Privacy notice overview

New General Data Protection Regulation (’GDPR’)

Important changes to Data Protection

Protecting personal information is extremely important to Porthaven Care Homes. It's especially

important for a healthcare provider like us, as our residents trust us to look after a huge amount of sensitive information covering everything from their name and basic contact information, right through to their medical history.

The way we collect and share that information is equally important. Our residents expect us to manage their information privately and securely. If we don't, they'll lose their trust in us. This is a copy of our Privacy Notice, which sets out how we use and protect personal information.

If you are a resident in a Porthaven care home, this Privacy Notice replaces the existing privacy statement you agreed to when you signed your contract. Please take a few minutes to read it, and show it to anyone else connected to your care.

This Privacy Notice will take effect on 25th May 2018, and may be subject to change in the future. You can find the most recent version of this notice here:

www.porthaven.co.uk/privacy-policy/

Porthaven Care Homes (‘Porthaven’ – see the list of companies at the end of this Notice) provides residential care services including nursing, respite and dementia care.

When we talk about personal information we mean information about an individual that can identify them, like their name, address, email address, telephone number and health details. It can relate to residents, employees, shareholders, business contacts and suppliers. Any reference to ‘information’ or ‘data’ in this Notice is a reference to personal information about a living individual.

Stage	Description
New Resident Enquiry	When you enquire about our range of care services by visiting our website, completing an enquiry form, speaking to us over the telephone or visiting one of our care homes
Care Home Visit	When you or a responsible individual acting on your behalf comes to visit us for a residential tour and to discuss our care services in more detail
Care Assessment	When we undertake a more detailed assessment of your medical and care home needs
Care Agreement	When contract negotiations commence and / or agreement to proceed is obtained
Resident	During your stay with us as a resident

The data we collect about you will likely be obtained from different sources. Some information will be given to us by you or a responsible individual acting on your behalf, some information will be given to us by medical or other professionals that we engage with during the various stages to assess and meet your needs.

New Resident Enquiry

During this stage we rely on our ‘legitimate interests’ to process your personal data.

Stage	Description
Personal Identifiers Contact Details	To provide you with information about services that you request or that we feel may be of benefit to you
Personal Identifiers Contact Details	To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
Personal Identifiers Contact Details	Internal record keeping and administration
Online identifiers	For system administration and internal tracking

Care Home Visit

During this stage we rely on our ‘legitimate interests’ to process your personal data.

Stage	Description
Personal Identifiers Contact Details	To provide you with information about products and services that you request from us
Personal Identifiers Contact Details	To provide you with information about products and services that we feel may be of benefit to you
Personal Identifiers Contact Details	To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
Personal Information Special Category Data Third Party Information Other Information	To understand the level of care required (including any medical treatment(s) and specialist care)
Personal Identifiers Contact Details Personal Information Special Category Data Third Party Information Other Information	Internal record keeping and administration

Assessment for Care

During this stage we will rely on our ‘legitimate interests’ to process your personal data.

Stage	Description
Personal Identifiers Contact Details	To provide you with information about products that you request from us
Personal Identifiers Contact Details	To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
Personal Information Special Category Data Third Party Information Other Information	To understand the level of care required (including any medical treatment(s) and specialist care)
Personal Information Special Category Data Third Party Information Other Information	Internal record keeping and administration

Care Agreement

During this stage we will rely on ‘contractual necessity’ to process your personal data.

Stage	Description
Personal Information Special Category Data Other Information	To determine the required pricing structure and prepare the contracts
Personal Information Special Category Data Other Information	Internal record keeping and administration

Resident Stage

During this stage we will rely on ‘contractual necessity’ to process your personal data with the exception of data marked with a (*) below where we will rely on ‘legal obligation’.

Stage	Description
Personal Identifiers Contact Details Personal Information Other Information	To carry out our obligations to you arising from any contract Responding to your queries and every day residential needs
Personal Identifiers Contact Details Personal Information Other Information	To carry out our obligations to you arising from any contract Supporting your medical treatment or care and other benefits
Personal Identifiers Contact Details Personal Information Financial Information Other Information	To carry out your obligations to us arising from any contract Billing, accounting and payment services
Personal Identifiers* Contact Details* Personal Information* Special Category Data* Third Party Information* Other Information*	Responding to requests where we have a legal or regulatory obligation to do so*
Personal Identifiers Contact Details Personal Information Financial Information Special Category Third Party Information Other Information	Assessing the quality and type of care you have received and any concerns or complaints you may raise
Personal Identifiers Contact Details Personal Information Financial Information Special Category Third Party Information Other Information	Internal record keeping and administration
Personal Identifiers Contact Details Personal Information Financial Information Special Category Third Party Information Other Information	For internal audit and accounting purposes together with the preparation and review of management information

For further details of the data types contained within each category please refer to the section called ‘Personal data types and items’ which can be found later in this Notice.

Your decision to provide any personal data described above to us is voluntary. If you choose not to provide any of the personal data requested, our ability to enter into a contract and or fulfil our obligations to you arising from any contract may be limited.

In the usual course of business Porthaven may disclose your personal data which will include health information as recorded below (to the extent necessary) to certain third party processors Porthaven has retained to perform services on its behalf and pursuant to its instructions. This may include sharing with:

• Porthaven group companies for internal audit, reviews, management information and reporting. Full details of these companies can be found later in this Notice.
• Business partners, suppliers and sub-contractors for the provision of the contracted services.
• Organisations providing IT systems, hosting and support in relation to the IT systems on which your information is stored.
• Third-party debt collectors for the purposes of debt collection.
• Delivery companies for the purposes of transportation.
• Third-party service providers who perform services on our behalf based on our instructions, for instance, for the purposes of storage of information and confidential destruction. We do not authorise these service providers to use or disclose the information except as necessary to perform services on our behalf or comply with applicable legal obligations.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their own obligations under Data Protection Laws.
Porthaven may also disclose your personal data if it is required to do so by law or legal process, or in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Porthaven also reserves the right to transfer personal data in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganisation, dissolution or liquidation).

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") to third-party suppliers, delegates or agents. We'll take all reasonably necessary steps to make sure that your data is treated securely and in accordance with this Privacy Notice. We'll only transfer your data to a recipient outside the EEA where we're permitted to do so by law, for instance, (A) where the transfer is based on standard data protection clauses adopted or approved by the European Commission, or (B) where the transfer is to a territory that is deemed adequate by the European Commission, or (C) where the recipient is subject to an approved certification mechanism and the personal information is subject to appropriate safeguards, etc.

Unfortunately, sending information via e-mail is not completely secure; anything you send is done so at your own risk. Once received, we will secure your information in accordance with our security procedures and controls.

Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Notice. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies.

Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment and or care. It may also be provided to external service providers and regulatory bodies for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

Medical professionals working with us: We may share clinical information about you with medical professionals as we think necessary for your treatment and care.

External practitioners: If we refer you externally for treatment, we may share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral. It will always be made clear to you when we do this.

Your GP: If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP.

The NHS: If you are required to attend hospital, we may share the details of your treatment with the part of the NHS, as necessary to perform further treatment and care.

Care home regulators: We may be requested, and in some cases required, to share certain information (including personal data and sensitive personal data) about you and your care with regulators such as the CQC.

From time to time we may also make information available on the basis of necessity for treatment, the provision of healthcare and payment.

In an emergency and if you are incapacitated, we may share your personal data (including sensitive personal data) to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

We will use your personal data in order to monitor the outcome of any treatment associated with your care.

We maintain appropriate technical and organisational measures designed to protect your personal data against loss or accidental, unlawful or unauthorised, alteration, access, disclosure or use.

We retain personal information for as long as we reasonably require it for legal and business purposes. In determining data retention periods, Porthaven also takes into consideration local laws, relevant regulations and contractual obligations.

You have rights under data protection law that relate to the way we process your personal data. These rights are summarised below, but more information on these rights can also be found on the Information Commissioner's website – www.ico.org.uk. If you wish to exercise any of these rights, please get in touch with the Home Manager or Client Services Manager at the care home where you first made contact with Porthaven. Alternatively, you can also use the ‘Contact Us’ section of our website at www.porthaven.co.uk/contact-us, or contact our Data Protection Officer directly via the details provided later in this Notice.

Your rights

The right to access the personal data that we hold about you.
The right to make us correct any inaccurate personal data we hold about you.
The right to make us erase any personal data we hold about you. This right will only apply where for example:

1. We no longer need to use the personal data to achieve the purpose we collected it for
2. You withdraw your consent if we're using your personal data based on that consent
3. Where you object to the way we use your data, and there is no overriding legitimate interest

The right to restrict our processing of the personal data we hold about you. This right will only apply where for example:

1. You dispute the accuracy of the personal data we hold
2. You would like your data erased, but we require to hold it in order to stop its processing
3. You have the right to require us to erase the personal data but would prefer that our processing is restricted instead

The right to object to our processing of personal data we hold about you (including for the purposes of sending marketing materials to you).
The right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to request us to transfer this personal data to another organisation.
The right to withdraw your consent, where we're relying on it to use your personal data (for example, to provide you with marketing information about our services).
The right to object to automated processing and profiling.
All of the above requests will be forwarded on should there be a third party also involved in the processing of your personal data.

Porthaven Care Homes is the controller for the personal information we process, unless otherwise stated.
You can contact us in the following ways:
- By writing to us at Porthaven Care Homes, 1 High Street, Windsor, Berkshire SL4 1LD
- By telephoning us on 01753 314314.

Our Data Protection Officer (‘DPO’) is Harriet Wilcox, located at the DPO Centre, 50 Liverpool Street, London, EC2M 7PR. You can contact her via telephone on +44 (0) 203 797 1289.

Please contact our DPO if you have any questions about our Privacy Notice or the information we hold about you.

In the event that you wish to make a complaint about how your personal data is being processed by us (or third parties engaged by us) please contact our DPO via the contact methods detailed above.
If you are not satisfied with how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority:

First Contact Team
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel 0303 123 1113 or 01625 5457

Data Type	Data Items
Personal Identifiers	Residential Account Number Enquiry ID Number National Insurance Number NHS Number Online Identifiers (IP Address)
Contact Information	Name Address Email Telephone Room Number Community Name
Personal Information	Date of Birth Dietary Information Gender Marital Status Photograph Residential Status
Financial Information	Bank Details Personal Assets Personal Liabilities Residence Account Balance
Special Category Information	Ethnic Origin Health Information Religion
Third Party Information	Enquirer Details GP Details Guarantor Details NOK Details POA Details Responsible Party Details Spouse Details
Other Information	Date of Admission Details of Incidents

In order to monitor and improve the experience of our website and services, we may use in-house and third-party tracking technologies and tools, such as cookies and the analysis of log files. A cookie is a small text file that is placed on the PC, smartphone, tablet or other device that you use to browse our site. Cookies are used to collect information about how you use our site. Our cookies do not contain any personally identifiable information. Common uses for cookies include:

• collecting information about pages that are visited most often
• finding out if visitors get any error messages from our web pages
• seeing which links visitors follow or don’t follow

Google Analytics Cookies

Like many services, Google Analytics uses first-party cookies to report on visitor interactions. These cookies are used to store non-personally identifiable information, such as

• What time the current visit occurred
• Whether the visitor has been to the site before
• What site referred the visitor to the web page

For more information about this cookie, visit the Google Advertising Privacy FAQ. To manage your settings for this cookie and opt-out of this feature, visit the Ads Preferences Manager.

Google Display Network also collects Interest-based advertising data such as age, gender and interests.

The data stored by these cookies never shows personal details from which your individual identity can be established.

Targeting cookies

These cookies are used so that we can show you our online advertising when you visit other sites that are part of a network that enables advertising to be shown in this way. This is why you may sometimes see a Porthaven Care Homes advertisement on other websites after you have visited our site. These cookies may also be used for ourmarket research and to help measure the effectiveness of an advertising campaign.

Why we use cookies

Cookies help us to make our site better suited to your needs. Our cookies do not store personal information - such as your name, address, or phone number - in a format that other people can read. Our cookies cannot look at, read or search any other information held on your device or your hard drive about you or your family. The website that places a cookie owns that cookie. This means only that particular website and other sites that it has agreed to share information with can read the information stored using a cookie.

How to manage cookies

Your web browser has settings that enable you to choose how to manage cookies or to switch them off. Switching off cookies may mean that you can no longer make use of all of the services on our website. You can find out more about managing and switching off cookies at an independent website: allaboutcookies.org

Links to external sites

Porthaven Care Homes cannot be held responsible for the privacy practices or content on external websites. If you visit an external site from a link on our site, we recommend that you read their privacy and cookie policies, as we are not responsible or liable for anything on that site.

The Porthaven companies covered by this Privacy Notice:

Porthaven Entity	Care Homes Operated
Porthaven Care Homes LLP	Astbury Mere Care Home Avondale Care Home Prestbury House Care Home
Porthaven Care Homes Ltd	Chiltern Grange Care Home Wiltshire Heights Care Home Haddon Hall Care Home
Porthaven Care Homes No2 Ltd	Thirlestaine Park Care Home Woodland Manor Care Home Savernake View Care Home Penhurst Gardens Care Home Lavender Oaks Care Home Bourne Wood Manor Care Home Lincroft Meadow Care Home Tonbridge House Care Home
Porthaven Care Homes No3 Ltd	Hartfield House Care Home Upton Mill Care Home Hartfield House Care Home Deer Park and Falkland Grange
Porthaven Management Ltd	N/A
Porthaven Properties Ltd	N/A
Porthaven Properties No2 Ltd	N/A
Porthaven Properties No3 Ltd	N/A

Consent

In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities.
Article 4 of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." In plain language, this means that:
you have to give us your consent freely;
you have to know what you are consenting to;
you should have choice over which processing activities you consent to and which you don’t; and
you need to take positive and affirmative action in giving us your consent

We will keep records of the consents that we have received from you. 
You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found above.

Contractual necessity

Article 6 of the GDPR states that we can process your data on the basis that such processing is necessary in order to enter into or perform a contract with you. 
The "contractual performance" lawful basis permits the processing of personal data in two different scenarios:
Situations in which processing is necessary for the performance of a contract to which you, the data subject, is a party. This may include, for example, processing your health details for the provision of residential care. 
Situations that take place prior to entering into a contract such as pre-contractual relations. For example, a formal review of the health confirmation collected during the care package assessment to determine the level of care required and the associated residential costs.

From the point at which contract negotiations commence and throughout your stay with us we will rely on contractual necessity as the lawful basis for the majority of personal data processing activities.

Compliance with legal obligations

Article 6 of the GDPR states that we can process your data on the basis that we have a legal obligation to perform such processing. Processing is permitted if it is necessary for compliance with a legal obligation.

Legitimate Interests

Article 6 of the GDPR states that we can process your data where it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data.