Resident Privacy Notice
This notice applies to current and former living residents of the care home. This notice does not form part of any contract to provide services to you. We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and supervisory authorities in the event you have a complaint.
Who we are
Korian UK Ltd and Korian UK Estates Ltd (“we” or “Company”) are each a ‘controller’. This means that we are responsible for deciding how we hold and use personal information about you. In accordance with and as required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”) and the Data Protection Act 2018, we have implemented this privacy notice to inform you, as a resident of a care home run by the Company, of the types of data we process about you. We also include within this notice the reasons for processing your data, the lawful basis that permits us to process it, how long we keep your data for and your rights regarding your data.
Data Protection Principles
Under the UK GDPR, all personal data obtained and held by us must be processed according to a set of core principles. In accordance with these principles, we will ensure that:
a) processing is fair, lawful and transparent
b) data is collected for specific, explicit, and legitimate purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
c) data collected is adequate, relevant and limited to what is necessary for the purposes of processing
d) data is kept accurate and up to date. Data which is found to be inaccurate will be rectified or erased without delay
e) data is not kept for longer than is necessary for its given purpose
f) data is processed in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing, accidental loss, destruction or damage by using appropriate technical or organisational measures
g) we comply with the relevant UK GDPR procedures for international transferring of personal data.
The personal information we collect and use
Information collected by us
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
There are certain types of more sensitive personal data which require a higher level of protection, such as information about a person’s health or sexual orientation. Information about criminal convictions also warrants this higher level of protection. This is covered in a later section of this privacy notice.
In the course of providing residential and nursing care for our residents, we collect and keep several categories of personal information when you provide it to us. We keep this data in files relating to each resident and we also hold the data within our computer systems.
Specifically, we collect, hold and use the following types of data about you:
• Identity Data: your name, title, address, date of birth, telephone numbers, email addresses.
• Power of Attorney details.
• Family Data: name, title, address, telephone numbers and email addresses of family members that you or your Power of Attorney have requested we hold.
• Gender, marital status, political beliefs, ethnicity, religion or sexuality.
• Medical Data: name of your doctor, NHS number, full medical history (including information on any disability you have) and medication details.
• Dietary requirements.
• Criminal conviction data (if this is volunteered by you).
• Interests and hobbies.
• Financial Data: details of your personal finances, including bank account details.
• CCTV footage.
• Building access records.
• Acoustic Monitoring and audio recording (if consented to)
Information collected from other sources
As well as being provided with data by you to us directly, we also obtain personal information from third party sources as follows:
• Full assessment data from social workers or local authorities.
• NHS or Clinical Commissioning Groups (CCGs)
• General Practitioners.
How we use your personal information
We use your personal information for the following purposes and activities:
• Creation of a pre-admission questionnaire and completion of an Admission Agreement with a view to providing an appropriate care package within our care home.
• Monitoring and evaluating health care received by you with regular updating of your care plan.
• Communication with local and statutory bodies.
• Contacting your family or power of attorney for notice of family/residents’ meetings, for emergency purposes, or other general reasons relating to your care.
• Undertaking a financial assessment of your ability to pay the care home fees.
• Obtaining payment for the care services we provide.
• Acoustic Monitoring so team members can be alerted when a resident may need
Who we share your personal information with
We will share your personal data where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so.
Data is shared with third parties for the following reasons:
• Where a family member assists or tends to health, property or financial matters for you, we will only share relevant personal information with that family member if we have obtained your specific consent or that of your duly appointed Power of Attorney.
• With social workers, relevant local authorities, NHS or CCG to carry out a care needs or financial assessment. This will ensure the most appropriate and effective care package is provided.
• With local or safeguarding authorities, including the Care Quality Commission, Local Authority Safeguarding Teams, the Police, the Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC), as required under the Care Act or applicable law.
• For audit purposes, the Company Statutory Auditors will review information containing personal information in order to comply with a legal obligation upon us
• With insurance companies for any claims made.
• The police or other law enforcement agencies if we have to by law or court order.
We may also share your data with third parties as part of a Company sale or restructure, or for other reasons to comply with a legal obligation upon us. Where your personal data is shared in the context of a Company sale or restructure, we will, so far as possible, share anonymised data with the other parties before the transaction completes. Once the transaction is completed, we will share your personal data with the other parties if and to the extent required under the terms of the transaction. We have a data processing agreement in place with such third parties to ensure data is not compromised. Third parties must implement appropriate technical and organisational measures to ensure the security of your data.
We will share your personal information with other entities in our group as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, or in order to provide services to us.
All our third-party service providers and other entities in the Company group are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
National Data Opt-Out
Berkley Care and all our associated subsidiaries review our data processing on an annual basis to assess if the national data opt-out applies. This is recorded in our Record of Processing Activities. All new processing is assessed to see if the national data opt-out applies. If any data processing falls within the scope of the National Data Opt-Out, we use MESH to check if any of our residents have opted out of their data being used for this purpose.
At this time, we do not share any data for planning or research purposes for which the national data opt out would apply. We review all the confidential resident information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose. You can find out more information at https://www.nhs.uk/your-nhs-data-matters/.
How long your personal information will be kept
We will hold your personal data for no longer than is necessary under applicable UK law to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Some data retention periods are set by the law. Retention periods can vary depending on why we need your personal data; however, under our standard policy, we will hold financial information relating to the invoicing for our care services for a period of 7 years, while all other personal information will be held for a period of 3 years after we have ceased to provide our care services to you. Personal data is deleted or securely destroyed at the end of its retention period.
Reasons we can collect and use your personal information
The law on data protection allows us to process your data for certain reasons only. In the main, we process your data in order to comply with a legal requirement; where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests; in order to perform the contract we have with you or in pursuit of our legitimate interests. We may also use your personal data where we need to protect your (or someone else’s) interests; or where it is needed in the public interest or for an official purpose.
The information below categorises the types of data processing we undertake and the lawful basis we rely on.
|Type of activity||Lawful basis|
|Collation of enquiry data, creation of pre-admission questionnaire and completion of an Admission Agreement||Performance of the contract|
|Creating and updating care plans including medication documentation, health and medical information, and risk assessments||Performance of the contract|
|Acoustic Monitoring and audio recording||Consent|
|Reporting to CQC and safeguarding authorities and making referrals to the Disclosure and Barring Service (DBS) and Nursing and Midwifery Council (NMC) when required||Legal obligation|
|Recording of specific incidents such as inspections, infection outbreaks, feedback and accidents/incidents, including any subsequent investigations||Legal obligation|
|Use of GP Connect systems to enable authorised staff to share and view GP practice clinical information and data between IT systems||Legitimate Interests (to provide effective, joined-up and timely care and treatment to residents)|
|Maintaining a record of Powers of Attorney appointed to individuals||Legal obligation|
|Complying with health and safety obligations||Legal obligation|
|Undertaking a needs assessment or financial assessment with local authority||Legitimate interest (to allow us to provide high-quality care and support to residents)|
|Invoicing and collection of fees||Performance of contract|
|Process photos or videos for marketing purposes||Consent|
|Ensuring our administrative and IT systems are secure and robust against unauthorised access||Our legitimate interests (to ensure adequate security of IT systems and compliance with data protection and confidentiality requirements)|
|CCTV footage in communal and public areas of our homes||Our legitimate interests (safety management and risk reduction measures)|
|Dealing with legal claims made against us||Our legitimate interests (respond to and defend against legal claims)|
|Preventing fraud||Our legitimate interests (to prevent fraud and other illegal activity)|
Where we rely upon legitimate interest as a reason for processing personal data, we have considered whether or not those interests are overridden by the rights and freedoms of the contractor and have concluded that they are not.
Special Categories Of Personal Data
Special categories of personal data are data relating to your:
b) sex life
c) sexual orientation
e) ethnic origin
f) political opinion
h) trade union membership
i) genetic and biometric data.
These special categories of personal data require higher levels of protection. We need to have further justification for collecting, storing and using this type of personal information.
We may process special categories of data when the following applies:
a) in limited circumstances, where you have given explicit consent to the processing.
b) we must process the data in order to carry out our legal obligations or exercise rights in connection with employment.
c) we must process data for reasons of substantial public interest, such as for equal opportunities monitoring or in relation to an occupational pension scheme.
d) where it is necessary to protect you or another person from harm.
e) where it is needed in relation to legal claims.
f) where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent.
g) you have already made the data public.
In general, we will not process particularly sensitive personal data about you unless it is necessary for performing or exercising obligations or rights in connection with your residential care. On rare occasions, there may be other reasons for processing, such as it is in the public interest to do so. The situations in which we may process your particularly sensitive personal information are listed below:
a) We may use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sex life or sexual orientation, where we are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations, where it is necessary for us to provide and manage social care services or where we are required to do so in order to fulfil the contract we have with you.
b) We may use information about your physical or mental health, or disability status, to fulfil the contract we have with you or to provide and manage social care services.
c) If we reasonably believe that you or another person are at risk of harm and the processing is necessary to protect you or them from physical, mental or emotional harm or to protect physical, mental or emotional well-being.
We do not need your consent if we use special categories of your personal information to carry out our legal obligations or exercise specific rights. In limited circumstances, we may approach you for your written consent to allow us to process certain particularly sensitive data. If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of your contract with us that you agree to any request for consent from us.
We do not need your consent where the purpose of the processing is to protect you or another person from harm or to protect your well-being and if we reasonably believe that you need care and support, are at risk of harm and are unable to protect yourself.
Transfer of your information out of the EEA
We will transfer the personal information we collect about you to countries within the European Economic Area in order to perform our contract with you. There are adequacy regulations in respect of those countries within the European Economic Area. This means that the countries to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
Failure To Provide Data
Your failure to provide us with data may mean that we are unable to fulfil our requirements for entering into a contract with you to provide residential care home services. This could include being unable to administer contractual benefits to you. We may also be prevented from complying with our legal obligations, such as to ensure the health and safety of our residents.
Criminal Conviction Data
We envisage that we may hold information about criminal convictions. We will only collect criminal conviction data where it is appropriate, where you have volunteered the information to us and where the law permits us. This data may be collected at any time prior to or during your residence at our care home facilities. We rely on legitimate interests (to allow us to provide high-quality care and support to residents) to process this data. We have in place appropriate safeguards which we are required by law to maintain when processing such data.
Change of Purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Automated Decision Making
Automated decision-making means making a decision about you using no human involvement e.g. using computerised filtering equipment. We are allowed to use automated decision-making in the following circumstances:
1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.
If we make an automated decision on the basis of any particularly sensitive personal information, we must have either your explicit written consent or it must be justified in the public interest, and we must also put in place appropriate measures to safeguard your rights.
No decision will be made about you solely on the basis of automated decision making (where a decision is taken about you using an electronic system without human involvement) which has a significant impact on you, unless we have a lawful basis for doing so and we have notified you.
We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.
Under certain circumstances, you have a number of important rights in relation to the personal data we hold on you. In summary, those include rights to:
• Fair processing of information and transparency over the personal data we hold on you and how we use your personal information.
• Access to your personal information and to certain other supplementary information that this Privacy Notice is already designed to address (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Require us to correct any mistakes in your information which we hold, however they come to light. This is also known as ‘rectification’.
• Require the erasure of personal information concerning you in certain situations. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing. This is also known as ‘erasure’
• Data portability i.e., you have the right to receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to a third party in certain
• Object at any time to processing of personal information concerning you for direct marketing
• Object to profiling or decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
• Object in certain other situations to our continued processing of your personal information, including the right to object to the inclusion of any personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground
• Otherwise restrict our processing of your personal information in certain circumstances. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact the Data Protection Officer in writing.
Although subject access requests may be made verbally, we would advise that a request may be dealt with more efficiently and effectively if it is made in writing. If you wish to make a request, please use the Subject Access Request form.
Usually, we will comply with your request without delay and at the latest within one month. Where requests are complex or numerous, we may contact you to inform you that an extension of time is required. The maximum extension period is two months.
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We may refuse to deal with your subject access request if it is manifestly unfounded or excessive, or if it is repetitive. Where it is our decision to refuse your request, we will contact you without undue delay, and at the latest within one month of receipt, to inform you of this and to provide an explanation. You will be informed of your right to complain to the Information Commissioner and to a judicial remedy.
We may also refuse to deal with your request, or part of it, because of the types of information requested. For example, information which is subject to legal privilege or relates to management planning is not required to be disclosed. Where this is the case, we will inform you that your request cannot be complied with, and an explanation of the reason will be provided.
If you wish to exercise any of the rights explained above, please contact our Data Protection Officer, details of which are at the end of this policy.
Where you have provided consent to our collection, processing or transfer of your personal data for a specific purpose, you also have the right to withdraw that consent at any time. To withdraw your consent, please contact the Data Protection Officer. Once we have received notification that you have withdrawn your consent, we will stop processing your personal data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Compliance with the national data opt-out
The Department of Health and Social Care’s national data opt-out policy enables people to opt out from their health and care data being used for research or planning purposes. We only use your health/ care records for your individual care and not for research and planning. Consequently, you do not need to decide whether to opt out as your data is not being used for these purposes anyway.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a genuine business need to know it. Those processing your information will do so only in an authorised manner on our instructions and are subject to a duty of confidentiality. Details of these measures may be obtained from our Data Protection Officer.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
This notification will be made without undue delay and may, dependent on the circumstances, be made after the supervisory authority is notified.
The following information will be provided when a breach is notified to the affected individuals:
a) A description of the nature of the breach
b) The name and contact details of the data protection officer where more information can be obtained
c) A description of the likely consequences of the personal data breach
d) A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
How to complain
We hope that we can resolve any query or concern you raise about our use of your information.
The UK GDPR also gives you the right to lodge a complaint with the Information Commissioner (ICO). You can contact the ICO at https://ico.org.uk/concerns/ or Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF or telephone: 0303 123 1113 (local rate) or 01625 545 745.
Changes to this privacy notice
This privacy notice was last updated and published in July 2023. We may (and reserve the right to) change this privacy notice from time to time. When we do, we will inform you via your chosen stated method of communication with us and provide you with an updated copy of this notice as soon as reasonably practical. We may also notify you in other ways from time to time about the processing of your personal information.
How to contact us
We have appointed a Data Protection Officer to oversee compliance with this privacy notice.
If you have any questions about this privacy notice or the information we hold about you, or how we handle your personal information, please write to us at either
Berkley Care Group,
Berkhamsted, HP4 2ST