Our commitment to protecting your privacy - Apollo Home Healthcare

Our commitment to protecting your privacy

Apollo Home Healthcare is the ‘controller’ of the information (‘personal data’) that we collect about website users, candidates, staff, service users and suppliers, which means we are responsible for how your data is processed. The word ‘process’ covers the things that can be done with personal data, including collection, storage, use and destruction.

This privacy notice explains why and how we process your personal data, and explains the rights you have, including among others, the right to access your data, and to object to the way it is processed. Please see the section on ‘Your rights as a data subject’ for more details on your rights and how to exercise them.

Apollo Home Healthcare Limited is registered with the Care Quality Commission to provide complex care to service users in their homes. We have seven registered locations across England delivering care services within the community. Our central registered office is detailed below.

Our contact details are:

Address: Apollo Home Healthcare, Unit 5 Oaktree House, Oaktree Rise, Codsall, Wolverhampton, WV8 1DP
Email: info@apollohomehealthcare.com
Telephone number: 01902 847111

If you have any queries about this notice or anything related to data protection, you can contact our Data Protection Officer, Amanda Swift, at amandaswift@apollohomehealthcare.com. Alternatively, please use the contact details provided above.

Personal data

‘Personal data’ is any information that relates to a living, identifiable person. This will usually include your name, address, contact details, and other information we collect as part of our relationship with you.

It can also include ‘special categories’ of data, which is the official term for information about a person’s race or ethnic origin, religious, political or other beliefs, physical or mental health, trade union membership, genetic or biometric data, sex life or sexual orientation.

The use of this type of data, and of information about criminal convictions and offences, is subject to strict legal controls.

We are committed to protecting your privacy and all your personal data. We only process data if we need to for a specific purpose, as explained below. Most often, we collect your personal data directly from you, through our contact with you.

Your data and how and why we process it

Our data processing allows us to manage and support our relationship with you, comply with legal obligations, improve our services, and achieve our legitimate business aims. The information below gives more details about our purposes for processing data, and the legal basis for each type of processing.

Service Users

As a registered care provider, we must collect personal and health information on our service users. The information is contained in individual files (paper and electronic) and other record systems, all of which are subject to strict security and authorised access policies. Personal information that becomes inactive, e.g. from enquiries or prospective users who do not enter the service, is also kept securely for as long as it is needed, before being safely disposed of.

We process the following data:-

  • General contact details
  • Key code information
  • Next of kin and emergency contacts.
  • Health and medical information
  • Daily logs whilst delivering care
  • Medical protocols
  • Medication information
  • Care plan documentation.
  • Meeting minutes
  • Discharge information
  • Therapy Plans
  • Biometric Data

Please note this is not an exhaustive list.

The bulk of service users’ data is collected directly from them or through the manual completion of forms where consent is given. We also receive data from other medical professionals involved in their care. This can include continuing care assessments, reports on conditions and care needs, and matters such as feed regimes and vent settings for their care delivery.

The data that we collect is limited to the information we require to deliver a safe care service within the community. The processing of your data is to enable Apollo Home Healthcare to fulfil its contractual requirements in line with the contract to deliver care. See Article 6 of the GDPR under Appendix 1 – Processing Conditions.

We also process specific health information, which is in line with ‘special categories’, to provide a health and social care service. See Article 9 of the GDPR under Appendix 1 – Processing Conditions.

As a service user of Apollo Home Healthcare, we will hold information on your medical condition and needs in relation to the care service we deliver. This is known as a special category of personal data under the law, meaning that it must be handled even more sensitively. This data will include the following:

  • Details of your current or former medical conditions and health needs. This may include information about any care you receive, and medicines administered.
  • Details of services you have received from us
  • Details of your nationality, race and/or ethnicity
  • Details of any genetic data or biometric data relating to you

Website Users

We collect a limited amount of data from our website users which we use to help us to improve your experience when using our website and to help us manage the services we provide. This includes information such as how you use our website, the frequency with which you access our website, and the times that our website is most popular.

We may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer. Cookies contain information that is transferred to your computer’s hard drive. They help us to improve our site and to deliver a better and more personalised service. They enable us:

  • To estimate our audience size and usage pattern.
  • To store information about your preferences, and so allow us to customise our site according to your individual interests.
  • To speed up your searches.
  • To recognise you when you return to our site.

You may refuse to accept cookies by activating the setting on your browser which allows you to refuse the setting of cookies. However, if you select this setting you may be unable to access certain parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you log on to our site.

Candidates and Employees

Candidate information is collected directly through the completion of electronic and paper application and consent forms during the initial recruitment process. We also receive data from referees, criminal records checks, and our service users. The information we collect is in relation to recruiting you to deliver a regulated activity to vulnerable service users in their own home. We operate a safe recruitment policy to comply with the Care Quality Commission (CQC) regulation.

We collect the following data:-

  • Name
  • Age/date of birth
  • Sex/gender
  • Photograph
  • Marital status
  • Contact details
  • Education details
  • Employment history
  • Emergency contacts and details of any dependants
  • Referee details*
  • Immigration status
  • Nationality/citizenship/place of birth
  • A copy of your driving licence and/or passport/identity card
  • Financial information (where we need to carry out financial background checks)
  • Social security number (or equivalent in your country) and any other tax-related information
  • Diversity information including racial or ethnic origin, religious or other similar beliefs, and physical or mental health, including disability-related information
  • Details of any criminal convictions, if it is required for a role that you are interested in applying for
  • Extra information that you choose to tell us
  • Extra information that your referees choose to tell us about you
  • Extra information that our service users may tell us about you, or that we find from other third-party sources such as job sites
  • IP address
  • CCTV footage if you attend our premises or service user premises
  • Bank Details
  • Tax code Information
  • DBS update service access*
  • Health Information to certify fitness to work
  • Information from HMRC
  • Signatory information
  • PIN information for Registered Nurses
  • Professional indemnity insurance

Please note that the above list of categories of personal data we may collect is not exhaustive.

Other trusted third parties that we may share your data with are as follows: HM Revenue and Customs, pension scheme providers, legal advisors, and other companies for the purpose of undertaking pre-engagement checks and ensuring your personnel file is compliant for your role, or in order for payments to be administered to you or on your behalf.

Personal data we receive from other sources

We also receive personal data about candidates from other sources. These may include personal data received in the following situations:

  • Your referees may disclose personal information about you
  • Our service users may share personal information about you with us
  • We may obtain information about you from searching for potential candidates from third-party sources, such as LinkedIn and other job sites
  • If you ‘like’ our page on Facebook or ‘follow’ us on Twitter we will receive your personal information from those sites

The processing of your data is to enable Apollo Home Healthcare to provide a safe care service to vulnerable adults and children within the community.

We have a legal obligation to obtain your full employment history and education details and to carry out full pre-employment checks in line with CQC regulation.

We use your diversity information to collect Equal Opportunities data and report this to our regulator, CQC.

We will rely on your consent to process the information marked with an * above, which is collected at the outset of the recruitment process.

We collect information and documentation to establish your right to work as we are legally obliged to do so.

In respect of medical information, it is necessary for us to ensure you are ‘fit to work’ and that there are no restrictions on your practice.

Information in relation to criminal record checks, which are relevant for all care delivery roles, will be processed on the basis that it is necessary for us to comply with the law, or consent will be obtained, if required.

Once you work for Apollo Home Healthcare, we will process your personal data, including financial information, to enable you to fulfil your role and for payroll processing, depending on the specific contractual arrangements and circumstances.

For the purposes of payroll processing, where relevant, we are legally obliged to provide information to HMRC.

Once you work for Apollo Home Healthcare, we may also process your data to fulfil our legitimate interests, i.e. for administrative purposes.

If you leave Apollo Home Healthcare we will hold your data to help us to provide reference details and establish, exercise or defend any actual, threatened or potential legal claims.

See Appendix 1 – Processing Conditions

Suppliers

We may require certain information from our suppliers to enable the organisation to run smoothly. We need contact details of relevant individuals at your organisation so that we can communicate with you. We also need other information such as your bank details so that we can pay for the services you provide, if this is part of the contractual arrangement between both parties. We may collect personal data during the course of our work with you.

The main reasons for using your personal data are to ensure that the contractual arrangements between us can properly be implemented and to comply with legal requirements.

We will seek consent if we are required to share your information with any of our associated third parties, such as our service providers and organisations to whom we provide services.

Who we share your data with

Sometimes we share the data we process with other organisations. The table below explains who we share it with, and why.

| Data Subject | Data Type | Shared With | Sharing Purpose |
|---|---|---|---|
| Service Users | Contact details | Employees, care team & commissioners | To enable delivery of care |
| | Key code information | Employees, care team & commissioners | To enable delivery of care |
| | Emergency contact | Employees, care team & commissioners | To enable delivery of care |
| | Health and medical information | Employees, care team & commissioners | To enable delivery of care |
| | Daily logs | Employees, care team & commissioners | To enable delivery of care |
| | Medical protocols | Employees, care team & commissioners | To enable delivery of care |
| | Medication | Employees, care team & commissioners | To enable delivery of care |
| | Care plan document | Employees, care team & commissioners | To enable delivery of care |
| | Meeting minutes | Employees, care team & commissioners | To enable delivery of care |
| | Discharge information | Employees, care team & commissioners | To enable delivery of care |
| | Therapy plans | Employees, care team & commissioners | To enable delivery of care |
| | Biometric data | Employees, care team & commissioners | To enable delivery of care |
| Candidates & Employees | Name | Employees, regulator & government bodies | Regulatory requirement |
| | Date of birth | Employees, regulator & government bodies | Regulatory requirement |
| | Sex/gender | Employees, regulator & government bodies | Regulatory requirement |
| | Photograph | Employees, regulator & government bodies | Regulatory requirement |
| | Marital status | Employees, regulator & government bodies | Regulatory requirement |
| | Contact details | Employees, regulator & government bodies | Regulatory requirement |
| | Education | Employees, regulator & government bodies | Regulatory requirement |
| | Employment history | Employees, regulator & government bodies | Regulatory requirement |
| | Emergency contact | Employees, regulator & government bodies | Regulatory requirement |
| | Referee details (with consent) | Employees & regulator | Regulatory requirement |
| | Immigration status | Employees, regulator & government bodies | Regulatory requirement |
| | Nationality | Employees, regulator & government bodies | Regulatory requirement |
| | Driving licence / identity card | Employees, regulator & government bodies | Regulatory requirement |
| | Financial information | HMRC and government bodies (DWP) | To process payroll and meet financial reporting requirements |
| | Social security number or equivalent | Employees, regulator & government bodies | Regulatory requirement |
| | Diversity information | Employees, regulator & government bodies | Regulatory requirement |
| | Criminal convictions | Employees, regulator & government bodies | Regulatory requirement |
| | Extra information | Employees, regulator & government bodies | Regulatory requirement |
| | IP address | Employees | To understand candidate location & application activity |
| | CCTV footage | Managers of business | To investigate any reported concerns |
| | Bank details | HMRC and government bodies (DWP) | To process payroll and meet financial reporting requirements |
| | Tax code information | HMRC and government bodies (DWP) | To process payroll and meet financial reporting requirements |
| | DBS update service access (with consent) | Employees, regulator and service user (where requested) | Regulatory requirement |
| | Health information for fitness to work | Employees and regulator | To ascertain fitness to work |
| | HMRC information | HMRC and government bodies (DWP) | To process payroll and meet financial reporting requirements |
| | Signatory information | Employees, regulator & government bodies | Regulatory requirement |
| | PIN for Registered Nurse | Employees, regulator & government bodies | Regulatory requirement |
| | Professional indemnity insurance | Employees, regulator & government bodies | Regulatory requirement |
| Suppliers | Contact details | Employees | To fulfill contractual requirement |
| | Bank details | Employees | To enable payment |
| | Address details | Employees | To enable payment |
| | Employee details | Supplier | To fulfill contractual requirement |

How we store your data

Your personal data is held in both hard copy and electronic formats.

Electronic data, including emails, is stored on our cloud-based servers, which are located in the UK/European Union on our software suppliers’ servers.

Manual records of personal data are not routinely kept, and any manual records are scanned and converted to an electronic format as soon as possible. All manual records are cross-shredded and disposed of on a weekly basis.

How long we keep your data

Information about how long we hold your data for can be found in our retention schedule detailed below.

Some of our retention periods are based on legal requirements, and others are based on the practical reasons we need to keep the data for a certain period of time.

Once we reach the retention period, we will securely delete the relevant data, unless we are legally required to keep it longer, or there are legal reasons why we should keep it longer.

 

Employment records

| Record Type | Retention period |
|---|---|
| Applicant records (unsuccessful). | 6 months unless preferences updated. |
| Candidate and staff working records. | 7 years after employment ceases unless document executed as a deed, in which case 13 years. |
| Criminal records information. | 12 months after last use. |
| Identification documents. | Not less than 2 years from date after employment ceases. |

Payroll and Salary records

| Record | Retention period |
|---|---|
| P.A.Y.E. records, Income tax, NI records and HMRC correspondence. | 3 years after the end of the tax year to which they relate. |
| Records demonstrating compliance with national minimum wage requirements, including hours worked. | 3 years beginning with the day upon which the pay reference period immediately following that to which they relate ends. |
| Details of benefits in kind, income tax records (P45, P60, P58, P48 etc), annual return of taxable pay and tax paid. | 6 years |
| Employee income tax and national insurance returns and associated HMRC correspondence. | 3 years from end of tax year to which they relate. |
| Statutory sick pay (SSP) records. | 3 years after the end of the tax year to which they relate. |
| Wage or salary records (including overtime, bonuses and expenses). | 7 years |
| Records relating to hours worked and payments made to workers. | 3 years |
| Statutory maternity, paternity and shared parental pay records, calculations, certificates or other evidence. | 3 years after the end of the tax year in which the period of statutory pay ends. |

Health and Safety records

| Record | Retention period |
|---|---|
| Records of reportable injuries, diseases or dangerous occurrences. Reportable incidents, diagnoses. Injuries arising out of accident at work (including Apollo Home Healthcare’s accident book). | 3 years from date of the entry. |
| Lists or register of employees who have been exposed to asbestos dust, including health records of each employee. | 40 years from the date of the last entry made in the record. |
| Medical records and details of biological tests under the Control of Lead at Work Regulations. | 40 years from the date of the last entry made in the record. |
| Medical records as specified by the Control of Substances Hazardous to Health Regulations (COSHH). | 40 years from the date of the last entry made in the record. |
| Records of monitoring of exposures to hazardous substances (where exposure monitoring is required under COSHH). | Where the record is representative of the personal exposures of identifiable employees: 40 years from the date of the last entry made in the record. Otherwise, five years from the date of the last entry made in the record. |
| Records of tests and examinations of control systems and protective equipment under COSHH. | 5 years from the date on which the record was made. |

Financial records

Record:

  • All money received and spent by the company, including grants and payments from coronavirus support schemes.
  • Details of assets owned by the company.
  • Debts the company owes or is owed.
  • Stock the company owns at the end of the financial year.
  • The stock takings you used to work out the stock figure.
  • All goods bought and sold.
  • Who you bought and sold them to and from.
  • Financial records, information and calculations we need to prepare and file annual accounts and company tax return including:
      • All money spent by the company, for example receipts, petty cash books, orders and delivery notes.
      • All money received by the company, for example invoices, contracts, sales books.
      • Any other relevant documents, for example bank statements and correspondence.

Retention period: All records stated in this section for 6 years from the end of the last company financial year they relate to.

Health records

| Record | Retention period |
|---|---|
| Adult health records. | 8 years |
| Adult social care records (including care plans). | 8 years |
| Children’s records (including midwifery, health visiting and school nursing) – can include medical illustrations, as well as video and audio formats. | Up to 25th or 26th Birthday. |
| Clinical audit. | 5 years |
| Clinical diaries. | 2 years |
| Clinical protocols. | 20 years |
| Equipment maintenance logs. | 11 years |
| Inspection of equipment records. | 11 years |
| Incidents – serious. | 20 years |
| Incidents – not serious. | 10 years |
| Non-clinical QA records. | 12 years |
| Patient surveys – individual returns and analysis. | 1 year after return. |
| Patient surveys – final report. | 10 years |
| Policies, strategies and operating procedures – including business plans. | Life of organisation plus 6 years. |
| Quarterly reviews from NHS Trusts. | 6 years |
| Risk registers. | 6 years |
| Staff surveys – individual returns and analysis. | 1 year after return. |
| Staff surveys – final report. | 10 years |
| Occupational health reports. | Keep until 75th birthday or 6 years after the staff member leaves, whichever is sooner. |

Your rights as a data subject

As a data subject, you have the following rights in relation to your personal data:

  • To be informed about how your data is handled;
  • To gain access to your personal data;
  • To have errors or inaccuracies in your data changed;
  • To have your personal data erased, in limited circumstances (sometimes known as the ‘right to be forgotten’);
  • To object to the processing of your personal data for marketing purposes or when the processing is based on the public interest or other legitimate interests;
  • To restrict the processing of your personal data, in limited circumstances;
  • To obtain a copy of some of your data in a commonly used electronic form, in limited circumstances;
  • Rights around how you are affected by any profiling or automated decisions.

If you wish to exercise any of these rights, please contact us.

For more information about these rights, please see the ICO’s website or contact: Apollo Home Healthcare, Unit 5 Oaktree House, Oaktree Rise, Codsall, Wolverhampton, WV8 1DP

Withdrawing consent

If we are relying on your consent to process your data, you may withdraw your consent at any time by contacting us.

Complaints to the Information Commissioner

You have a right to complain to the Information Commissioner’s Office (ICO) about the way in which we process your personal data. You can make a complaint on the ICO’s website.

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. However, we advise that you check this page regularly to keep up to date with any necessary changes.

Appendix 1 – Processing Conditions

Legal conditions for processing (Article 6 of the GDPR):

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.

Special categories data:

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

Legal conditions for processing special categories data (Article 9 of the GDPR):

Processing of special categories of personal data is prohibited unless one of the following applies:

(a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

(b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

(d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

(e) processing relates to personal data which are manifestly made public by the data subject;

(f) processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

(h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

(i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

(j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Special categories personal data may be processed for the purposes referred to in point (h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies or by another person also subject to an obligation of secrecy under Union or Member State law or rules established by national competent bodies.
