of these cases, additional or alternative consent may be sought from your legal guardian (e.g. a parent, guardian or attorney) before any action will be taken regarding your data. If the legal guardian chooses to withhold their consent and we believe you have indicated that you would prefer it to be provided, we will examine what alternative options may be available, including avoiding the gathering of data subject to consent, amending the details we hold on record to satisfy a guardian’s demands, pursuing an alternative guardian for consent, or bypassing consent requirements by gathering the data on an alternative basis (e.g. in certain situations where a child has a legal right to access our support regardless of parental consent, we could alternatively gather and process the child’s data on the basis of legitimate interests).
Photography and recorded images
We take photographs and record audio and video images at many of our events in order to promote our organisation, its services, and the role of unpaid carers in Edinburgh. We will always ask your permission before taking a photograph or making a recording which features your likeness in a way that could make you personally identifiable.
At every event where such images and recordings are being made, we will provide release forms which you may choose to sign. These forms give us explicit permission to use any and all images and recordings from that specific event for the purposes of promoting our organisation and its cause. If you choose not to sign a release form, we will do our best to avoid capturing your likeness in any of the media recorded at the event, and will make sure any accidental recordings or images are edited to remove your likeness or render it unrecognisable before using the media in publicly. If you change your mind during the event, you may request a release form at any point.
Likewise, if you choose to sign a release form and then later change your mind and decide to withdraw your permission, we will honour your request to the best of our ability. If you tell the staff at the event that you want to withdraw your permission, they will return your release form to you and will do their best to exclude you from any future recordings or photographs from the event. If you contact us at a later date (after the event) then we may not be able to prevent your image from being used publicly, as it may already have been used for promotional purposes, but we will make sure that any images associated with the event in question (that include a recognisable likeness of you) are removed from our media library so that they cannot be used in any future promotional media.
Capital Carers, like many other organisations, uses social media to keep in touch with our members and followers, as well as using it to reach new carers and help them to find out more about us and the services we offer. Our social media use adheres to the following principles:
- We do not use social media to track our members or the people who visit our page elsewhere on the web.
- We don’t report on or record social media interactions outside of the specific platform on which they occurred.
- All statistics taken from social media are 100% anonymised – we never report on individual activities, especially not if they could identify the person/people involved. The only exception to this is where we have a legal or ethical obligation to disclose (e.g. if a child is suspected of using our social media channels to bully another child in a young carers group)
- All people using social media to communicate with us are assumed to have permission to do so. We are not responsible for ensuring you comply with a given social network’s terms of service or other rules governing access and use of their service.
- Social media is not an official means of correspondence with Capital Carers – we make no guarantees about the availability, features or degree of privacy afforded by the social networks we use. It is up to you to decide whether to use a given social network or not, and use of a social network is at the users own risk.
In order to make it easier for you to manage multiple different services from ourselves and other organisations, Capital Carers may make and receive referrals on your behalf. We will always ask your permission before making a referral, and in each case you will be told what information will be included in the referral, which organisation the referral is being sent to.
Similarly, whenever we receive a referral, we will make sure that the referring organisation has permission to send us your details, and we will only use those details in order to contact you with more information about our services and to discuss how we can help you further. If you decide against using our services, we will offer to remove your details from our records, or to retain them in order to manage future contact with you. Please note that if you choose to have us remove your contact details from our records completely, we may still contact you again in the future if another referral is received. Alternatively, we can retain your details and make a note in our records regarding your contact preferences to prevent us from getting in touch again.
Like many charities, we work closely with a number of funding bodies and partner organisations (such as the City of Edinburgh Council) to deliver our services. From time to time, these organisations may request data on the people we provide services to. In these cases, any data we provide will be fully anonymised, except where we have asked for and obtained your explicit permission to share personally identifiable information. We will only share personally identifying information where necessary, and only with organisations you have explicitly authorised us to share your information with.
In some situations, especially where our staff feel there is or may be a risk of harm to yourself or another individual, or where they are under a legal obligation, our staff may use their professional judgement to pass information to a third-party without first seeking consent. In these cases, information will only be shared with an appropriate agency (such as Police Scotland or Social Care Direct) who can provide support regarding the issue at hand, and the information transferred will be kept to the minimum amount possible and used only for the sole purpose of reducing the risk of harm to yourself and others and/or fulfilling our obligations under the law.
Accessing your information
You are entitled to view, amend, or delete the personal information that we hold. Email your request to our team at firstname.lastname@example.org, call us on 0131 315 3130, or pop in to see us at our office in the Prentice Centre, 1 Granton Mains Avenue, EH4 4GA. Please note that we aim to respond to all requests within 1 working day of receiving them, but in some cases it may take us a little longer, particularly if you use more than one of our services. We promise to keep you fully informed of the progress of your request and to let you know if there are any issues or if we need more information to fulfil it.
Capital Carers Ltd. is registered with the ICO as a Data Controller under the Data Protection Act 1998.
Our appointed Data Protection Officer is Scott Williams.
This document was adopted on 25/05/2018.
Last reviewed 25/05/2018.
Next review due 18/06/2018.