PRIVACY STATEMENT FOR RELATIVES, FRIENDS AND CARERS OF FAMILY MEMBERS

INTRODUCTION

At Hatherleigh Care Village, we are more than just a care provider, we are a community committed to providing compassionate care that supports a meaningful continuation of life for individuals living with a Dementia.

Our approach is rooted in the principles established by Thomas Kitwood, placing each individual at the heart of everything we do. We are guided by the five core emotional needs identified by Kitwood “comfort, attachment, inclusion, occupation, identity” ensuring that every person experiences the human qualities essential for both emotional and physical well-being.

We create homely households/environments that feel familiar and comforting, where those we support are known as Family Members. This reflects the respect and warmth at the heart of our commitment to truly seeing the person, not the diagnosis. Every aspect of daily life is tailored to understand each Family Member’s history, identity and individuality.

Our approach doesn’t focus solely on the clinical aspects of Dementia, it embraces the whole person. Through meaningful connection, activity and a nurturing environment, we support well-being in all its forms. Comfort, belonging, inclusion and purpose are central to life at Hatherleigh Care Village, where every day is an opportunity to live with choice, independence and dignity.

At Hatherleigh Care Village we are committed to protecting your personal data and the personal data of the Family Member living in the home and handling it responsibly. Our Privacy Statement for Relatives, Friends and Stakeholders of Family Members explains how we collect and manage your data.

WHAT IS THE PURPOSE OF THIS PRIVACY STATEMENT

  • Under the UK GDPR and Data Protection Act 2018, we are required to explain to you why we collect your information, how we intend to use that information and whether we will share this information with anyone else. This statement applies to all relatives/friends/stakeholders/visitors with a vested interest in our Family Members (past and present).
  • It is important that you read this Privacy Statement for Relatives, Friends and Carers of Family Members so that you know how and why we use your information. We may update this Privacy Statement for Relatives, Friends and Stakeholders of Family Members at any time. It is also important that you inform us of any changes to the personal information we hold about you so that the information is accurate and up to date.

WHO ARE WE

2.1         We are Hatherleigh Care Village, Homes Limited (Hatherleigh Care Village Limited), a company registered in England and Wales under company number 09807631 and with our registered office at Beech House, Brotherswood Court, Bradley Stoke, Bristol, EX32 4QW.

2.2         Hatherleigh Care Village is a subsidiary of Evolve Care Group, and as part of our integrated business operations, employees of Evolve Care Group, may access the personal data and information held by Hatherleigh Care Village where necessary for legitimate business purposes. All data processing activities will adhere to applicable data protection laws, including the UK GDPR and the Data Protection Act 2018, ensuring appropriate safeguards and security measures to protect individuals’ rights and privacy.

2.3         Hatherleigh Care Village is the “Data Controller” for the information which we hold about you. This means that we are responsible for deciding how and why we hold your personal information.

OUR DATA PROTECTION OFFICER

3.1         Our Data Protection Officer (DPO) is responsible for overseeing what we do with your information and monitoring our compliance with the Data Protection Laws.

3.2         Our DPO is Mark Reed, Chief Operating Officer. If you have any concerns or questions about our use of your personal data, you can contact raise these by emailing info@hatherleighnursinghome.com or writing to Data Protection Officer, Beech House, Brotherswood Court, Bradley Stoke, Bristol, EX32 4QW. Alternatively, if you wish to make contact but are unable to use any of the above methods, please contact the Registered Manager who will be able to put your queries forward to the team.

TYPES OF PERSONAL INFORMATION WE USE AND OUR LAWFUL BASIS FOR DOING SO

4.1         We process your personal information for a number of reasons. This is to ensure that we can offer our Family Members with whom you are associated the best care, protection and support possible and regulate the care we provide (for example, in ensuring that our Family Member needs/preferences can be met, and in relation to complaints raised by or in respect of you in order to regulate the care provided or your conduct or concerns about you which may put Family Member/our team members at risk); in order to contact you where necessary in relation to their care (for example, in the event of an emergency); and in order to make any necessary decisions around a Family Member’s placement (including in considering making an offer of, or decision around the sustainability of, a placement). Without this information, we may not be able to offer a Family Member a placement or sustain the Family Member’s placement at Hatherleigh Care Village

4.2         In accordance with the Data Protection Laws, we need a lawful basis for collecting and using information about you. These lawful bases are set out in Article 6 of the UK GDPR and, depending on the type of data, may require reliance on additional safeguards set out in Articles 9 and 10 of the UK GDPR and within the Data Protection Act 2018.

Standard personal data:

4.3         We will process standard personal data about you. Please refer to the Appendix to see the types of data we might process about you.

4.4          Our Article 6 GDPR lawful basis for processing this type of data will depend on the circumstances, but will include the following (as appropriate):

4.4.1     You have given us clear consent to process your personal data (in the circumstances where consent is the only available lawful basis) (Article 6(1)(a)) of the UK GDPR); or

4.4.2     It is necessary in order for us to perform our contract with the Family Member/you/the Family Member’s commissioning body (Article 6(1)(b) of the UK GDPR); or

4.4.3     It is necessary to meet legal / regulatory obligations (Article 6(1)(c) of the UK GDPR); or

4.4.4     It is necessary for our legitimate interests (where they are not overridden by your rights) (Article 6(1)(f) UK GDPR).

Special categories of personal data:

4.5         Some of the information which we may process about you will be “special category personal data” and criminal activity data. Special category personal data and criminal activity data (see further below) require a greater level of protection than standard personal data. Please refer to the Appendix to see the types of special category personal data and criminal activity data we might process about you.

TYPES OF PERSONAL INFROAMTION WE USE AND OUR LAWFUL BASIS FOR DOING SO

4.6         Our Article 6 UK GDPR lawful basis for processing this type of data will depend on the circumstances, but will include the following (as appropriate):

4.6.1      You have given us consent to process your personal data (in the circumstances where consent is the only available lawful basis) (Article 6(1)(a)) of the UK GDPR); or

4.6.2      It is necessary in order for us to perform our contract with the Family Member/you/the Family Member’s commissioning body (Article 6(1)(b) of the UK GDPR); or

4.6.3      It is necessary to meet legal / regulatory obligations (Article 6(1)(c) of the UK GDPR); Or

4.6.4      It is necessary to protect your life (Article 6(1)(d) of the UK GDPR); or

4.6.5      It is necessary for our legitimate interests (where they are not overridden by your rights) (Article 6(1)(f) UK GDPR).

4.7         We also require an Article 9 UK GDPR basis and must meet other additional conditions specified within the Data Protection Act 2018 to process this type of data.

Criminal activity data:

4.8         We may process information about you in relation to details of criminal activity in relation to proven and unproven criminal offences (including allegations of criminal activity, investigations into criminal activity, details of proceedings and outcomes of proceedings). Please refer to the Appendix for more details of the data we might process about you.

Our Article 6 UK GDPR lawful basis for processing this type of data will depend on the circumstances, but will include the following (as appropriate):

4.8.1      You have given us consent to process your personal data (in the circumstances where consent is the only available lawful basis) (Article 6(1)(a)) of the UK GDPR); or

4.8.2      It is necessary in order for us to perform our contract with the Family Member/you/the Family Member’s commissioning body (Article 6(1)(b) of the UK GDPR); or

4.8.3      It is necessary to meet legal / regulatory obligations (Article 6(1)(c) of the UK GDPR); or

4.8.4      It is necessary for our legitimate interests (where they are not overridden by your rights) (Article 6(1)(f) UK GDPR)

4.9         We also require an additional Article 10 UK GDPR condition for processing this type of data, and must meet other additional conditions specified within Schedule 1 of the Data Protection Act 2018 to process this type of data.

SOURCE OF YOUR PERSONAL INFORMATION

5.1         The information described at section 4 which we collect about you will be obtained through a variety of sources which may include:

5.1.1      From you directly prior to, during or after the Family Member/’s stay with us;

5.1.2      From others prior to, during or after the Family Member’s/’s stay with us;

5.1.3      Information created about you in the course of the Family Member/’s stay with us (for example, data recorded within the Family Member’s care records, care planning records or other ancillary documentation, such as details or your visits or involvement in meetings in relation to their interests and details of any complaints that you have raised);

5.1.4      Information which you have otherwise made public;

5.1.5      From social media activity (such as Facebook, Linkedin etc.);

5.1.6      From external healthcare providers such as the NHS, your GP, hospital staff etc. and multi-disciplinary teams;

5.1.7      From safeguarding authorities / commissioning bodies and Integrated Care Boards / social services and other regulators (such as the Nursing and Midwifery Council and Information Commissioner’s Office) (and in some circumstances, their professional advisors or authorised representatives).

5.1.8      From the Police and other law enforcement agencies (for example, the Home Office), the courts, the Office of the Public Guardian and coroners.

5.1.9      From auditors / professional advisors (including solicitors and insurers).

5.1.10   From other entities/persons which fall outside of this list which is made known to us which may be related to the Family Member and their residency; and

5.1.11   Because circumstances are variable and change with time there may in some instances be situations outside the list above and we regularly review our Privacy Statement for Relatives, Friends and Carers to assess whether any updates are required.

COMPLYING WITH DATA PROTECTION LAW

6.1         We will comply with the Data Protection Laws when using your personal information. At the heart of the Data Protection Laws are the data protection principles (Article 5(1) of the UK GDPR) which say that the personal information we hold about you must be:

6.1.1      Processed lawfully, fairly and in a transparent way;

6.1.2      Collected only for specified, explicit and legitimate purposes and not used in any way that is incompatible with those purposes;

6.1.3      Adequate and relevant to the purposes we have told you about and limited only to those purposes;

6.1.4      Accurate and, where necessary, kept up to date;

6.1.5      Kept only as long as necessary for the purposes we have told you about; and

6.1.6      Processed in a manner that ensures appropriate security.

SHARING YOUR INFORMATION

7.1         We will share your personal information with third parties where we have a lawful basis for doing so.

7.2         The types of organisations/persons with which we may share your personal data are as follows:

7.2.1      External healthcare providers and multi-disciplinary teams healthcare providers such as your GP, hospital staff, dentists, other care providers etc;

7.2.2      Safeguarding authorities / commissioning bodies and Integrated Care Boards / social services / other regulators (such as the Nursing and Midwifery Council and the Information Commissioner’s Office) (and in some circumstances, their professional advisors or authorised representatives);

7.2.3      The Police and other law enforcement agencies (for example, the Home Office), the courts, the Office of the Public Guardian and coroners;

7.2.4      IT service providers: we may use external IT or software providers who may have access to your personal data from time to time as is necessary to perform their services;

7.2.5      Attorneys/Deputies or others who are acting in your best interests (including complainants who have a vested interest in a Family Member’s/’s care, or bodies commissioned for the investigation of complaints, such as the Local Government and Social Care Ombudsman);

7.2.6      Auditors / professional advisors (including solicitors and insurers).

TRANSFERRING INFORMATION OUTSIDE OF THE UK AND THE EUROPOEAN ECONOMIC AREA (EEA)

8.1         We strive to ensure that any data necessary to be shared with the companies we work with (i.e. our supply chains) remains within the UK or the EEA in the first instance. However, some companies that provide services to us are located in, or run their services from, countries outside of these areas and resultantly, on occasion, your personal data may be transferred to countries outside of these areas.

CAN WE USE YOUR INFORMATION FOR ANY OTHER PURPOSE

9.1         We typically will only use your personal information for the purposes for which we collect it. It is possible that we will use your information for other purposes as long as those other purposes are compatible with those set out in this Privacy Statement for Relatives, Friends and Carers. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

STORING YOUR INFORMATION AND DELETING IT

10.1       To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We will only retain your personal information in line with periods calculated using such criteria and in consideration of how long it is reasonable to keep records to show we have met the obligations we have to you and by law, any time limits for making a claim, any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations.

10.2       In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

YOUR RIGHTS

11.1       Under certain circumstances, you have the right to:

11.1.1   Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

11.1.2   Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

11.1.3   Request erasure of your personal information in certain circumstances. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

11.1.4   Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) or public interest as our lawful basis for processing and there is something about your particular situation which leads you to object to processing on this ground. You also have the right to object if we are processing your personal information for direct marketing purposes.

11.1.5   In the limited circumstances where we are relying on your consent as our lawful basis to process your data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. If you withdraw your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another lawful basis for doing so.

11.1.6   Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

11.1.7   Request the transfer of your personal information to another party.

11.2       If you wish to exercise any of the above rights, please contact our Data Protection Officer whose details are set out in Section 3.

AUTOMATED DECISION MAKING

12.1       You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

RIGHT TO COMPLAIN TO THE ICO

13.1       You have the right to complain to the Information Commissioner’s Office (the “ICO”) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF or ico.org.uk.

CHANGES TO THE PRIVACY STATEMENT

14.1       We reserve the right to update this Privacy Statement for Relatives, Friends and Carers at any time where appropriate.

APPENDIX A – STANDARD PERSONAL DATA

The standard personal data we may process about you includes:

  1. Personal details (such as name, date of birth, gender, nationality), contact details (such as your address, personal telephone number and personal email address) in order for us to contact you in relation to your loved one’s residency and in the event that we need to contact you in a emergency in which you/your loved one could be affected;
  2. To allow us to assess that you are the correct person to be communicating with in respect of a Family Member/ before, during and after their residency with us (for example, details of and evidence of your status as their Power of Attorney/Deputy and photographic verification documents);
  3. Financial information (such as bank account details, details about your financial assets (for example, details of any property you own) for the purpose of making necessary checks to ensure that the care and accommodation is affordable for you (if you are making payments relating to the Family Member/’s care), and for the purposes administering payments/refunds relating to the Family Member’s/’s stay with us;
  4. Information about your family and others (such as dependants, next of kin and emergency contact numbers) so we know who to contact if required in connection to the Family Member’s/’s placement;
  5. Security information images/audio of you (such as CCTV footage etc.) in order to ensure public safety i.e. the safety and security of our Family Member and employees and those who visit our premises, as well as identify and help to deter criminal activity (such as vandalism/damage to the property and theft) and create an overall secure living environment for our Family Members, and working environment for our staff;
  6. Information created about you in the course of the Family Member/’s stay with us (for example, data recorded within the Family Member’s care records, care planning records or other ancillary documentation, such as details or your visits or involvement in meetings in relation to their interests and details of any complaints that you have raised, or others have raised about you or the /Family Member which relate to you, and information about you within a Family Member/’s day to day activity documentation required in order to provide them with safe, appropriate and personalised care and accommodation and ensure that we meet their individual requirements);
  7. Communications we have had with you in order to maintain an accurate record of our care and treatment of our Family Member/;
  8. Information about you which would directly impact the Family Member’s/’s residency with us or allow us to properly carry out any necessary disciplinary processes with employees/others, make decisions around your residency, or provide evidence for legal proceedings (including instigating or responding to any claims) and for safeguarding and regulation of care purposes, including for the purposes of responding to complaints;
  9. We may also process your data by sending you email or text message communications in relation to your residency and ask for your views on the ways in which we could improve our services and improve the employment environment pursuant to our care contract;
  10. We may also ask for your consent for information about you to be featured in our marketing material, including (but not limited to) brochures and other such printed and electronic publications, the Hatherleigh Care Village website and social media pages and other promotional pages linked to Hatherleigh Care Village; and
  11. Because circumstances are variable and change with time, there may in some instances be situations outside the list above, and we regularly review our privacy statements to assess whether any updates are required.

APPENDIX B – SPECIAL CATEGORY DATA

The special category personal data which we may process about you (in order to provide you with safe, appropriate and personalised care and accommodation) includes the following:

  1. information about your racial or ethnic origin;
  2. information about your religious beliefs;
  3. information about your sexual orientation, relationship history and political opinions; and
  4. information about your health, including any disabilities or special requirements which you may have (for example, in order to make suitable access arrangements when visiting a care home/hospital), medical condition, vaccination status (in permitted circumstances), records required by care home regulations.

APPEDIX C – CRIMINAL ACTIVITY DATA

We may process criminal activity data about you. This may include;

  1. information in relation to allegations of criminality, investigations and proceedings.
  2. We will only this type of information if it is appropriate and where we are legally able and / or required to do so. Where appropriate, we will collect information about criminal convictions as part of the admission process or we may be notified of such information directly by you/others in the course of the Family Members residency with us. We will use information about criminal convictions and offences in the following ways:
  3. To protect our Family Members and staff from the risk of assault, abuse, theft or possession or any other detriment;
  4. In order to meet legal / regulatory obligations.
  5. Less commonly, we may use information relating to criminal convictions where it is necessary in relation to legal claims, where it is necessary to protect your interests (or someone else’s interests), or where you have already made the information public.
  6. We may also process such information in the course of legitimate business activities with the appropriate safeguards.

APPENDIX D – EXCEPTIONS TO THIS PRIVACY NOTICE

Hatherleigh Care Village is committed to ensuring the lawful, transparent, and secure processing of personal data relating to our Family Members (residents). In accordance with

Article 9(2)(h) of the UK GDPR, we process special category personal data for the provision of health or social care services, ensuring that our Family Members receive safe, effective, and person-centred care.

This appendix outlines our approach to the sharing of personal data in exceptional circumstances outside of this process, ensuring compliance with data protection laws while supporting the health, well-being, and dignity of those in our care.

  1. Legal Basis for Processing and Sharing Personal Data

Under Article 9(2)(h) of the UK GDPR, we are permitted to process special category personal data when necessary for:

  • Preventive or occupational medicine
  • Medical diagnosis
  • Provision of health or social care
  • Treatment or the management of health or social care systems

The Data Protection Act 2018 also requires that appropriate safeguards are in place to protect the rights and freedoms of Family Members.

  1. Scope of Data Sharing

Personal data may be shared lawfully and responsibly with relevant parties where necessary for the continuity of care, safeguarding, regulatory compliance, and risk management. This may include:

Healthcare and Social Care Professionals

  • General Practitioners (GPs)
  • Hospital staff and specialist clinicians
  • Community nurses and district nursing teams
  • Occupational therapists, physiotherapists, and mental health practitioners
  • Safeguarding teams and Adult Social Care services

Emergency and Crisis Support

  • Ambulance services
  • Law enforcement agencies (e.g., police and coroner services in cases of safeguarding or mortality reviews)
  • Crisis intervention teams

Regulatory Bodies and Legal Representatives

  • Care Quality Commission (CQC)
  • Local Government and Social Care Ombudsman
  • Professional regulatory bodies (e.g., Nursing and Midwifery Council)
  • Solicitors acting on behalf of Family Members in legal or safeguarding matters

Family Members and Legal Deputies

  • Next of kin, attorneys, or deputies with relevant permissions under Lasting Power of Attorney (LPA)
  • Appointed advocates or representatives

Internal Staff and Service Providers

  • Nursing home employees involved in direct care delivery
  • IT service providers responsible for secure health record management
  • Data protection and compliance officers
  1. Examples of Personal Data That May Be Shared

We may process and share the following categories of special category personal data when necessary for the provision of care:

  • Health Records: Medical history, current conditions, treatment plans, medication details, MAR charts, TEP forms, care plans, and risk assessments.
  • Clinical Assessments: Occupational therapy reports, falls risk assessments, and nutritional screening.
  • Mental Capacity and Consent Documentation: Information regarding capacity assessments and best-interest decisions.
  • Incident Reports and Safeguarding Concerns: Documentation related to health deterioration, behavioural concerns, and investigations into safeguarding risks.
  • Legal Documentation: Copies of Power of Attorney or deputyship orders when relevant to a Family Member’s care.
  • End-of-Life Care Directives: Advance care plans and decisions regarding resuscitation or palliative care.

This list is not designed to be a comprehensive list but serves as a guide. Any data shared outside this list will only be shared within the specific remit of paragraph 1 above.

Data Protection Measures and Safeguards

To ensure lawful and ethical data sharing, Hatherleigh Care Village adheres to the following safeguards:

  • Strict access controls: Personal data is shared only with authorized individuals with a clear need to know.
  • Secure storage and transmission: Encrypted databases and secure communication channels are used for transmitting sensitive information.
  • Regular audits and training: All staff handling Family Member data undergo GDPR and confidentiality training.
  • Clear consent procedures: Where applicable, Family Members or their legal representatives are informed about data sharing practices.
  • Retention and disposal policies: Personal data is stored only for as long as necessary under legal and operational guidelines and securely disposed of when no longer required.

Compliance and Review

Hatherleigh Care Village ensures compliance with the UK GDPR, the Data Protection Act 2018, and relevant health and social care regulations. This policy is subject to regular review to align with legislative updates and best practices in data protection, safeguarding, and ethical care delivery.