Independent Care Review Privacy Notice
How we gather and use personal data
Where there is a word in bold in this document, we have explained what it means in the Glossary at the end.
Who we are
The Independent Care Review is based at the University of Strathclyde. Our address is 94 Cathedral Street, Glasgow, G4 0LG. The University of Strathclyde have a dedicated Data Protection Officer. Any enquiries on the data protection legislation which underpins this document can be made to dataprotection@strath.ac.uk.
The Independent Care Review gather and use personal data about the individuals and organisations it works with. This document explains why it does this and what it does with the information it has. Gathering and using personal information like this means the Independent Care Review are a ‘data controller’.
If you have any questions about this document, or how we use information and data, you can write to us at:
Independent Care Review, 94 Cathedral Street, Glasgow, G4 0LG
email us at:
or call us on:
0141 444 8527
All of the personal data we hold will be treated in accordance with the terms of GDPR. We will regularly check this document covers everything we need it to and update it when necessary.
The types of personal data we collect
The work of the Independent Care Review means it gathers different types of information. These are outlined below:
- Your name
- Your email address
- The organisation you work for
- Any other relevant contact details, such as telephone or post
- The events we have run which you have attended
- Information on the areas of our work you are interested in
- Information on how you have used our website
GDPR says some types of information are sensitive information. This information is given special protection. We will only collect it if we need it for insurance purposes, we need to know it to keep you safe at a meeting or event (such as allergies or health needs) and you have given us your consent to store and use it. Information we routinely gather which counts as sensitive information is:
- Information on your dietary and access requirements
- Information on your health needs
- Information on your support needs
How we collect personal data
Some of the personal data held by the Independent Care Review is given by people themselves. When people register for any of our events, conferences or meetings, they give us their name, the name of the organisation they work for, their contact details and sometimes their personal preferences, like what they would like to eat, or whether they need any help with access or support. People might also provide these details when they get in contact through the website or social media, or by filling out the forms on the website to get involved.
If personal information is collected from you directly, you will be told what it will be used for and asked for your consent to do this.
Personal information is also gathered through the course of the work the Independent Care Review does. If you are involved in any of the participation work, creatives in residence group, workgroups or other methods of engagement, information on who you are might be stored. This would include your name, the name of the organisation you work for, how you have been contacted, your contact details and which areas of work you are interested in.
This document does not cover the data gathered on your experiences or opinions through research, participation or engagement projects. Exemptions from GDPR mean these have their own Privacy Notices. If you are involved in any of the research, participation or engagement projects, you will receive a copy of the relevant document.
Where you have been involved with work directly, or had contact with members of the Independent Care Review Secretariat or Chair, and the details you have given have been stored, you will told and asked for your consent.
When you use the website www.carereview.scot, information is automatically collected on the pages you have visited, how long you have spent on them, the links you have clicked and the documents you have downloaded. One way this is done is by using cookies which help us to know more about website users. You will be asked whether you consent to us using cookies when you visit the website. You can view our Cookie Policy here.
Our how we store personal data
All data collected and stored by the Independent Care Review is transferred to secure servers hosted by the University of Strathclyde. Where removable hardware is used, such as laptops or hard drives, it is fully encrypted and password protected.
Our legal basis for gathering and using personal data
GDPR sets out the lawful bases organisations must meet to store and use personal data. The personal data the Independent Care Review use will have been collected under the lawful basis of consent. This means where your personal data is being stored or used, you will have been given an explanation of how this is done and asked for your consent. You can withdraw your consent at any time, for all or part of your information, by contacting us using any of the methods above.
If the Independent Care Review have purchased a service from you or there is a contract in place between us, the personal data collected relating to this will be stored under the lawful basis of contractual obligation. This means this data is necessary to be able to carry out our work with you and will only be used in this way.
How we use personal data
Personal data will be used to:
- Let you know about news, events and activities the Independent Care Review Secretariat think you might like to hear about.
- Better understand the types of organisations being reached and engaged with.
- Ensure we are engaging with as diverse and representative a group of people as possible.
- Help us to provide you with specific support when you engage with us.
Personal data will not be used to:
- Use a computer or software to make any decisions about you based only on the personal data held.
If the Independent Care Review Secretariat want to use the personal data held on you for a new purpose not covered above we will contact you and explain this new use. This will be done and you will be asked for your consent before your personal data is used in the new way.
Who personal data is shared with
The personal data we have is treated as confidential and only shared with organisations whose services and software are needed to help us provide the best possible service. To do this, other organisations are sometimes used to help process data, such as event bookings or how our website is used. This will only be done after you have given consent. Each of these organisations has provided us with details of their own GDPR compliance. If you would like to see the privacy policy of an organisation we work with, please contact us using any of the methods above.
How long we keep personal data for
Personal data is kept for as long as is necessary to carry out the work it relates to. This depends on the reason your personal data is stored in the first place.
When data is collected for the purposes of events or meetings, it is held until the end of our events process and then deleted from our records, unless you have an ongoing relationship with us and we have consent to keep your information.
When an individual makes a specific information request to or from the Independent Care Review, their data will be held until the completion of this information request and then deleted from our records, unless the individual has made a further request to stay involved.
How we will keep in touch
If you have given us your personal data to register for an event, meeting or conference we will use the contact details you have given us to keep in touch with information about the event you are attending, and any further work you might be interested in if you have given us consent to do that. This might be by post, email or telephone.
If you have given us your personal data and are actively involved with the Independent Care Review through its workgroups or other groups, your information will be stored until the end of the work, unless you withdraw consent sooner.
Your rights and who to contact
You have the right to:
- Ask for a copy of the personal data held about you. You will not be charged for this.
- Ask that we correct any personal data we hold about you which is incorrect or out of date.
- Ask that we delete the personal data we hold about you.
- Withdraw consent to us using your personal data in the ways you’ve said we can.
- Ask that we send all the personal data we hold on you to another company or organisation.
- Ask us to stop using your personal data until you’re happy it is correct and being used in a way you are comfortable with.
- Object to the ways we use personal data.
- Complain to the Information Commissioners Office about the ways we gather or use personal data.
To do any of the above, you can write to us at:
Independent Care Review, 94 Cathedral Street, Glasgow, G4 0LG
email us at:
or call us on:
0141 444 8527.
If you would like to request access to the data that the website holds about you as a website user, please also use the contact details above.
The Information Commissioners Office can be written to at:
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
or called on:
0303 123 1113
Independent Care Review
Participation and Engagement Privacy Notice
All methods of participation and engagement undertaken by the Independent Care Review Secretariat are covered under this Privacy Notice, which should be read in conjunction with our Privacy Policy.
Who we are
The Independent Care Review is based at the University of Strathclyde. Our address is 94 Cathedral Street, Glasgow, G4 0LG. The University of Strathclyde have a dedicated Data Protection Officer. Any enquiries on the data protection legislation which underpins this document can be made to dataprotection@strath.ac.uk.
If you have any questions about this document, or how we use information and data, you can write to us at:
Independent Care Review, 94 Cathedral Street, Glasgow, G4 0LG
Email us at:
info@carereview.scot
or call us on:
0141 444 8527
What we do within Participation and Engagement
The Independent Care Review Secretariat (the Review) undertake a variety of participation and engagement activity across the sector. This is designed to ensure the Review hears from a population of people with care experience, the workforce (paid and unpaid) and families which is as representative as possible. It involves collecting personal data such as name, date of birth and location. The Review may also collect special category (sensitive) personal data as defined under Data Protection legislation such as information about racial or ethnic origin, health and your personal beliefs or opinions. These personal beliefs and opinions form a major part of the Review’s Participation and Engagement.
The Review collects this information in a variety of ways. For example, it might be collected via
surveys or questionnaires, through interviews or focus groups, or by taking photographs, audio or video recordings. For each individual Participation and Engagement activity you will be provided with a Participant Information Sheet and Consent Form, which explains in more detail the kind of information that will be collected, and how this will be done.
Our legal basis for gathering and using this information
Undertaking participation and engagement are a core element of the work of the Review. The Review generally uses the lawful basis of consent to undertake this work. This means where your personal data and/or information you’ve given is being stored or used, you will have been given an explanation of how this is done and asked for your consent. You can withdraw your consent at any time, for all or part of your information, by contacting us using any of the methods above.
Some types of Participation and Engagement work will require the collection of personal data including, where appropriate, special category personal data, in order that the aims of the Review can be achieved. More information on the work we do and our overall aims is available at www.carereview.scot. You will be told of the purpose of the Participation and Engagement work you are involved in before it begins.
The Review will only collect the information that is necessary to undertake each specific piece of Participation and Engagement. It is up to every participant to decide the information they want to share. There is no statutory or contractual requirement to provide your personal data or information to the Review through participating in Participation and Engagement.
The Review will not use your personal data for automated decision making or profiling about you as an individual.
How and where your information will be held
All data collected and stored by the Independent Care Review Secretariat is transferred to secure servers hosted by the University of Strathclyde. Where removable hardware is used, such as laptops or hard drives, it is fully encrypted and password protected. If we are able to anonymise or pseudonymise the personal data you provide we will do this, and will endeavour to minimise the processing of personal data wherever possible.
Who has access to my information?
Your data will be accessed by members of the Review Secretariat, in particular the Participation and Data teams. Before publication in any reports, your data and information will be fully anonymised. On rare occasions, we may ask for your consent to share or use your data and information if we cannot be sure you will not be identified from its publication.
In the course of our Participation and Engagement work, the Independent Care Review work with a small number of Data Processors. These are the 1000 Voices team based at Who Cares? Scotland. Each of these groups/organisations have their own set of data protection policies and protocols which can be found on their websites. We can also make these available on request. It may sometimes be necessary to share your personal information with some of our Data Processors to allow it to be analysed. We will ask for your consent to do this. If you give consent, the information shared will be on a need to know basis, not excessive and with all appropriate safeguards in place to ensure the security of your information.
If, in the course of engaging with us, you tell us something that makes us concerned for your safety or that of others, we will offer you support to help you with that situation. This support will involve passing information on to other organisations about the risks to safety. This might mean we have to pass information on which identifies you. We will always tell you when we’re doing this; we will tell you who is receiving the information and we will make sure they don’t share it any further than is absolutely necessary.
How long is my information kept?
Any data or information shared with the Review will be stored until the end of the Review process in summer 2020, unless you have withdrawn consent for us to store and use your data.
Your rights and who to contact
You have the right to:
- Ask for a copy of the personal data held about you. You will not be charged for this.
- Ask that we correct any personal data we hold about you which is incorrect or out of date.
- Ask that we delete the personal data we hold about you.
- Withdraw consent to us using your personal data in the ways you’ve said we can.
- Ask that we send all the personal data we hold on you to another company or organisation.
- Ask us to stop using your personal data until you’re happy it is correct and being used in a way you are comfortable with.
- Object to the ways we use personal data.
- Complain to the Information Commissioners Office about the ways we gather or use personal data.
To do any of the above, you can write to us at:
Independent Care Review, 94 Cathedral Street, Glasgow, G4 0LG
Email us at:
or call us on:
0141 444 8527.
Glossary
personal data
Personal data is information about a person which could be used to identify them. We might know who you are from the information itself, or by linking that data to other information we have access to. GDPR tells us the rules we must obey when gathering and using personal data.
data controller
GDPR identifies organisations as data controllers. Being a data controller for GDPR means we decide what personal data we collect and how we will use it.
sensitive information
GDPR says some personal data is sensitive information. This data is information we would think of as personal, such as your health, your religion and your ethnicity.
consent
If you have given us consent, you have said we are allowed to use your personal data. To get your consent, we will always tell you what personal data we will be gathering and how we will be using it.
cookies
Cookies are small pieces of data sent from our website to your computer. They remember useful information and tell organisations more about the people using their website.
exemptions from GDPR
Certain information we collect is not covered by GDPR and we are required to treat this differently. Where this is the case, there will be a separate Privacy Notice advising you of how this is done.
privacy notices
GDPR says organisation must give information about how they obey the laws on gathering and using data. The document containing this information is called a privacy notice.
lawful bases
GDPR sets out the lawful bases we must use to gather and use personal data. These are the reasons we must give whenever we want to do this.
legitimate interests
Refers to the lawful basis on which we process data. To comply with the GDPR 2018 we must evaluate the purpose and necessity of processing any personal data before processing takes place. We must also balance any data processing activity with the rights and freedoms of the individual (e.g. ensure that data processing does not infringe rights) before processing data.
If these three conditions are satisfied, legitimate interest is proved and we can therefore process the data in question.
confidential
Information and data that is confidential will be kept private. If information is confidential, we won’t share it with anyone.
withdraw consent
If you withdraw consent, you are telling us that we are not allowed to use your personal data any more. You can withdraw consent at any time.