What is the lawful basis for LifeCare’s processing activities?
We will only process personal information where we believe we have a lawful basis to do so. The basis for processing will vary from activity to activity. In some instances, processing may have more than one lawful basis.
The following information below summarises the basis on which we process personal information.
||Examples of processing activities
|Processing is necessary for us to meet our legitimate interests as a care service provider, including:
The maintenance of our customer / service user database, the promotion and monitoring of professional standards, and delivery of services we provide to customers / service users.
- General administration for maintaining our customer / service user database.
- Corresponding with customers / service users in respect of the delivery of services within the terms of our specific contracts
- Regulatory activity (e.g. complying with the requirements of OSCR and the Care Inspectorate, and fulfilling our responsibilities with regards applicable legislation).
- Providing customers / service users with relevant news and updates which may be of interest to them
|Processing carried out in the public interest
||Regulatory activity (e.g. complying with requirements of OSCR and the Care Inspectorate and fulfilling our responsibilities with regards applicable legislation).
|Processing necessary for us to comply with our legal obligations.
- Providing information to oversight regulators (including OSCR and the Care Inspectorate).
- Providing information to statutory bodies (e.g. HMRC).
- Providing information to law enforcement agencies.
- Providing customers / service users and donors with relevant news and updates, marketing and other information.
- Use of financial and other information relevant to the delivery of services provided to our customers / service users.
Do we share personal data with third parties?
We will not sell or rent your information to third parties.
We will not share your information with third parties for marketing purposes.
However, in certain circumstances some of the processing activities set out above require us to share personal information with third parties. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.
We may pass your information to our third party service providers working on our behalf, including: agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example to process donations and send you mailings). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes. Please be reassured that we will not release your information to third parties for them to use for their own purposes, unless you have requested us to do so, or we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime.
Third Party Product Providers we work in association with
When you are using our secure online donation pages, your donation is processed by a third party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us.
The following is a list of the main third parties with whom we share personal information:
- Oversight regulators and statutory bodies (e.g. HMRC, OSCR and the Care Inspectorate).
- Local authorities and health care agencies, such as the NHS,
- Software providers which allow us to operate efficient digital processes, including:
- Xero (accounting software)
- eTapestry (fund raising database)
For practical reasons, this is an indicative, but not exhaustive list. Please also note that the list may be updated from time to time.
How long do we retain personal information?
The periods for which we retain personal information depends on the purpose for which the information was obtained but, in general terms, we will retain personal data for so long as required by law, or as may be required for record keeping and legal claims purposes.
Where do we store personal information?
Personal information is mostly processed by our staff at our premises in Edinburgh. To allow us to operate efficient digital processes, we sometimes need to store information in servers located outside of the European Economic Area (‘EEA’), but in the majority of cases your data will remain within the UK. By way of example, this may happen if any of our servers are from time to time located in a country outside of the EEA. These countries may not have similar data protection laws to the UK. By submitting your personal data, you’re agreeing to this transfer, storing or processing. If we transfer your information outside of the EEA in this way, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this Policy.
We may hold your information on our cloud based funding system where the servers are located in the United States. There is an adequacy decision by the European Commission in respect of the United States. This means that the United States to which we transfer your data are deemed to provide an adequate level of protection for your personal information.
However, to ensure that your personal information does receive an adequate level of protection we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the EU and UK laws on data protection: For example, a binding service contract which includes data access, data security and information sharing clauses. If you require further information about these protective measures, you can request it using the contact details below.
We may collect information about the computer or device which is used to access our website. We use this information to improve the user experience and to help us better understand the ways in which our website is used. This may include information about:
- The computer or device type.
- IP address.
- Operating system.
- Browser type and version.
- Time zone setting and browser plug-in types and versions.
This is statistical data about our users’ browsing actions and patterns. It is collected on an anonymous, aggregated basis, and does not identify individual users.
Security precautions in place to protect the loss, misuse or alteration of your information
When you give us personal information, we take steps to ensure that it’s treated securely. Any personal information provided to us via our website is encrypted and protected using SSL encryption. When you are on a secure page, a lock icon will appear on the URL bar of the web browser such as Microsoft Internet Explorer, or the web address will start https://
Non-sensitive details (your email address etc.) are transmitted normally over the Internet, and this can never be guaranteed to be 100% secure. As a result, while we strive to protect your personal information, we cannot guarantee the security of any information you transmit to us, and you do so at your own risk. Once we receive your information, we make our best effort to ensure its security on our systems. Where we have given (or where you have chosen) a password which enables you to access certain parts of our websites, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
We may analyse the personal information which you have submitted to create a profile of your interests and preferences so that we can contact you with information relevant to you. We do not make use of additional information about you from external sources. In some circumstances we may use your personal information to detect and reduce fraud and credit risk.