Privacy Policy

Privacy Policy


When Chiron Healthcare At Home Limited processes your personal data, it is required to comply with the
Data Protection Act 2018 (“DPA”) and the UK GDPR (the DPA and UK GDPR are together referred to as the
“Data Protection Legislation”).

Your personal data includes all the information we hold that identifies you or is about you, for example,
your name, email address, postal address, date of birth, location data and in some cases opinions that
we document about you; as well as special categories of data, including but not limited to, medical and
health records, Care Plans and information about your religious beliefs, ethnic origin and race, and
sexual orientation.

Everything we do with your personal data counts as processing it – including collecting, storing, amending,
transferring and deleting it. We are, therefore, required to comply with the Data Protection Legislation to
make sure that your information is properly protected and used appropriately.

This privacy policy provides information about the personal data we process, why we process it and how
we process it.


Our responsibilities


Chiron Healthcare At Home Limited is the data controller of the personal data you provide. We have
appointed Fiona Watt as our Data Protection Officer and they will have day to day responsibility for
ensuring that we comply with the Data Protection Legislation and for dealing with any requests we
receive from individuals exercising their rights under the Data Protection Legislation.


What personal data do we process about you?


We process your personal data in order to fulfil the contract we have entered into with you. We may also
process your personal data to respond to any queries or comments you submit to us and to correspond
with you on a day-to-day basis.

We may need personal data from you to be able to provide services to you, to meet our legal obligations, to
enter into a contract with you and/or to provide you with all the information you need. If we do not receive
the personal data from you, we may be unable to fulfil our obligations to you.

More information about the personal data we may process about you is set out below:

• Identity data such as your first name, middle names, last name, marital status, title, date of birth
and gender;
• Contact data such as your address, email address and telephone numbers;
• Financial data including your bank account and payment card details;
• Transaction data including details about payments made by you;
• Special categories of data including information about your medical background and health; and
diversity/equality information such as your race and ethnicity.

We process most of your information on the grounds of consent from you, legitimate interests (such as
performance of a contract we have entered into with you, protection of the vital interests of a Data Subject
or, in the case of special categories of data, processing for the provision of health or social care or
treatment or the management of health or social care systems or services.

If we obtain consent from you to the processing of your personal data, you can withdraw your consent
at any time. This will not affect the lawfulness of any processing we carried out prior to you
withdrawing your consent.


Who will receive your personal data?


We only transfer your personal data to the extent we need to. Recipients of your personal data include:

• Our Care Management software and it’s hosted data centre
• Our staff (to the extent needed for them to perform their jobs)
• Our financial software system and the relevant hosted data centre
• Healthcare and other professionals involved in your care
• Adult Social Care if they fund part or all of your services.

We do not transfer your personal data outside of the EEA.


How long will we keep your personal data?


We will retain your personal data for 7 years or as mandated by our insurance provider.
Your information will be kept securely at all times. Following the end of the relevant retention period, your
files and the personal data covered by the retention period will be permanently deleted or destroyed.


What are your rights?


You benefit from a number of rights in respect of the personal data we hold about you. We have
summarised the rights which may be available to you below, depending on the grounds on which we
process your data. More information is available from the Information Commissioner’s Office website
(https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-
rights/).

These rights apply for the period in which we process your data.


1. Access to your data


You have the right to ask us to confirm that we process your personal data, as well as having the right
to request access to/copies of your personal data. You can also ask us to provide a range of information,
although most of that information corresponds to the information set out in this privacy policy.

We will provide the information free of charge unless your request is manifestly unfounded or excessive or
repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request
more than one copy of the same information.

We will provide the information you request as soon as possible and in any event within one month of
receiving your request. If we need more information to comply with your request, we will let you know.


2. Rectification of your data


If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that
information. We will comply with your request within one month of receiving it unless we do not feel it is
appropriate, in which case we will let you know why. We will also let you know if we need more time to
comply with your request.


3. Right to be forgotten


In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is
available to you:

• Where we no longer need your personal data for the purpose for which we collected it
• Where we have collected your personal data on the grounds of consent and you withdraw that
consent
• Where you object to the processing and we do not have any overriding legitimate interests
to continue processing the data
• Where we have unlawfully processed your personal data (i.e. we have failed to comply with UK GDPR);
and
• Where the personal data has to be deleted to comply with a legal obligation

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply,
we will let you know.


4. Right to restrict processing


In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means
we will stop actively processing your personal data but we do not have to delete it. This right is available to
you:

• If you believe the personal data we hold is not accurate – we will cease processing it until we can verify
its accuracy
• If you have objected to us processing the data – we will cease processing it until we have
determined whether our legitimate interests override your objection
• If the processing is unlawful; or
• If we no longer need the data but you would like us to keep it because you need it to establish,
exercise or defend a legal claim


5. Data portability


You have the right to ask us to provide your personal data in a structured, commonly used and machine-
readable format so that you are able to transmit the personal data to another data controller. This right
only applies to personal data you provide to us:

• Where processing is based on your consent or for performance of a contract (i.e. the right does not
apply if we process your personal data on the grounds of legitimate interests); and
• Where we carry out the processing by automated means

We will respond to your request as soon as possible and in any event within one month from the date we
receive it. If we need more time, we will let you know.


6. Right to object


You are entitled to object to us processing your personal data:
If the processing is based on legitimate interests or performance of a task in the public interest or
exercise of official authority

• For direct marketing purposes (including profiling); and/or
• For the purposes of scientific or historical research and statistics

In order to object, you must have grounds for doing so based on your particular situation. We will stop
processing your data unless we can demonstrate that there are compelling, legitimate grounds which
override your interests, rights and freedoms or the processing is for the establishment, exercise or defense
of legal claims.


Automated decision making


Automated decision making means making a decision solely by automated means without any human
involvement. This would include, for example, an online credit reference check that makes a decision
based on information you input without any human involvement. It would also include the use of an
automated clocking-in system that automatically issues a warning if a person is late a certain number of
times (without any input from HR, for example).

We do not carry out any automated decision making using your personal data.


Your right to complain about our processing


If you think we have processed your personal data unlawfully or that we have not complied with UK GDPR,
you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority
in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in
touch via other means, as set out on the ICO website: https://ico.org.uk/concerns/.


Any questions?


If you have any questions or would like more information about the ways in which we process your
data, please contact gdpr@chironhealthcareathome.org.uk