B&M Care Privacy Policy

B&M Care and its subsidiaries (“B&M”, “we”, “us”, “our”) are committed to protecting the privacy and security of your personal data. We are the data controller for the information we hold about you. A data controller is the organisation that makes decisions about the personal data that is being collected and processed, and we are ultimately in charge of and responsible for the processing.

As required by the UK General Data Protection Regulations (“GDPR”) and Data Protection Act 2018, this privacy policy sets out important details about information we may collect and hold about you, how that information may be used and your legal rights. This applies to all of the residents in our care homes including prospective, current and former residents as well as family members, representatives, legal guardians and anyone who may assist you with communications with the home. The Regulations also relate to visitors to our website and to the protection of their personal information.

If you have any queries or concerns in relation to this policy or the use of your data, or you wish to exercise your rights in relation to the data we hold about you, or you wish to make a complaint, please contact our Data Protection Officer through any of the following means:

Address: B&M Care, Old Town Court, 70 Queensway, Hemel Hempstead, Hertfordshire, HP2 5HD
Phone: 01442 236020
Email: info@bmcare.co.uk

The Information Commissioner’s Office (“ICO”) is the UK’s independent regulator for data protection. You can make a complaint at any time to the ICO; however, if appropriate, we hope that you would contact us in the first instance.

B&M Care recognises the importance of protecting the privacy of information collected about visitors to our web site, in particular information that is capable of identifying an individual (“personal information”). This Internet Privacy Policy governs the manner in which our personal information, obtained through the web site, will be dealt with.

We are committed to protecting and preserving the privacy of our visitors when visiting our website or communicating electronically with us. This Privacy Policy contains an explanation of what happens to personal data that you choose to provide to us, or that we collect from you whilst you visit this site.

This Internet Privacy Policy will be reviewed periodically so that you are updated on any changes. We welcome your comments and feedback.

Personal information about visitors to our site is collected only when knowingly and voluntarily submitted. For example, we may need to collect such information to provide you with further Services or to answer or forward any requests or enquiries. It is our intention that this policy will protect your personal information from being dealt with in a way that is inconsistent with applicable privacy laws in the United Kingdom.

Personal information that visitors submit to our site is used only for the purpose for which it is submitted.

In the operation of our website we may collect and process certain data and information relating to you and your use of this site. This data and information is detailed below:

  • Details of visits to our website and the pages and resources that are accessed, including, but not limited to, traffic data, location data and other communication data that may assist us in understanding how visitors use this website.
  • Information that visitors provide to us as a result of filling in forms on our website, such as when a visitor registers for information to be provided.
  • Information provided to us when our visitors communicate with us electronically for any reason.

Apart from where you have consented or disclosure is necessary to achieve the purpose for which it was submitted, personal information may be disclosed in special situations where we have reason to believe that doing so is necessary to identify, contact or bring legal action against anyone damaging, injuring, or interfering (intentionally or unintentionally) with our rights or property, users, or anyone else who could be harmed by such activities. Also, we may disclose personal information when we believe in good faith that the law requires disclosure.

B&M Care strives to ensure the security, integrity and privacy of personal information submitted to our sites, and we review and update our security measures in light of current technologies. Unfortunately, no data transmission over the Internet can be guaranteed to be totally secure.

However, we will endeavour to take all reasonable steps to protect the personal information you may transmit to us or from the use of our site. Once we do receive your transmission, we will also make our best efforts to ensure its security on our systems.

In addition, our employees and the contractors who provide services related to our information systems are obliged to respect the confidentiality of any personal information held by us. However, we will not be held responsible for events arising from unauthorised access to your personal information.

B&M Care uses cookies to provide you with a better experience. These cookies allow us to increase your security by storing your session ID and providing a way of monitoring single user access.

This aggregate, non-personal information is collated and provided to us to assist in analysing the usage of the site.

B&M Care will endeavour to take all reasonable steps to keep secure any information which we hold about you, and to keep this information accurate and up to date. If, at any time, you discover that information held about you is incorrect, you may contact us to have the information corrected.

When we collect data from you, we take reasonably necessary steps to ensure that it is stored securely on our systems and treated in accordance with this privacy policy and the requirements of GDPR.

The B&M Care Website contains links to other websites which are outside of our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their privacy policy, which may differ from ours. We do not accept any responsibility or liability for these policies.

We will take all reasonable and proportionate steps to ensure that any requests for access to any personal details are handled quickly and efficiently and we comply with the ICO’s Code of Practice on Subject Access Requests.

It is important that the personal data we hold about you is accurate and up to date. Please notify us of any changes to your personal data during your relationship with us by speaking directly with the Care Home you are connected with.

What Information Does B&M Care Hold About You?
We hold 2 types of data about you.

The GDPR applies to personal data meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Identifiers can include:

  • Identity – your name, title, address, date of birth, telephone numbers, email address, gender, nationality, marital status, national insurance number, driving licence data, passport data and photographs
  • Contacts – name, title, address, telephone numbers and email address
  • Next of kin – relationship, name, title, address, telephone numbers and email address
  • Care home – your care home, move in date, details of services received from us, leaving date, leaving date reason
  • Financial data – bank account details, details of assets, copies of financial documentation (including but not limited to bank statements), Department for Work and Pensions details and details on your funding arrangements
  • Transaction information – details of payments to and from us and notes for said payments
  • Feedback – any compliments, complaints or general feedback you provide
  • CCTV footage – in areas of the home where CCTV is operational and clearly signed
  • Building access records – includes entry and exit times from visitor books
  • Online data – includes IP address and cookies

Please note that anonymous data cannot be associated with specific individuals. Once data is anonymised and individuals are no longer identifiable, the data will not fall within the scope of the GDPR.

Article 9 of the GDPR refers to sensitive personal data as special categories of personal data. Examples include:

  • Health data – details of your physical and mental health. This can include medical history, diagnosis, treatment, DNACPR, test results, GP records, vaccination records and information you provide during your enquiry, registration or time in our homes
  • Sexual orientation data – any information regarding your sexual orientation, sex life or sexual health
  • Race and ethnicity data
  • Religious and philosophical data
  • Genetic data
  • Biometric data – where used for identification purposes

The information we collect and process about you has either been provided by you when:

  • You contact us via telephone which may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services;
  • You communicate with us via email, social media or our website;
  • You visit one of our homes for an appointment;
  • You engage any of our services;
  • You receive care from us;
  • You subscribe to our publications;
  • You submit a complaint, compliment or general feedback.

Or by third parties which can include:

  • others involved in your care and treatment, for example your GP or the hospital;
  • other health care providers;
  • by third parties such as family, friends and authorised representatives;
  • credit reference agencies;
  • debt collection agencies;
  • government agencies such as HMRC or the Home Office.

As per Article 5(1) of the GDPR, we will ensure that your data is:

  • processed lawfully, fairly and in a transparent way;
  • collected for specified, explicit and legitimate purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes we have told you about;
  • accurate and, where necessary, kept up to date;
  • kept no longer than is necessary for the purposes we have told you about;
  • processed in a manner that ensures appropriate security against unauthorised or unlawful processing and against accidental loss, destruction or damage.

We process your personal data to ensure we offer the best care, support and protection. In order to process your data, we must have a legal basis to do so.

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

As per Article 6(1) of the GDPR, the use of your data shall be lawful only if and to the extent that one of the following conditions is met:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • processing is necessary for compliance with a legal obligation to which the controller is subject;
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Occasionally it will be necessary to process your special category data. This data has a higher level of protection and requires greater justification in order to be used. As per Article 9(2) of the GDPR, the use of your special category data will be lawful if one of the following applies:

  • the data subject has given explicit consent to the processing of personal data for one or more specified purposes;
  • we must process the data in order to carry out our legal obligations or exercise rights in connection with employment;
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • where it is needed in relation to legal claims;
  • where it is needed to protect your interests (or someone else’s interests) and you are not capable of giving your consent;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional;
  • you have already made the data public.

Your data will be treated as strictly confidential at all times. Occasionally we will need to share your data with third parties, but this will only be when we have a lawful basis to do so.

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

Examples of organisations and persons we may share your data with include:

  • Regulatory authorities such as the Care Quality Commission (CQC) and the Information Commissioner’s Office (ICO);
  • Healthcare professionals – including your GP, dentist, hospital staff, emergency services staff and other care providers;
  • Law enforcement agencies – including the Police, Home Office, Courts and the Office of Public Guardians;
  • Your nominated contacts.

We do not transfer your data outside of the EEA.

We do not use any form of automated decision making in our business.

If we wish to use your personal data for a new purpose, not covered by this privacy policy, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions.

We will keep your personal data for no longer than reasonably necessary in order to satisfy potential enquiries relating to your use of the service. To determine the retention period we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, whether we can achieve those purposes through other means and the applicable legal, regulatory, tax and accounting requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

We have installed CCTV to:

  • ensure the security of our and your property and the security of our residents and staff;
  • monitor the security of our premises.

All CCTV is maintained and overseen by our home managers. They, along with senior management, are responsible for carrying out compliance audits and reviewing the need for CCTV. CCTV footage may be shared for the detection and/or prevention of crime or fraud.

Further information can be found in our separate CCTV policy.

In certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you. If you wish to exercise any of your rights, please contact us using the contact details set out above.

12.1. The right to be informed – this privacy notice forms part of that, but we also aim to keep you fully informed during your enquiry and length of stay with us.

12.2. The right to access your personal information (commonly known as a subject access request or SAR) – you are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in the form of your request. If we are unable to do that, we will inform you. If you have made the request electronically (e.g. by email) the information will be provided to you by electronic means where possible.

Under data protection law we must confirm whether we have personal information about you. If we do hold personal information about you, we usually need to explain to you:

  • the purposes for which we use your personal information;
  • the types of personal information we hold about you;
  • who your personal information has been or will be shared with;
  • where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for;
  • if the personal data we hold about you was not provided by you, where we obtained the information from;
  • your right to ask us to amend or delete your personal information (if appropriate);
  • your right to ask us to restrict how your personal information is used or to object to our use of your personal information (if appropriate);
  • your right to complain to the Information Commissioner’s Office;
  • we also need to provide you with a copy of your personal information.

You will not generally have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity (this will be proportionate) and ensure your right to access your personal information (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.

We aim to respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

12.3. The right to request correction of your personal information – we take reasonable steps to ensure that the personal information we hold about you is accurate and complete and up to date. However, if you do not believe this is the case, you can ask us to update or amend it.

12.4. The right to request erasure of your personal information – in some circumstances, you have the right to request the erasure of the personal information that we hold about you. This is also known as the ‘right to be forgotten’. However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.

12.5. The right to object to the processing of your personal information – in some circumstances, you have the right to object to the processing of your personal information. This would usually apply to processing for purposes other than your direct health and care, i.e. research and marketing.

12.6. The right to request a transfer of your personal information – in some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/organisation of your choice. The information must be transferred in an electronic format.

12.7. The right to request restriction of processing of your personal data – this enables you to ask us to suspend the processing of your personal data in the following scenarios:

  • If you want us to establish the data’s accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

12.8. The right to withdraw your consent – you have the right to withdraw your consent where we rely upon this as a legal ground for processing your information.

12.9. The right to complain to the Information Commissioner’s Office – you have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

Making a complaint will not affect any other legal rights or remedies that you have.

More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ and the Information Commissioner’s Office can be contacted through any of the following means:

Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number)
Fax: 01625 524 510
Email: casework@ico.org.uk

Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our privacy policy.