LHCC Privacy Notice Policy
Last Updated: June 27, 2025
This legal document was produced and published by LHCC LIMITED and Care London Ltd. We control the copyright in this document. This document is subject to change without prior notice, but you will be informed of any significant changes we have made. You reserve the right to either accept or reject our new Privacy Policy.
The current version of our terms and conditions is available at: https://lhccgroup.co.uk/privacypolicynotice.
- Introduction
1.1 We are committed to safeguarding the privacy of our service users, staff members, Multi-Disciplinary Team (MDT) members, and other external associates.
1.2 This policy applies where we are acting as a data controller with respect to the personal data of our service users, staff members, and other associates. This means we determine the purposes and means of processing that personal data.
1.3 We do not currently use cookies on our public website. If, in the future, we need to use cookies that are not strictly necessary for the provision of our website and services, we will ask for your explicit consent to our use of those cookies when you first visit our website.
1.4 Our internal systems incorporate privacy controls that affect how we will process your personal data. By using these privacy controls, you can specify whether you would like us to electronically store and process certain aspects of your personal data. You can access these privacy controls via our intranet (Carex.lhcc.co).
1.5 In this policy, “we”, “us” and “our” refer to LHCC LIMITED and/or Care London Ltd. For more information about us, please see Section 10.
- How We Use Your Personal Data
2.1 In this Section 2, we have set out:
(a) the general categories of personal data that we may process;
(b) in the case of personal data that we did not obtain directly from you, the source and specific categories of that data;
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing.
2.2 Usage Data: We may process data about your use of our website and services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, and timestamp of your visits. We do not use any third-party analytics tracking systems for marketing or profiling purposes. This usage data is processed solely for the purposes of analyzing technical errors, managing access to our systems, and ensuring their security. The legal basis for this processing is our legitimate interests, namely monitoring and improving the technical performance and security of our website and tracking access to our intranet.
2.3 Account Data (Carex.lhcc.co): We may process your account data (“Carex data”). The account data may include your name and email address. The source of the account data is either you directly or LHCC Limited/Care London Ltd. The account data may be processed for the purposes of operating our website, providing our services, ensuring the security and integrity of our website and services, maintaining back-ups of our databases, and communicating with you. The legal basis for this processing is our legitimate interests, namely the proper administration and security of our website and business operations.
2.4 Specific Categories of Data Processing
Service Users
To provide a safe, professional, and high-quality service, we need to keep certain records about you.
What data do we have?
We may process the following types of data:
- Basic details and contact information: e.g., your name, address, date of birth, and next of kin.
- Financial details: e.g., details of how you pay us for your care or your funding arrangements.
We also record the following data, which is classified as “special category” data under UK GDPR, requiring additional protection:
- Health and social care data: This includes both your physical and mental health data, medical diagnoses, treatment plans, and care needs.
- Other special categories (where relevant and with appropriate legal basis): We may also record data about your race, ethnic origin, sexual orientation, or religion, typically for diversity monitoring, ensuring culturally competent care, or where directly relevant to your care plan.
Why do we have this data?
We need this data to provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.
We process your personal data because:
- Legal Obligation: We have a legal obligation to do so, generally under the Health and Social Care Act 2012, the Mental Capacity Act 2005, or other relevant UK health and social care legislation.
- Contractual Necessity: The processing is necessary for the performance of a contract for care services with you, or to take steps at your request before entering into such a contract.
We process your special category data because:
- Provision of Health and Social Care: It is necessary for the purposes of the provision of health or social care or treatment or the management of health or social care systems and services (UK GDPR Article 9(2)(h), Data Protection Act 2018 Schedule 1, Part 1, Paragraph 2).
- Social Security and Social Protection Law: It is necessary for reasons of substantial public interest, such as social security and social protection law (e.g., in safeguarding instances) (UK GDPR Article 9(2)(g), Data Protection Act 2018 Schedule 1, Part 2, Paragraph 6).
- Public Interest Obligations: We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations (UK GDPR Article 6(1)(e)).
- Explicit Consent: We may also process your data with your explicit consent. If we need to ask for your permission, we will offer you a clear choice and explain clearly what data we need, why we need it, and how you can withdraw your consent at any time.
Where do we process your data?
To provide you with high-quality care and support, we collect specific data from or share it with:
- You or your legal representative(s).
- Third parties with a lawful basis for sharing.
We collect this data face-to-face, via phone, email, our website, post, application forms, and our web applications, including Carex.
Third parties are organisations we may lawfully share your data with. These include:
- Other parts of the health and care system: Such as local hospitals, your General Practitioner (GP), pharmacies, social workers, Clinical Commissioning Groups (CCGs) (or their successor bodies), and other health and care professionals involved in your care.
- The Local Authority: For purposes related to social care, funding, or safeguarding.
- Your family or friends: With your explicit permission or where it is in your vital interests.
- Organisations we have a legal obligation to share information with: e.g., for safeguarding concerns, or the CQC.
- The police or other law enforcement agencies: If we are legally required to do so by law or court order.
Staff
To provide a safe and professional service and fulfil our employment obligations, we need to keep certain records about you.
What data do we have?
We may record the following types of data:
- Basic details and contact information: e.g., your name, address, date of birth, National Insurance number, and next of kin.
- Financial details: e.g., details so that we can pay you, insurance, pension, and tax details.
- Employment details: e.g., job title, employment history, performance reviews.
- Training records.
We also record the following data, which is classified as “special category” data or relates to criminal convictions:
- Health and social care data: This might include both your physical and mental health data (e.g., fit notes, occupational health assessments), but only if it is necessary for us to know as your employer (e.g., for reasonable adjustments, sick pay, or statutory maternity/paternity pay).
- Other special categories (where relevant and with appropriate legal basis): We may, with your permission, record data about your race, ethnic origin, sexual orientation, or religion for diversity monitoring purposes.
- Criminal records data: As part of your application, you may – depending on your job role – be required to undergo an enhanced Disclosure and Barring Service (DBS) check (Criminal Record Check). We process this data where it is necessary for compliance with a legal obligation to which we are subject, or for reasons of substantial public interest (e.g., safeguarding vulnerable individuals), under specific conditions set out in the Data Protection Act 2018. We will retain a copy of your DBS certificate only where legally permitted and necessary, and in line with DBS guidance.
Why do we have this data?
We require this data so that we can contact you, pay you, and ensure you receive the training and support needed to perform your job. By law, we need to have a lawful basis for processing your personal data.
We process your personal data because:
- Legal Obligation: We have a legal obligation under UK employment law (e.g., regarding tax, national insurance, health and safety).
- Contractual Necessity: The processing is necessary for the performance of your employment contract with us.
- Legitimate Interests: We have a legitimate interest in processing your data – for example, providing data about your training to Skills for Care’s Adult Workforce Data Set, which allows Skills for Care to produce reports about workforce planning and development.
- Public Interest Obligations: We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.
We process your special category data (e.g., health data for sick pay/maternity pay) because:
- It is necessary for the purposes of carrying out our obligations and exercising our specific rights or your rights in the field of employment and social security law (UK GDPR Article 9(2)(b)).
If we process your criminal records data (e.g., DBS checks), it is because we have a legal obligation to do this due to the type of work you do, as set out in the Data Protection Act 2018 (Schedule 1, Part 1, Paragraph 1 or 2) and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975.
We may also process your data with your explicit consent where no other legal basis applies. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm your consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
Where do we process your data?
As your employer, we need specific data. This is collected from or shared with:
- You or your legal representative(s).
- Third parties with a legal reason to share your data with.
We do this face-to-face, via phone, email, our website, post, application forms, and our web applications, including Carex.
Third parties are organisations we have a legal reason to share your data with. These include:
- Her Majesty’s Revenue and Customs (HMRC).
- Our pension scheme: Namely NEST Pension.
- Our external payroll provider: John Lennard’s Accountants.
- Organisations we have a legal obligation to share information with: e.g., for safeguarding, or the CQC.
- The police or other law enforcement agencies: If we are legally required to do so by law or court order.
- The DBS Service.
- Skills for Care: For workforce planning and development purposes (based on legitimate interests).
Friends/Relatives
As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:
- Basic details and contact information: e.g., your name, telephone contact, email address, and address.
Why do we have this data?
By law, we need to have a lawful basis for processing your personal data.
We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff. This is essential for effective communication and emergency response.
We may also process your data with your consent where no other legal basis applies. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm your consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Where do we process your data?
To provide high-quality care and support, we collect specific data from or share it with:
- You or your legal representative(s).
- Third parties with a legal reason to share your data with.
We do this face-to-face, via phone, email, our website, post, application forms, and web applications.
Third parties are organisations we have a legal reason to share your data with. These may include:
- Other parts of the health and care system: Such as local hospitals, the GP, pharmacies, social workers, and other health and care professionals (e.g., if you are a designated next of kin or emergency contact).
- The Local Authority: For purposes related to safeguarding or care coordination where you are involved.
- The Police or other law enforcement agencies: If we are legally required to do so by law or court order.
Our Website
To provide you with the best experience while using our website, we may display some information about service users, staff, families, friends, and other professionals. This will only ever be done with the explicit consent of the individuals concerned.
We may also publish blogs or vlogs featuring stakeholders, always with their explicit, informed consent.
2.5 Correspondence Data: We may process information contained in or relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication, mostly from emails and contact forms on our website. Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our website and business, and effective communication with users.
2.6 Hard Copies/Other Documents: We may process information sent or handed over to us in hard copies, pamphlets, or any other documents. Information received from professionals regarding service users may be archived or processed and uploaded onto our online platform (Carex). Any such processing will be carried out in accordance with the legal bases and purposes outlined in Section 2.4 for Service Users.
- The National Data Opt-Out
3.1 Compliance with National Data Opt-Out: LHCC LIMITED and Care London Ltd. are health and adult social care organisations in England and are therefore required to comply with the National Data Opt-Out policy. This policy gives individuals the choice to opt out of their confidential patient information being used for research and planning purposes.
3.2 What is the National Data Opt-Out? The National Data Opt-Out is a service that allows individuals to prevent their confidential patient information from being used for purposes beyond their individual care and treatment. This includes uses for research and planning across the health and social care system in England.
3.3 How to Exercise Your Opt-Out Choice: You have the right to make a choice about whether confidential patient information is used in this way. If you are happy for your information to be used for research and planning, you do not need to do anything. If you wish to opt out, you can register your choice at any time by:
* Visiting the NHS website: www.nhs.uk/your-nhs-data-matters
* Using the NHS App (look for “Your Health” and then “Choose if data from your health records is shared for research and planning”).
* Calling the NHS Digital contact centre on 0300 303 5678.
3.4 What the Opt-Out Applies To: The National Data Opt-Out applies to confidential patient information where its use is for purposes beyond your individual care and treatment, such as for research, planning, or improving health and social care services. It does not apply to information used for your individual care and treatment, or where there is a legal requirement or an overriding public interest in the disclosure (e.g., for public health purposes like managing infectious diseases).
3.5 Our Commitment: We are committed to upholding your National Data Opt-Out choice where it applies. We will ensure that any confidential patient information we share for research and planning purposes is checked against the National Data Opt-Out register and that your preference is respected.
- Providing Your Personal Data to Others
4.1 We may disclose your personal data to our branches and various projects within LHCC Group. This is done insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy. All internal sharing is subject to strict confidentiality agreements and access controls.
4.2 In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
4.3 We will not disclose any other information without your specific authorisation to members of the public or if you have instructed us not to share your data with specific individual(s), unless there is a legal obligation or overriding public interest requirement to do so (e.g., safeguarding). You can use the “contact us” form on our website or communicate via Carex to send in your instructions regarding data sharing.
- Retaining and Deleting Personal Data
5.1 This Section 5 sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
5.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
5.3 We will retain your personal data as follows, in line with statutory requirements and best practice for health and social care records:
- Service User Records (including basic details, financial, health, and social care data): Retained for a minimum period of 8 years after the last entry or the death of the service user, whichever is later. For service users who were children when they received care, records will be retained until their 25th birthday, or 8 years after their death if earlier. These periods align with the NHS Records Management Code of Practice.
- Staff Records (including basic details, financial, employment, training, and relevant health data): Retained for a minimum period of 6 years after the termination of employment, and for a maximum period of 10 years after termination, to comply with employment law, tax regulations, and pension requirements. Records related to occupational health or serious incidents may be retained for longer periods as legally required.
- Account Data (Carex – First name, Middle name, Last name, and email address): Will be retained for a minimum period of 5 years following your contract start date, and for a maximum period of 10 years following the termination of your contract or last active use, whichever is later.
- Correspondence Data: Retained for a period of up to 7 years, to ensure proper record-keeping for communications and potential legal claims.
5.4 In some cases, it is not possible for us to specify in advance the exact periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
(a) The period of retention of your personal data will be determined based on relevant UK legal and regulatory requirements (e.g., CQC guidance, employment law, tax law), industry best practices (e.g., NHS Records Management Code of Practice), and the necessity for the establishment, exercise, or defence of legal claims.
5.5 Notwithstanding the other provisions of this Section 5, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person, and to ensure the security and integrity of our online systems.
- Amendments
6.1 We may update this policy from time to time by publishing a new version on our website.
6.2 You will be notified of any significant changes we make, and you will have the opportunity to review and ensure you are happy with any changes to this policy before you are asked to accept the updated policy.
6.3 We will notify you of significant changes to this policy by email or through the private messaging system on our intranet (Carex).
- Your Rights
7.1 In this Section 7, we have summarised the rights that you have under UK data protection law (UK GDPR and Data Protection Act 2018). Some of these rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the Information Commissioner’s Office (ICO) for a full explanation of these rights.
7.2 Your principal rights under data protection law are:
(a) The right to be informed;
(b) The right of access;
(c) The right to rectification;
(d) The right to erasure (‘the right to be forgotten’);
(e) The right to restrict processing;
(f) The right to object to processing;
(g) The right to data portability;
(h) The right to complain to a supervisory authority (the ICO); and
(i) The right to withdraw consent;
(j) The right not to be subject to automated decision-making, including profiling.
7.3 Right of Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned, and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. You can access much of your personal data by visiting Carex.lhcc.co and selecting your profile page.
7.4 Right to Rectification: You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
7.5 Right to Erasure: In some circumstances, you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions to the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise, or defence of legal claims.
7.6 Right to Restrict Processing: In some circumstances, you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise, or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise, or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
6.7 Right to Object to Processing: You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
6.8 Right to Object to Processing for Research/Statistical Purposes: You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
6.9 Right to Data Portability: To the extent that the legal basis for our processing of your personal data is:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract,
and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used, and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
6.10 Right to Complain to a Supervisory Authority: If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. In the UK, this is the Information Commissioner’s Office (ICO). You may do so in the UK member state of your habitual residence, your place of work, or the place of the alleged infringement.
6.11 Right to Withdraw Consent: To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
6.12 How to Exercise Your Rights: You may exercise any of your rights in relation to your personal data by written notice to us, or directly from our intranet (Carex-MS) where applicable.
- Data Breaches
7.1 In the case of any personal data breach, we are required to notify the Information Commissioner’s Office (ICO) and, in some cases, the affected individuals.
7.2 The ICO will be notified of a breach where it is likely to result in a risk to the rights and freedoms of individuals – for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
If you would like to complain about how we have dealt with your request or our data handling practices, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://ico.org.uk/global/contact-us/
- Data Protection Officers
8.1 We have a Data Protection Officers (DPOs) who are responsible for data protection compliance across the organisation:
- Our Details
9.1 This website is owned and operated by LHCC LIMITED.
9.2 We are registered in England and Wales under company registration number 04199578, and our registered office is at 4 Gainsborough Rd, Leytonstone, London, E11 1HT.
9.3 Our principal place of business is at the address above.
9.4 You can contact us:
(a) by post, addressed to HR, at our registered office address;
(b) using our website contact form;
(c) by telephone, on the contact number published on our website from time to time; or
(d) by email, using the email address published on our website from time to time (hr@lhccgroup.co.uk).
LHCC Privacy Notice Policy
Last Updated: June 27, 2025
This legal document was produced and published by LHCC LIMITED and Care London Ltd. We control the copyright in this document. This document is subject to change without prior notice, but you will be informed of any significant changes we have made. You reserve the right to either accept or reject our new Privacy Policy.
The current version of our terms and conditions is available at: https://lhccgroup.co.uk/privacypolicynotice.
1.1 We are committed to safeguarding the privacy of our service users, staff members, Multi-Disciplinary Team (MDT) members, and other external associates.
1.2 This policy applies where we are acting as a data controller with respect to the personal data of our service users, staff members, and other associates. This means we determine the purposes and means of processing that personal data.
1.3 We do not currently use cookies on our public website. If, in the future, we need to use cookies that are not strictly necessary for the provision of our website and services, we will ask for your explicit consent to our use of those cookies when you first visit our website.
1.4 Our internal systems incorporate privacy controls that affect how we will process your personal data. By using these privacy controls, you can specify whether you would like us to electronically store and process certain aspects of your personal data. You can access these privacy controls via our intranet (Carex.lhcc.co).
1.5 In this policy, “we”, “us” and “our” refer to LHCC LIMITED and/or Care London Ltd. For more information about us, please see Section 10.
2.1 In this Section 2, we have set out:
(a) the general categories of personal data that we may process;
(b) in the case of personal data that we did not obtain directly from you, the source and specific categories of that data;
(c) the purposes for which we may process personal data; and
(d) the legal bases of the processing.
2.2 Usage Data: We may process data about your use of our website and services (“usage data”). The usage data may include your IP address, geographical location, browser type and version, operating system, and timestamp of your visits. We do not use any third-party analytics tracking systems for marketing or profiling purposes. This usage data is processed solely for the purposes of analyzing technical errors, managing access to our systems, and ensuring their security. The legal basis for this processing is our legitimate interests, namely monitoring and improving the technical performance and security of our website and tracking access to our intranet.
2.3 Account Data (Carex.lhcc.co): We may process your account data (“Carex data”). The account data may include your name and email address. The source of the account data is either you directly or LHCC Limited/Care London Ltd. The account data may be processed for the purposes of operating our website, providing our services, ensuring the security and integrity of our website and services, maintaining back-ups of our databases, and communicating with you. The legal basis for this processing is our legitimate interests, namely the proper administration and security of our website and business operations.
2.4 Specific Categories of Data Processing
Service Users
To provide a safe, professional, and high-quality service, we need to keep certain records about you.
What data do we have?
We may process the following types of data:
We also record the following data, which is classified as “special category” data under UK GDPR, requiring additional protection:
Why do we have this data?
We need this data to provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.
We process your personal data because:
We process your special category data because:
Where do we process your data?
To provide you with high-quality care and support, we collect specific data from or share it with:
We collect this data face-to-face, via phone, email, our website, post, application forms, and our web applications, including Carex.
Third parties are organisations we may lawfully share your data with. These include:
Staff
To provide a safe and professional service and fulfil our employment obligations, we need to keep certain records about you.
What data do we have?
We may record the following types of data:
We also record the following data, which is classified as “special category” data or relates to criminal convictions:
Why do we have this data?
We require this data so that we can contact you, pay you, and ensure you receive the training and support needed to perform your job. By law, we need to have a lawful basis for processing your personal data.
We process your personal data because:
We process your special category data (e.g., health data for sick pay/maternity pay) because:
If we process your criminal records data (e.g., DBS checks), it is because we have a legal obligation to do this due to the type of work you do, as set out in the Data Protection Act 2018 (Schedule 1, Part 1, Paragraph 1 or 2) and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975.
We may also process your data with your explicit consent where no other legal basis applies. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm your consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.
Where do we process your data?
As your employer, we need specific data. This is collected from or shared with:
We do this face-to-face, via phone, email, our website, post, application forms, and our web applications, including Carex.
Third parties are organisations we have a legal reason to share your data with. These include:
Friends/Relatives
As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:
Why do we have this data?
By law, we need to have a lawful basis for processing your personal data.
We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff. This is essential for effective communication and emergency response.
We may also process your data with your consent where no other legal basis applies. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm your consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.
Where do we process your data?
To provide high-quality care and support, we collect specific data from or share it with:
We do this face-to-face, via phone, email, our website, post, application forms, and web applications.
Third parties are organisations we have a legal reason to share your data with. These may include:
Our Website
To provide you with the best experience while using our website, we may display some information about service users, staff, families, friends, and other professionals. This will only ever be done with the explicit consent of the individuals concerned.
We may also publish blogs or vlogs featuring stakeholders, always with their explicit, informed consent.
2.5 Correspondence Data: We may process information contained in or relating to any communication that you send to us (“correspondence data”). The correspondence data may include the communication content and metadata associated with the communication, mostly from emails and contact forms on our website. Our website will generate the metadata associated with communications made using the website contact forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our website and business, and effective communication with users.
2.6 Hard Copies/Other Documents: We may process information sent or handed over to us in hard copies, pamphlets, or any other documents. Information received from professionals regarding service users may be archived or processed and uploaded onto our online platform (Carex). Any such processing will be carried out in accordance with the legal bases and purposes outlined in Section 2.4 for Service Users.
3.1 Compliance with National Data Opt-Out: LHCC LIMITED and Care London Ltd. are health and adult social care organisations in England and are therefore required to comply with the National Data Opt-Out policy. This policy gives individuals the choice to opt out of their confidential patient information being used for research and planning purposes.
3.2 What is the National Data Opt-Out? The National Data Opt-Out is a service that allows individuals to prevent their confidential patient information from being used for purposes beyond their individual care and treatment. This includes uses for research and planning across the health and social care system in England.
3.3 How to Exercise Your Opt-Out Choice: You have the right to make a choice about whether confidential patient information is used in this way. If you are happy for your information to be used for research and planning, you do not need to do anything. If you wish to opt out, you can register your choice at any time by:
* Visiting the NHS website: www.nhs.uk/your-nhs-data-matters
* Using the NHS App (look for “Your Health” and then “Choose if data from your health records is shared for research and planning”).
* Calling the NHS Digital contact centre on 0300 303 5678.
3.4 What the Opt-Out Applies To: The National Data Opt-Out applies to confidential patient information where its use is for purposes beyond your individual care and treatment, such as for research, planning, or improving health and social care services. It does not apply to information used for your individual care and treatment, or where there is a legal requirement or an overriding public interest in the disclosure (e.g., for public health purposes like managing infectious diseases).
3.5 Our Commitment: We are committed to upholding your National Data Opt-Out choice where it applies. We will ensure that any confidential patient information we share for research and planning purposes is checked against the National Data Opt-Out register and that your preference is respected.
4.1 We may disclose your personal data to our branches and various projects within LHCC Group. This is done insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy. All internal sharing is subject to strict confidentiality agreements and access controls.
4.2 In addition to the specific disclosures of personal data set out in this Section 4, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person. We may also disclose your personal data where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure.
4.3 We will not disclose any other information without your specific authorisation to members of the public or if you have instructed us not to share your data with specific individual(s), unless there is a legal obligation or overriding public interest requirement to do so (e.g., safeguarding). You can use the “contact us” form on our website or communicate via Carex to send in your instructions regarding data sharing.
5.1 This Section 5 sets out our data retention policies and procedures, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.
5.2 Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
5.3 We will retain your personal data as follows, in line with statutory requirements and best practice for health and social care records:
5.4 In some cases, it is not possible for us to specify in advance the exact periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:
(a) The period of retention of your personal data will be determined based on relevant UK legal and regulatory requirements (e.g., CQC guidance, employment law, tax law), industry best practices (e.g., NHS Records Management Code of Practice), and the necessity for the establishment, exercise, or defence of legal claims.
5.5 Notwithstanding the other provisions of this Section 5, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person, and to ensure the security and integrity of our online systems.
6.1 We may update this policy from time to time by publishing a new version on our website.
6.2 You will be notified of any significant changes we make, and you will have the opportunity to review and ensure you are happy with any changes to this policy before you are asked to accept the updated policy.
6.3 We will notify you of significant changes to this policy by email or through the private messaging system on our intranet (Carex).
7.1 In this Section 7, we have summarised the rights that you have under UK data protection law (UK GDPR and Data Protection Act 2018). Some of these rights are complex, and not all of the details have been included in our summaries. Accordingly, you should read the relevant laws and guidance from the Information Commissioner’s Office (ICO) for a full explanation of these rights.
7.2 Your principal rights under data protection law are:
(a) The right to be informed;
(b) The right of access;
(c) The right to rectification;
(d) The right to erasure (‘the right to be forgotten’);
(e) The right to restrict processing;
(f) The right to object to processing;
(g) The right to data portability;
(h) The right to complain to a supervisory authority (the ICO); and
(i) The right to withdraw consent;
(j) The right not to be subject to automated decision-making, including profiling.
7.3 Right of Access: You have the right to confirmation as to whether or not we process your personal data and, where we do, access to the personal data, together with certain additional information. That additional information includes details of the purposes of the processing, the categories of personal data concerned, and the recipients of the personal data. Providing the rights and freedoms of others are not affected, we will supply to you a copy of your personal data. The first copy will be provided free of charge, but additional copies may be subject to a reasonable fee. You can access much of your personal data by visiting Carex.lhcc.co and selecting your profile page.
7.4 Right to Rectification: You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
7.5 Right to Erasure: In some circumstances, you have the right to the erasure of your personal data without undue delay. Those circumstances include: the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; you withdraw consent to consent-based processing; you object to the processing under certain rules of applicable data protection law; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are exclusions to the right to erasure. The general exclusions include where processing is necessary: for exercising the right of freedom of expression and information; for compliance with a legal obligation; or for the establishment, exercise, or defence of legal claims.
7.6 Right to Restrict Processing: In some circumstances, you have the right to restrict the processing of your personal data. Those circumstances are: you contest the accuracy of the personal data; processing is unlawful but you oppose erasure; we no longer need the personal data for the purposes of our processing, but you require personal data for the establishment, exercise, or defence of legal claims; and you have objected to processing, pending the verification of that objection. Where processing has been restricted on this basis, we may continue to store your personal data. However, we will only otherwise process it: with your consent; for the establishment, exercise, or defence of legal claims; for the protection of the rights of another natural or legal person; or for reasons of important public interest.
6.7 Right to Object to Processing: You have the right to object to our processing of your personal data on grounds relating to your particular situation, but only to the extent that the legal basis for the processing is that the processing is necessary for: the performance of a task carried out in the public interest or in the exercise of any official authority vested in us; or the purposes of the legitimate interests pursued by us or by a third party. If you make such an objection, we will cease to process the personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defence of legal claims.
6.8 Right to Object to Processing for Research/Statistical Purposes: You have the right to object to our processing of your personal data for scientific or historical research purposes or statistical purposes on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
6.9 Right to Data Portability: To the extent that the legal basis for our processing of your personal data is:
(a) consent; or
(b) that the processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract,
and such processing is carried out by automated means, you have the right to receive your personal data from us in a structured, commonly used, and machine-readable format. However, this right does not apply where it would adversely affect the rights and freedoms of others.
6.10 Right to Complain to a Supervisory Authority: If you consider that our processing of your personal information infringes data protection laws, you have a legal right to lodge a complaint with a supervisory authority responsible for data protection. In the UK, this is the Information Commissioner’s Office (ICO). You may do so in the UK member state of your habitual residence, your place of work, or the place of the alleged infringement.
6.11 Right to Withdraw Consent: To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
6.12 How to Exercise Your Rights: You may exercise any of your rights in relation to your personal data by written notice to us, or directly from our intranet (Carex-MS) where applicable.
7.1 In the case of any personal data breach, we are required to notify the Information Commissioner’s Office (ICO) and, in some cases, the affected individuals.
7.2 The ICO will be notified of a breach where it is likely to result in a risk to the rights and freedoms of individuals – for example, if it could result in discrimination, damage to reputation, financial loss, loss of confidentiality, or any other significant economic or social disadvantage. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
If you would like to complain about how we have dealt with your request or our data handling practices, please contact:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: https://ico.org.uk/global/contact-us/
8.1 We have a Data Protection Officers (DPOs) who are responsible for data protection compliance across the organisation:
9.1 This website is owned and operated by LHCC LIMITED.
9.2 We are registered in England and Wales under company registration number 04199578, and our registered office is at 4 Gainsborough Rd, Leytonstone, London, E11 1HT.
9.3 Our principal place of business is at the address above.
9.4 You can contact us:
(a) by post, addressed to HR, at our registered office address;
(b) using our website contact form;
(c) by telephone, on the contact number published on our website from time to time; or
(d) by email, using the email address published on our website from time to time (hr@lhccgroup.co.uk).