Privacy notice overview

This overview contains some important information about the content and location of our Privacy Notice. It’s important that you take a moment to read our Privacy Notice as it will help to explain the following:

Our Identity

Who we are and how to contact us.

The Information

What information we collect and from whom.
How we use the information together with the reasons why.
The legal basis we rely on to use your information.
Who we share the information with including transfers of data outside of the European Union (EU).
How long we keep your information.

Your Rights

Your rights in relation to the information we will collect and hold about you.

Data Security

How we keep your personal data safe.

Further Details

To find further details about the items covered in this overview, please see our full Privacy Notice.

Introduction

New General Data Protection Regulation (’GDPR’)

Important changes to Data Protection

Protecting personal information is extremely important to Porthaven Care Homes. It's especially

important for a healthcare provider like us, as our residents trust us to look after a huge amount of sensitive information covering everything from their name and basic contact information, right through to their medical history.

The way we collect and share that information is equally important. Our residents expect us to manage their information privately and securely. If we don't, they'll lose their trust in us. This is a copy of our Privacy Notice, which sets out how we use and protect personal information.

If you are a resident in a Porthaven care home, this Privacy Notice replaces the existing privacy statement you agreed to when you signed your contract. Please take a few minutes to read it, and show it to anyone else connected to your care.

This Privacy Notice will take effect on 25th May 2018, and may be subject to change in the future. You can find the most recent version of this notice here:

www.porthaven.co.uk/privacy-policy/

About us

Porthaven Care Homes (‘Porthaven’ – see the list of companies at the end of this Notice) provides residential care services including nursing, respite and dementia care.

What is personal information?

When we talk about personal information we mean information about an individual that can identify them, like their name, address, email address, telephone number and health details. It can relate to residents, employees, shareholders, business contacts and suppliers. Any reference to ‘information’ or ‘data’ in this Notice is a reference to personal information about a living individual.

When do we collect personal data about you?

Stage
Description
New Resident Enquiry When you enquire about our range of care services by visiting our website, completing an enquiry form, speaking to us over the telephone or visiting one of our care homes
Care Home Visit When you or a responsible individual acting on your behalf comes to visit us for a residential tour and to discuss our care services in more detail
Care Assessment When we undertake a more detailed assessment of your medical and care home needs
Care Agreement When contract negotiations commence and / or agreement to proceed is obtained
Resident During your stay with us as a resident

What personal data may we collect from you and why?

The data we collect about you will likely be obtained from different sources. Some information will be given to us by you or a responsible individual acting on your behalf, some information will be given to us by medical or other professionals that we engage with during the various stages to assess and meet your needs.

New Resident Enquiry

During this stage we rely on our ‘legitimate interests’ to process your personal data.

Stage
Description
Personal Identifiers
Contact Details
To provide you with information about services that you request or that we feel may be of benefit to you
Personal Identifiers
Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
Personal Identifiers
Contact Details
Internal record keeping and administration
Online identifiers For system administration and internal tracking

Care Home Visit

During this stage we rely on our ‘legitimate interests’ to process your personal data.

Stage
Description
Personal Identifiers
Contact Details
To provide you with information about products and services that you request from us
Personal Identifiers
Contact Details
To provide you with information about products and services that we feel may be of benefit to you
Personal Identifiers
Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
Personal Information
Special Category Data
Third Party
Information
Other Information
To understand the level of care required (including any medical treatment(s) and specialist care)
Personal Identifiers
Contact Details
Personal Information
Special Category Data
Third Party Information
Other Information
Internal record keeping and administration

Assessment for Care

During this stage we will rely on our ‘legitimate interests’ to process your personal data.

Stage
Description
Personal Identifiers
Contact Details
To provide you with information about products that you request from us
Personal Identifiers
Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
Personal Information
Special Category Data
Third Party Information
Other Information
To understand the level of care required (including any medical treatment(s) and specialist care)
Personal Information
Special Category Data
Third Party Information
Other Information
Internal record keeping and administration

Care Agreement

During this stage we will rely on ‘contractual necessity’ to process your personal data.

Stage
Description
Personal Information
Special Category Data
Other Information
To determine the required pricing structure and prepare the contracts
Personal Information
Special Category Data
Other Information
Internal record keeping and administration

Resident Stage

During this stage we will rely on ‘contractual necessity’ to process your personal data with the exception of data marked with a (*) below where we will rely on ‘legal obligation’.

Stage
Description
Personal Identifiers
Contact Details
Personal Information
Other Information
To carry out our obligations to you arising from any contract
Responding to your queries and every day residential needs
Personal Identifiers
Contact Details
Personal Information
Other Information
To carry out our obligations to you arising from any contract
Supporting your medical treatment or care and other benefits
Personal Identifiers
Contact Details
Personal Information
Financial Information
Other Information
To carry out your obligations to us arising from any contract
Billing, accounting and payment services
Personal Identifiers*
Contact Details*
Personal Information*
Special Category Data*
Third Party Information*
Other Information*
Responding to requests where we have a legal or regulatory obligation to do so*
Personal Identifiers
Contact Details
Personal Information
Financial Information
Special Category
Third Party Information
Other Information
Assessing the quality and type of care you have received and any concerns or complaints you may raise
Personal Identifiers
Contact Details
Personal Information
Financial Information
Special Category
Third Party Information
Other Information
Internal record keeping and administration
Personal Identifiers
Contact Details
Personal Information
Financial Information
Special Category
Third Party Information
Other Information
For internal audit and accounting purposes together with the preparation and review of management information

For further details of the data types contained within each category please refer to the section called ‘Personal data types and items’ which can be found later in this Notice.

Your decision to provide any personal data described above to us is voluntary. If you choose not to provide any of the personal data requested, our ability to enter into a contract and or fulfil our obligations to you arising from any contract may be limited.

Data sharing and transfers

In the usual course of business Porthaven may disclose your personal data which will include health information as recorded below (to the extent necessary) to certain third party processors Porthaven has retained to perform services on its behalf and pursuant to its instructions. This may include sharing with:

  • Porthaven group companies for internal audit, reviews, management information and reporting. Full details of these companies can be found later in this Notice.
  • Business partners, suppliers and sub-contractors for the provision of the contracted services.
  • Organisations providing IT systems, hosting and support in relation to the IT systems on which your information is stored.
  • Third-party debt collectors for the purposes of debt collection.
  • Delivery companies for the purposes of transportation.
  • Third-party service providers who perform services on our behalf based on our instructions, for instance, for the purposes of storage of information and confidential destruction. We do not authorise these service providers to use or disclose the information except as necessary to perform services on our behalf or comply with applicable legal obligations.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their own obligations under Data Protection Laws.
Porthaven may also disclose your personal data if it is required to do so by law or legal process, or in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements. Porthaven also reserves the right to transfer personal data in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganisation, dissolution or liquidation).

Third country data transfers

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area ("EEA") to third-party suppliers, delegates or agents. We'll take all reasonably necessary steps to make sure that your data is treated securely and in accordance with this Privacy Notice. We'll only transfer your data to a recipient outside the EEA where we're permitted to do so by law, for instance, (A) where the transfer is based on standard data protection clauses adopted or approved by the European Commission, or (B) where the transfer is to a territory that is deemed adequate by the European Commission, or (C) where the recipient is subject to an approved certification mechanism and the personal information is subject to appropriate safeguards, etc.

Unfortunately, sending information via e-mail is not completely secure; anything you send is done so at your own risk. Once received, we will secure your information in accordance with our security procedures and controls.

Health information collected during provision of treatment or services

Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Notice. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies.

Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment and or care. It may also be provided to external service providers and regulatory bodies for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

Medical professionals working with us: We may share clinical information about you with medical professionals as we think necessary for your treatment and care.

External practitioners: If we refer you externally for treatment, we may share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral. It will always be made clear to you when we do this.

Your GP: If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP.

The NHS: If you are required to attend hospital, we may share the details of your treatment with the part of the NHS, as necessary to perform further treatment and care.

Care home regulators: We may be requested, and in some cases required, to share certain information (including personal data and sensitive personal data) about you and your care with regulators such as the CQC.

From time to time we may also make information available on the basis of necessity for treatment, the provision of healthcare and payment.

In an emergency and if you are incapacitated, we may share your personal data (including sensitive personal data) to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

We will use your personal data in order to monitor the outcome of any treatment associated with your care.

How we protect your personal data

We maintain appropriate technical and organisational measures designed to protect your personal data against loss or accidental, unlawful or unauthorised, alteration, access, disclosure or use.

Retention period

We retain personal information for as long as we reasonably require it for legal and business purposes. In determining data retention periods, Porthaven also takes into consideration local laws, relevant regulations and contractual obligations.

Your rights as a data subject

You have rights under data protection law that relate to the way we process your personal data. These rights are summarised below, but more information on these rights can also be found on the Information Commissioner's website – www.ico.org.uk. If you wish to exercise any of these rights, please get in touch with the Home Manager or Client Services Manager at the care home where you first made contact with Porthaven. Alternatively, you can also use the ‘Contact Us’ section of our website at www.porthaven.co.uk/contact-us, or contact our Data Protection Officer directly via the details provided later in this Notice.

Your rights

The right to access the personal data that we hold about you.
The right to make us correct any inaccurate personal data we hold about you.
The right to make us erase any personal data we hold about you. This right will only apply where for example:

    1. We no longer need to use the personal data to achieve the purpose we collected it for
    2. You withdraw your consent if we're using your personal data based on that consent
    3. Where you object to the way we use your data, and there is no overriding legitimate interest

The right to restrict our processing of the personal data we hold about you. This right will only apply where for example:

    1. You dispute the accuracy of the personal data we hold
    2. You would like your data erased, but we require to hold it in order to stop its processing
    3. You have the right to require us to erase the personal data but would prefer that our processing is restricted instead

The right to object to our processing of personal data we hold about you (including for the purposes of sending marketing materials to you).
The right to receive personal data, which you have provided to us, in a structured, commonly used and machine-readable format. You also have the right to request us to transfer this personal data to another organisation.
The right to withdraw your consent, where we're relying on it to use your personal data (for example, to provide you with marketing information about our services).
The right to object to automated processing and profiling.
All of the above requests will be forwarded on should there be a third party also involved in the processing of your personal data.

Controller’s Contact Information

Porthaven Care Homes is the controller for the personal information we process, unless otherwise stated.
You can contact us in the following ways:
- By writing to us at Porthaven Care Homes, 1 High Street, Windsor, Berkshire SL4 1LD
- By telephoning us on 01753 314314.

Data Protection Officer

Our Data Protection Officer (‘DPO’) is Harriet Wilcox, located at the DPO Centre, 50 Liverpool Street, London, EC2M 7PR. You can contact her via telephone on +44 (0) 203 797 1289.

Please contact our DPO if you have any questions about our Privacy Notice or the information we hold about you.

Complaints

In the event that you wish to make a complaint about how your personal data is being processed by us (or third parties engaged by us) please contact our DPO via the contact methods detailed above.
If you are not satisfied with how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority:

First Contact Team
Information Commissioner's Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel 0303 123 1113 or 01625 5457

Personal data types & items

Data Type
Data Items
Personal Identifiers Residential Account Number
Enquiry ID Number
National Insurance Number
NHS Number
Online Identifiers (IP Address)
Contact Information Name
Address
Email
Telephone
Room Number
Community Name
Personal Information Date of Birth
Dietary Information
Gender
Marital Status
Photograph
Residential Status
Financial Information Bank Details
Personal Assets
Personal Liabilities
Residence Account Balance
Special Category Information Ethnic Origin
Health Information
Religion
Third Party Information Enquirer Details
GP Details
Guarantor Details
NOK Details
POA Details
Responsible Party Details
Spouse Details
Other Information Date of Admission
Details of Incidents

Use of cookies

In order to monitor and improve the experience of our website and services, we may use in-house and third-party tracking technologies and tools, such as cookies and the analysis of log files. A cookie is a small text file that is placed on the PC, smartphone, tablet or other device that you use to browse our site. Cookies are used to collect information about how you use our site. Our cookies do not contain any personally identifiable information. Common uses for cookies include:

  • collecting information about pages that are visited most often
  • finding out if visitors get any error messages from our web pages
  • seeing which links visitors follow or don’t follow

Google Analytics Cookies

Like many services, Google Analytics uses first-party cookies to report on visitor interactions. These cookies are used to store non-personally identifiable information, such as

  • What time the current visit occurred
  • Whether the visitor has been to the site before
  • What site referred the visitor to the web page

For more information about this cookie, visit the Google Advertising Privacy FAQ. To manage your settings for this cookie and opt-out of this feature, visit the Ads Preferences Manager.

Google Display Network also collects Interest-based advertising data such as age, gender and interests.

The data stored by these cookies never shows personal details from which your individual identity can be established.

Targeting cookies

These cookies are used so that we can show you our online advertising when you visit other sites that are part of a network that enables advertising to be shown in this way. This is why you may sometimes see a Porthaven Care Homes advertisement on other websites after you have visited our site. These cookies may also be used for ourmarket research and to help measure the effectiveness of an advertising campaign.

Why we use cookies

Cookies help us to make our site better suited to your needs. Our cookies do not store personal information - such as your name, address, or phone number - in a format that other people can read. Our cookies cannot look at, read or search any other information held on your device or your hard drive about you or your family. The website that places a cookie owns that cookie. This means only that particular website and other sites that it has agreed to share information with can read the information stored using a cookie.

How to manage cookies

Your web browser has settings that enable you to choose how to manage cookies or to switch them off. Switching off cookies may mean that you can no longer make use of all of the services on our website. You can find out more about managing and switching off cookies at an independent website: allaboutcookies.org

Links to external sites

Porthaven Care Homes cannot be held responsible for the privacy practices or content on external websites. If you visit an external site from a link on our site, we recommend that you read their privacy and cookie policies, as we are not responsible or liable for anything on that site.

Porthaven Companies

The Porthaven companies covered by this Privacy Notice:

Porthaven Entity
Care Homes Operated

Porthaven Care Homes LLP

Astbury Mere Care Home
Avondale Care Home
Prestbury House Care Home

Porthaven Care Homes Ltd

Chiltern Grange Care Home
Wiltshire Heights Care Home
Haddon Hall Care Home

Porthaven Care Homes No2 Ltd

Thirlestaine Park Care Home
Woodland Manor Care Home
Savernake View Care Home
Penhurst Gardens Care Home
Lavender Oaks Care Home
Bourne Wood Manor Care Home
Lincroft Meadow Care Home
Tonbridge House Care Home

Porthaven Care Homes No3 Ltd

Hartfield House Care Home
Upton Mill Care Home
Hartfield House Care Home
Deer Park and Falkland Grange

Porthaven Management Ltd

N/A

Porthaven Properties Ltd

N/A

Porthaven Properties No2 Ltd

N/A

Porthaven Properties No3 Ltd

N/A

Glossary of Terms in this Notice from the GDPR

Consent

In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities.
Article 4 of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." In plain language, this means that:
you have to give us your consent freely;
you have to know what you are consenting to;
you should have choice over which processing activities you consent to and which you don’t; and
you need to take positive and affirmative action in giving us your consent

We will keep records of the consents that we have received from you. 
You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found above.

Contractual necessity

Article 6 of the GDPR states that we can process your data on the basis that such processing is necessary in order to enter into or perform a contract with you. 
The "contractual performance" lawful basis permits the processing of personal data in two different scenarios:
Situations in which processing is necessary for the performance of a contract to which you, the data subject, is a party. This may include, for example, processing your health details for the provision of residential care. 
Situations that take place prior to entering into a contract such as pre-contractual relations. For example, a formal review of the health confirmation collected during the care package assessment to determine the level of care required and the associated residential costs.

From the point at which contract negotiations commence and throughout your stay with us we will rely on contractual necessity as the lawful basis for the majority of personal data processing activities.

Compliance with legal obligations

Article 6 of the GDPR states that we can process your data on the basis that we have a legal obligation to perform such processing. Processing is permitted if it is necessary for compliance with a legal obligation.

Legitimate Interests

Article 6 of the GDPR states that we can process your data where it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data.