Privacy Policy

Relating to users of our services, their families and healthcare professionals

Healthcare Homes Privacy Notice – Relating to users of our services, their families and healthcare professionals

 

We provide residential care services to 48 homes under the Healthcare Homes brand through 3 operating companies, Healthcare Homes Group Limited (‘HHG’), Healthcare Homes (LSC) Limited (‘LSC’) and Healthcare Homes (Spring) Limited (‘Spring’).

We also provide domiciliary care services through 8 branches to about 2,800 clients through 6 operating companies (the ‘Domiciliary OPCOs’).

HHG, LSC, Spring and the Domiciliary OPCOs have the same ownership and senior management. In the rest of this Privacy Notice we shall refer to HHG, LSC, Spring and the Domiciliary OPCOs collectively as “we” and where we use the term “residents”, “clients” or “you” in this notice, we refer to residents in our 48 residential care homes and our domiciliary care clients.

If you are one of our residents, at Appendix 1 you will see which of HHG, LSC and Spring operates your home.

If you are one of our domiciliary care clients, Appendix 2 identifies which Domiciliary OPCO operates your service by reference to the relevant branch.

These Appendices also serve to confirm which Healthcare Homes company is the controller of your personal data and provide the relevant registration we hold for your personal data with the Information Commissioner’s Office (‘ICO’).

We recognise the privacy and security of personal information is of great importance to our residents and clients, their families and friends, our workers and others such as GPs and all those involved in looking after the welfare of our residents and clients.

This notice sets out why we need to collect personal information relating to our residents and clients, and their families, friends and representatives, how we use it and how we protect it. As appropriate, references to ‘you’ include your next of kin, other family, your visitors and your representatives such as attorneys you have appointed under a registered Lasting Power of Attorney or Deputies appointed by the Court of Protection.

Our privacy policy is governed by the overarching principles of collecting and using personal details when they help us provide a better service to you and to meet legitimate interests including to protect you and our workers, lawfully, fairly and transparently.

Since January 2021 your and our data protection rights and obligations are set out in what is known as the United Kingdom General Data Protection Regulation (UK GDPR), which in all material respects replicates EU data protection laws.

The personal information we refer to in this notice includes information that can be used to identify you.

Set out below is the personal information we collect and the reasons why we need it, but if you have any queries, let us know. We have appointed a Data Protection Officer who is responsible for overseeing questions relating to your data protection rights and this notice. Please refer to the “How to Contact Us” section below.

 

How do we collect information from you?

We collect information about you when you or someone on your behalf enquire about our care services, use our website, and become a resident in one of our care homes or start using our domiciliary services. We also collect information when you voluntarily complete customer surveys or provide feedback about our services. As mentioned above this can include information about family, visitors and representatives.

 

What types of information do we collect from you?

Personal data or personal information can be any information about an individual from which that person can be identified. We may collect, use, store and transfer different types of personal data about you which we have grouped together as follows:

When you enquire about our care services

  • Personal information including your name, address, telephone numbers and email address.

When you use our website or interact with our digital marketing communications

  • Any personal details you knowingly provide us with through calls, forms or email, such as your name, address, telephone numbers and email address. We use the information that you provide so we can respond to your requests and communicate with you.
  • Your preferences and use of email updates, recorded by emails we send you (if you select to receive email updates)
  • Your IP Address: this is a string of numbers unique to your computer that is recorded by our web server when you request any page or component on the website. This information is used to measure your usage of the website.
  • When you interact with our websites, we may collect and share certain personal data, including email addresses and phone numbers, with Google to enable ‘Enhanced Conversions’ tracking, which helps us measure the effectiveness of our online advertising campaigns more accurately. This data is securely hashed (encrypted) before being shared with Google to protect your privacy, and we only do so with your explicit consent as required by UK GDPR. You can manage your consent in your privacy settings.
  • We use Google Ads and Google Tag Manager which means, if you call us direct from our website, Facebook page, Google or an advert, we can combine information collected during that call with information about your browsing session. We use this to better understand our customers’ experiences and to tailor the sales experience for all those involved in your becoming one of our residents or clients. We have various providers who supply us with facilities which host data including in relation to our infrastructure, development and support applications such as services software, call centres and our Helpdesk.

Where you are resident in one of our residential care homes or receiving domiciliary care services

  • Personal details including your title, full name, maiden name, marital status, date of birth, gender, contact details including address (billing address or correspondence address), telephone numbers, email addresses (including contact details for your next of kin and representative), NHS number, National Insurance number, your GP and other allied health professionals.
  • Financial information including funding source and bank account information to enable payment of services.
  • Transaction data including details of payments from you for services we provide.
  • Information about your life, including social history, health and wellbeing, treatment and care. This may also include information about your marital status, ethnicity, religion, and sexual orientation and details of medical treatments.
  • Notes and reports about your health and care provision including case assessments, photos and medication provided.
  • Compliments, complaints, accidents and incidents information.
  • Contributions to resident and client questionnaires and surveys.

Where you are the relative, next of kin, attorney or deputy to one of our residents or clients

  • Personal details including title, full name, relationship to the resident or client, contact details including address, telephone numbers, email addresses.

When you visit one of our care homes

  • Name of the visitor, purpose of their visit and car registration details if car parking was used.
  • Information relating to the prevention and detection of crime and the safety of residents and workers including CCTV recording.
  • Information related to the prevention and detection of falls including monitoring of movement and respiration and capturing images and speed of movement.

What technologies do we use in relation to residents, domiciliary clients and their loved ones when delivering our services?

  • We have (and are continuing to develop) a Digital Social Care record system which records your needs and the care we deliver.
  • We have quality and compliance systems, in particular one which is focused on auditing, and another on accidents, incidents, complaints and compliments.
  • We operate a Customer Relationship Management and marketing system.
  • We have a billing system, and we operate a reporting and business intelligence system.

 

What information do we get from or supply to other sources?

  • We work closely with NHS Integrated Care Boards (ICBs, formerly known as CCGs, which are responsible for your health needs), other health authorities, medical professionals, local authorities (who may have responsibilities for your care needs) and regulators to deliver our care services. We will receive information from them regarding your health and care including admission details, care records and medical records.
  • We also work with other companies who provide professional services (including IT service providers), advertising and marketing services.

 

How do we use the information about you?

  • We process your personal data to manage the services we provide you, to carry out our obligations arising from any contracts entered into between us and you, to provide you with information or services you have requested and to process payments and refunds.
  • Your care record will contain detailed information about your health and well-being including illnesses, medical appointments and treatments. This information is critical to ensure that from the outset your needs are assessed and set out in your care record, and so that we can adjust your care plan as and when your needs change. We will share these with medical and allied health professionals who have a legal and legitimate need to use the information to support the care provided to you.
  • We also collect details of your attorney, deputies, family and your visitors as, apart from anything else, we need to ensure we best safeguard the welfare and security of you, other residents and clients, their families and visitors and our employees.
  • We share information within Healthcare Homes to provide necessary administrative and managerial support and to suppliers who help deliver products or services on our behalf.
  • We use either personal or anonymised data to review the performance of our care services as part of our continuing work to improve our services and meet the needs of our residents.
  • We may use details obtained to contact you (and your representative and family) about any changes to your needs and our care services.
  • We may use your personal data to send you, your representative and family marketing information describing services that may be of interest where we have prior consent to do so. You and they may opt out of receiving this information at any time.
  • We share information with ICBs, other health and local authorities, medical professionals and regulators regarding your health and care including admission details, care records and medical records.
  • There is a scheme run by the NHS for using shared confidential resident data for the purposes of NHS planning or research. The provider of our Digital Social Care record system shares anonymised resident data with the NHS for such purposes, but annually we review all confidential resident data, amongst other things, to confirm that it is anonymised (thus ensuring confidentiality) and is only being used by the NHS for these purposes. More details of this scheme can be found at https://www.nhs.uk/your-nhs-data-matters/, which includes how at any time you can stop your confidential resident or client data being used for such purposes. Your care will not be adversely affected even if you opt out from the NHS being able to use information for these purposes.
  • When you use our website, we use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below. The cookies that are categorised as “Necessary” are stored on your browser as they are essential for enabling the basic functionalities of the site. We also use third-party cookies that help us analyse how you use our website, store your preferences, and provide the content and advertisements that are relevant to you. These cookies will only be stored in your browser with your prior consent. You can choose to enable or disable some or all of these cookies but disabling some of them may affect your browsing experience.
  • When you contact our enquiries service, calls may be recorded for training and quality purposes. Our inbound calls and associated data capture are processed securely via software called 8x8, a contracted third party, who adhere to our standards with extended data protection and detection systems. We also use this software to improve the sales experience for both parties.

Circumstances which override data protection obligations we might otherwise apply and which compel us to provide specific information include:

  • Reporting health or safety issues including infectious diseases;
  • Where there is a legal or statutory requirement or court order, or a public authority instructs us to do so;
  • Supporting police investigations, professional conduct hearings and safeguarding investigations in the public interest; where a serious crime or fraud has been committed; if there is a serious risk to the public, resident or employees;
  • Where there is a need to protect children or vulnerable adults who are not able to decide if their personal data should be shared.

In exceptional circumstances, we may be required to share information without your or your representative’s consent. Circumstances may include:

  • Where a serious crime or fraud has been committed.
  • If there is a serious risk to the public, resident or employees.
  • Where there is a need to protect children or vulnerable adults who are not able to decide if their personal data should be shared.

 

Standard Personal Information and Special Category Information

  • Much of the above information is called standard personal information, such as names, addresses, contact details (for you, family, friends and your GP), identification paperwork, financial details and information, and how you use our website and other IT technologies.
  • There is also what is called special category information, which tends to be more sensitive and results in additional protection being afforded to it.
  • Special category information comprises race, ethnic origin, sex life and sexual orientation, religious, cultural and philosophical beliefs, marital status and healthcare.
  • Healthcare information covers both physical and mental aspects and includes genetic and biometric information, medical history and records including of disabilities or special requirements, our care plans, risk assessments and records of the care and support we provide for you.

 

Lawful basis for processing

We care for vulnerable adults in providing our services. These are heavily regulated activities that require collection, processing and storage of a considerable amount of data about the residents, visitors, domiciliary care clients, contractors and in general any person with whom we come into contact that is relevant to the regulated activities we perform.

Article 6 of the UK GDPR sets out the bases for our processing standard personal information, and article 9 likewise for special category information. Different stages and aspects of our relationship with you give different bases. For example, when assessing whether we can meet your needs if you are admitted into a home and how we should contract with you, there will be bases of considering your healthcare requirements, to meet legal and regulatory requirements, and to enable us to contract with you.

To quote the UK GDPR, “processing is necessary”:

  • “For the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract…”
  • “For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller…”
  • “For the purposes of preventive or occupational medicine… medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law…” For example, we are subject to The Care Homes Regulations 2001 as well as other statutes and regulations.
  • Other bases include the necessity to protect your vital interests and our legitimate interests in managing our relationship with you, and where you have provided us with your unambiguous consent: but all bases are prescribed by and confined to the specific purposes for the lawful processing of the particular information.

When we process special category data under article 9 of the UK GDPR, we will do so with your express consent, unless the processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional.

 

How we store, process and protect your data

  • We take the privacy and security of your personal data very seriously. We ensure we handle your data with the highest level of care by having clear internal policies and procedures, physical security to our premises and IT security technologies to prevent the unauthorised access, damage and loss of your data.
  • The personal data that we collect from you is only stored inside the UK, the European Economic Area (EEA), the USA (in accordance with the data bridge that permits certified US companies to receive UK personal data (the ‘UK-US data bridge’) (see https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents)), and countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020) such as Canada, or any other country or international organisation outside of the UK, EEA or USA where we have provided appropriate safeguards in accordance with Article 46 of the UK GDPR, thereby ensuring we achieve the maximum privacy and security in line with UK Data Protection Laws.

 

 Credit card and Online Payments via Elavon

  • Credit card payments are processed securely via our third party payment processing partners, who we have vetted and who have agreed to provide a level of data protection no less than ours.
  • All our website financial transactions are handled through our payment services provider Elavon.
  • We will share information with Elavon only to the extent necessary for the purposes of processing payments you make via our website, refunding such payments and dealing with complaints and queries relating to such payments and refunds.
  • You should only provide your personal information to Elavon after reviewing the Elavon privacy notice.

 

How long will we hold your personal data

  • We will only keep your information for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, contractual or reporting requirements. How long we keep the data for is determined by necessity and law. For example, our regulator the CQC has many record retention requirements. Once your information is no longer required it will be securely destroyed.

 

The right to get your data deleted

  • This is known as the ‘right to erasure’ or the ‘right to be forgotten’.
  • You can ask us to delete your data where retaining it is no longer necessary.
  • Whilst at all times compliant with legislation and acting reasonably, we reserve the right to judge what information we must continue to hold to be able to fulfil our legal and contractual obligations to you and others.
  • We may anonymise your personal data (so that you can no longer be identified) for research and analysis purposes in which case we may use this information indefinitely without further notice to you.
  • Where we process data based solely on your consent, it will only be processed for the purposes prescribed in your consent, and you have the right to withdraw that consent at any time.

 

Market research and feedback

  • We are committed to protecting the privacy of all persons’ personal information we collect for research purposes. This covers all research participant data we house and make available to market research partner organisations. Any third party that receives personal information is obliged to follow all of the same privacy protection regulations as we do.
  • All responses to our research are completely confidential. We collect data in our studies for research purposes only, and our use of that information will be limited to that purpose. Research participant answers will not be used by any entity as an aid for sales or marketing activities unless permission has been expressly granted by research participants.
  • Research participation is voluntary and participants always have the opportunity to decline involvement or to “opt out” of the research after agreeing to participate. We do not collect personal information without research participant consent.
  • At their request, we give research participants access to the personal information we have collected about them. We correct any information that is inaccurate or incomplete, change their consent status, or have their personal information deleted.

 

Marketing

  • We would like to send you (including your representatives and family) information about the services we provide which may be of interest.
  • You and they have a right at any time to request that we stop contacting you and them for marketing purposes or sharing your information internally. If you have recently contacted us regarding our services or are an existing customer or resident, we may contact you to ask for your consent to continue sending you marketing information. If you no longer wish to be contacted for marketing purposes, please contact us at [email protected]

 

Access to your information, portability, and correction

  • You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email or write to us at the address set out in the “How to Contact Us” section below.
  • We try to respond to all legitimate requests within one month. It may take us longer if your request is particularly complex or you have made a number of requests, in which case, we will notify you and keep you updated.
  • You will not have to pay a fee to access your personal data, and you are entitled to receive a copy of your personal data within one calendar month of receipt of your request and once we have verified your identity.
  • It may take us longer if your request is particularly complex or you have made a number of requests, in which case we will notify you and keep you updated.
  • You have the right to receive the personal data you provided to us in a structured, commonly used and machine-readable format or to request that we transmit this data directly to another controller. This portability right only applies when our lawful basis for processing your information is consent, or for the performance of a contract; and we are carrying out the processing by automated means (i.e. excluding paper files).
  • We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
  • We may ask for proof of identity before we share your personal data with you or your representative.

 

Request restriction of processing

You have the right to request us to suspend the processing of your personal data where:

  • You want us to establish the data’s accuracy; or
  • Our use might be unlawful, but you do not want us to erase it; or
  • You need us to hold the data even if we no longer require it as you need it returned to establish and exercise any legal claims; or
  • You have objected to our use of your data, but you need to verify whether we can lawfully use it.

If possible, we will inform any third parties to whom your data has been disclosed of your requirement.

 

Automated decision making

  • You have the right not to be subject to decisions based solely on automated data processing if the decisions have legal impact or significantly affect you.
  • A number of our care assessment systems employ a scoring system to provide an indication of the care delivery that may be required. However, in all cases, human intervention is required when deciding on the care to be provided.

 

Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other sites, please read their own Privacy Notices.

 

Changes to our privacy policy

  • We regularly review our privacy policy and will place any updates on this webpage.
  • This policy was last updated in September 2025.

 

How to contact us

Please contact us if you want to exercise any of your rights or if you have any questions about our privacy policy or information we hold about you.

Oliver Westmancott

Data Protection Officer

The Beeches, Apex 12, Old Ipswich Road, Ardleigh,

Colchester, Essex,

Email: [email protected]

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, like to have the opportunity to deal with your concerns before you approach the ICO so please contact us in the first instance.

 

APPENDIX 1

Residential care home operators home by home and their ICO registrations

 

Healthcare Homes Group Limited

Z1204127

  1. Beaumont Park
  2. Home Close
  3. Home Meadow
  4. Park House
  5. Hillings
  6. The Malthouse
  7. Old Vicarage
  8. Bilney Hall
  9. Claremont
  10. Meadow House
  11. Olive House
  12. Overbury
  13. Saxlingham
  14. Shipdham
  15. St Leonards
  16. The Gables
  17. Manor House
  18. Walcot Hall
  19. Aldringham Court
  20. Barking Hall
  21. Fornham House
  22. Foxgrove
  23. Haughgate
  24. Hillcroft
  25. Maynell
  26. Mill Lane
  27. Oaklands
  28. White House
  29. Uvedale Hall

 

Healthcare Homes (LSC) Limited

ZA070204

  1. Sandown Park
  2. Avon Lodge
  3. Ashley Court
  4. Blandford Grange
  5. Sovereign Lodge
  6. Bedhampton
  7. Tenchley Manor
  8. The Chase
  9. Ashley Gardens
  10. Kingsley Court
  11. Cedar Court
  12. Foxearth Lodge
  13. Handford House

 

Healthcare Homes (Spring) Limited

ZA695862

  1. Oaktree
  2. Romford Grange
  3. Alexandra
  4. Albany
  5. Kingsmead
  6. Ladymead

 

 

APPENDIX 2

Domiciliary care branches, their operating companies and their ICO registrations

 

Norwich branch

Manorcourt Care (Norfolk) Limited

Z5305810

 

Lowestoft branch

Anglia Home Care Limited

Z1558886

 

Thetford branch

Premier Homecare (East) Limited

Z5440099

 

Brooke Branch

South Norfolk Carers Limited

Z524590X

 

Saffron Walden branch

Care Plus (Essex) Limited

ZA082230

 

Privacy Policy
For our employees

Healthcare Homes Privacy Notice – For our employees

 

We recognise the privacy and security of personal information is of great importance to the people we care for, their families and friends, our employees and others such as GPs and all those involved in looking after the welfare of our residents and clients.

Employees and volunteers who work for us can be assured that we value your privacy and want you to understand the choices and control you have over your information that we hold. This notice helps explain both choices and control.

As you are aware the group has been expanding over recent years, and we now have 48 residential care homes run via 3 operating companies and provide about 2,800 hours of domiciliary care services via 8 branches, all under the Healthcare Homes brand through 6 operating companies. Our 3,500 employees are employed by one of these companies, and in this notice, we will refer to them as ‘Healthcare Homes’ or ‘we’.

You can confirm which Healthcare Homes company is your employer by checking your employment contract. It is that company which is the controller of your personal data. At Appendix 1 is a list of the Healthcare Homes companies and the relevant registration of your employer company which holds your personal data with the Information Commissioner’s Office (‘ICO’).

In this notice we set out why we need to collect your personal information, how we use it and how we protect it. As appropriate, references to ‘you’ include your next of kin and other family.

Our privacy policy is governed by the overarching principles of collecting and using personal details when they help us provide a better service to the people we care for and to meet legitimate interests including to protect them and you, lawfully, fairly and transparently.

Since January 2021 your and our data protection rights and obligations are set out in what is known as the United Kingdom General Data Protection Regulation (UK GDPR), which in all material respects replicates EU data protection laws.

The personal information we refer to in this notice includes information that can be used to identify you.

Set out below is the personal information we collect and the reasons why we need it, but if you have any queries, let us know. We have appointed a Data Protection Officer who is ultimately responsible for overseeing questions relating to your data protection rights and this notice. Please refer to the “How to Contact Us” section below.

  

Categories of personal data

Much of the information we hold will primarily have been provided by you and by third parties such as employment agencies, when applying for your job, supplemented by information generated in the course of your employment.

Some may come from other internal sources, such as your line manager, or in some cases, external sources, such as referees.

The types of data we will hold and process for you include:

  • your name
  • your contact details
  • unique personal identifiers and biographical information (e.g. date of birth)
  • photographs of you
  • personal data provided by you for a specific purpose or purposes (for example, disability, marital status and biometric data)
  • information related to the prevention and detection of crime and the safety of employees, residents and clients, including, but not limited to, CCTV recording, images, GPS tracking and IT network activities.

Also:

  • financial information gathered for the purposes of administering payroll, expenses, pension schemes, employee benefits and life insurance
  • your right to work in the UK; copies of passports, visas, DBS Checks and other documents required to ensure compliance with Home Office requirements
  • details of your education, qualifications, previous employments, publications and any associated matters
  • if you have family medical insurance we may hold details of the names and dates of birth of your partner and/or children

The types of information we hold include:

  • your application form, CV, details of your career and references
  • your contract of employment and any amendments to it
  • correspondence with or about you, for example letters to you about changes to your pay or job or, at your request, a letter to your mortgage company confirming your salary
  • information needed for payroll, pension scheme, life insurance, employee benefits and expenses purposes
  • next of kin – contact and emergency contact details
  • forms detailing your nominated beneficiary information on expression of wish forms which are referred to in the event of your death
  • records of holiday, sickness, study leave and other absence
  • information needed for equal opportunities monitoring policy and records relating to your career history at Healthcare Homes, such as training records, appraisals, other performance measures and, where appropriate, disciplinary and grievance records

Sensitive personal data

The information we obtain from you and then process and store (for example, you may give us information by filling in forms on our website, HR System, intranet or by corresponding with us by post, telephone, email or otherwise) may include:

  • your religious affiliation
  • cultural and philosophical beliefs
  • your sexual orientation
  • your ethnic background
  • your nationality
  • your marital status
  • your biometric data
  • general and occupational health records

How your personal data is used

Your data is used by us for a number of business purposes including:

  • Internal reporting and record keeping
  • Administrative purposes (e.g. in order to process payroll, pensions, salary sacrifice arrangements and departmental planning)
  • Responding to data access requests you make
  • Giving access to company resources such as IT Network, business phone usage, time and location attendance, and key card access to premises
  • Issuing references at your request
  • Contacting you, your next of kin, or other relevant contact in case of an emergency
  • Contacting you via your personal mobile telephone number or personal email address regarding company news and information relating to your employment. You may unsubscribe from this service at any time
  • Forms detailing your nominated beneficiary information on expression of wish forms which are referred to in the event of your death
  • Marketing, including images, online, in print and on social media, and internal and external service and excellence recognition and awards (this should be done with your consent)
  • Conducting exit interviews. We may share your personal data with an external company who contacts colleagues leaving the business to arrange exit interviews. You are under no obligation to participate and may decline the invitation.

You will inevitably be referred to in many company documents and records that are produced by you and your colleagues in the course of carrying out your duties and the business of the company.

Where necessary, we may keep information relating to your health and well-being, which could include reasons for absence and GP or Occupational Health reports and notes.

This information will be used in order to comply with our health and safety and occupational health obligations, to consider how your health affects your ability to do your job and whether any reasonable adjustments to your job might be appropriate.

We will also need this data to administer and manage statutory and company sick pay.

We may also use your data to provide cover on medical and life insurance policies if this is applicable to you.

Where we process special categories of information relating to your racial or ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, biometric data or sexual orientation, we will always obtain your explicit consent to those activities unless this is not required by law or the information is required to protect your health in an emergency.

We monitor office computer and telephone/mobile telephone use. We also monitor the whereabouts of colleagues during working hours.

When providing survey and other feedback you acknowledge and consent to the review of your response by authorised personnel who may contact you to address specific feedback, which is a process aligned to ensuring an open and constructive process whilst respecting your privacy. This might be part of a review process, formal or informal, and might extend, for example, to the nomination and seconding of colleagues for particular achievements, excellence awards and such like, both internally and externally.

In relation to our residential care home colleagues, we may also keep records of your hours of work by way of our rota systems, as detailed in the Time & Attendance policy. When you give explicit consent, and after registering your fingerprints in the Time Clock machine at the care homes, we will record the start and finish hours you work using your biometric data. This information is used to grant fast access to your work, calculate your payments, and to avoid impersonation in accessing the residents, premises, or sensitive information. It will not be used for any other purpose. You will have the right to freely choose or change to a different method of clocking used by the care home, for example a PIN number.

So far as domiciliary care services are concerned, our colleagues delivering this service utilise a smartphone app that delivers rotas to them and then tracks their whereabouts during working hours, their delivery of care and their arrival and leaving times.

If you have concerns or queries about any of these purposes, or how we communicate with you, please contact us at the address given below. We will always respect a request by you to stop processing your personal data.

 

Any recipient or categories of recipients of the personal data

We may transfer information about you to other group companies and third party partners for purposes connected with your employment or the management of the company’s business as well as for processing employee benefits.

These include the following:

  • Disclosure and Barring Service
  • Dental and Medical insurance
  • Life Insurance
  • Vehicle insurers
  • Pension organisations
  • Professional Validation bodies
  • Professional Registration bodies
  • Employment Agencies
  • Government agencies
  • Occupational Health Consultants
  • Employee Benefit providers
  • Training and apprenticeship providers
  • Communicating company news
  • Authorised employees who with your consent are involved in feedback communications with you
  • Long service and excellence nominations
  • Conducting exit interviews
  • Employee survey providers

We will only ever share your information for the purposes of managing your employment contract and only when we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.

Other than as mentioned above, we will only disclose information about you to third parties if we are legally obliged to do so e.g. HMRC, Local and Health Authorities, or where we need to comply with our contractual duties to you, for instance we may need to pass on certain information to our external payroll provider, pension, life and medical insurance schemes or when we provide references about you to a new employer.

When sharing information we always look to check the lawful basis for doing so and, where appropriate, ensure that the recipients of such information have provided security assurances and that any contracts we have with them have confidentiality obligations.

 

Purposes and lawful bases of the processing

We will keep and use personal data to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during the recruitment process, whilst you are working for us, at the time when your employment ends and after you have left.

This includes using your information to enable us to comply with the employment contract, to comply with any legal requirements, pursue the legitimate interests of Healthcare Homes and protect our legal position in the event of any legal proceedings.

If you do not provide this data, we may be unable in some circumstances to comply with our obligations and we will tell you about the implications of that decision, which might include putting your continued employment with us at risk where, for example, the absence of such data means that Healthcare Homes might be in breach of its statutory obligations to the people we care for or your colleagues.

We confirm that we are required to hold your personal data for various legal and business purposes, without which we would be unable to comply with our contractual obligations to you and our legal obligations as an organisation.

Article 6 of the UK GDPR sets out the bases for our processing standard personal information, and Article 9 likewise for special category information. Different aspects of our relationship with you give different bases. We may need to consider, for example, any health issues, but we will always have to meet legal and regulatory requirements, and to enable us to contract with you. To quote the UK GDPR, “processing is necessary:

  • for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract…”
  • for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller…”
  • for compliance with a legal obligation to which the controller is subject for the purposes of preventive or occupational medicine… for the assessment of the working capacity of the employee… medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law …” For example we are subject to the Care Homes Regulations 2001 as well as other statutes and regulations.
  • Other bases include the necessity to protect your vital interests and our legitimate interests in managing our relationship with you – and where you have provided us with your unambiguous consent – but all bases are prescribed by and confined to the specific purposes for the lawful processing of the particular information.

 

Purpose of Processing Personal information

We follow good Human Resources practice and will:

  • Provide you with a contract of employment detailing the terms and conditions of your services
  • Let you know what we are going to record about you – at the start of, as well as during your employment with us
  • Show you what we have recorded about you, if you ask.

 

The legitimate interests of the controller or third party, where applicable

We may sometimes need to process your data to pursue our legitimate business interests, for example in preventing fraud, cooperating with law enforcement agencies, courts and other statutory bodies who may request your data to fulfil a statutory requirement or in the course of investigating potential crimes.

Our legitimate interests in processing your data also include ensuring that we uphold the duties of confidentiality, and the duties under statute, that we owe to our residents, clients, other employees and our contractual partners such as the NHS and Local Authorities.

Legitimate interests may also include:

  • Where a serious crime or fraud has been committed.
  • If there is a serious risk to the public, the people we care for or other employees.
  • Where there is a need to protect children or vulnerable adults who are not able to decide if their personal data should be shared.

 

How we store, process and protect your data

  • We take the privacy and security of your personal data very seriously. We ensure we handle your data with the highest level of care by having clear internal policies and procedures, physical security to our premises and IT security technologies to prevent the unauthorised access, damage and loss of your data.
  • The personal data that we collect from you is only stored inside the UK, the European Economic Area (EEA), the USA (in accordance with the data bridge that permits certified US companies to receive UK personal data (the ‘UK-US data bridge’); see https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents), and countries, territories and sectors covered by the European Commission’s adequacy decisions (in force at 31 December 2020) such as Canada, or any other country or international organisation outside of the UK, EEA or USA where we have provided appropriate safeguards in accordance with Article 46 of the UK GDPR, thereby ensuring we achieve the maximum privacy and security in line with UK Data Protection Laws.

 

How long will we hold your personal data

We will keep your personal data only as long as is necessary for the purpose(s) for which it was collected, and in accordance with the statutory retention periods. Data will be securely destroyed when no longer required. You can ask us to delete your data where retaining it is no longer necessary. Whilst at all times compliant with legislation and acting reasonably we reserve the right to judge what information we must continue to hold to be able to fulfil our contract with you and meet our legal, regulatory and reporting obligations.

 

Access to your information and correction – your rights

You have guaranteed rights under the UK GDPR. We will uphold your rights at all times.

These rights are:

  • To be informed:
    • The right to be informed via Privacy Notices such as this one.
  • The right of access:
    • The right to free access to any personal information Healthcare Homes holds about you (See the Contact Us section below).
    • This is free of charge and you are entitled to receive a copy of your personal data within 30 calendar days of our receipt of your subject access request, starting from the point at which we have verified your identity. It may take us longer if your request is particularly complex or you have made a number of requests, in which case, we will notify you and keep you updated.
  • The right of rectification:
    • If you believe your details are incorrect, we are required to correct inaccurate or incomplete data within one month.
  • The right to erasure:
    • Ordinarily under UK GDPR you have the right to have your personal data erased and to prevent processing. This right to erasure is also known as the ‘right to be forgotten’.
    • You may exercise your right to have your personal data erased in a number of circumstances (e.g. if the data is no longer necessary in relation to the purpose for which it was created or you withdraw your consent).
    • Where possible we will comply with all such requests, though some details are part of Healthcare Homes’s permanent records (e.g. historical salary, expenses paid) which cannot reasonably be deleted.
    • Data we hold for statutory purposes such as Tax and Pensions cannot be deleted by law and we will comply with statutory retention periods for such data.
  • The right to restrict processing:
    • You have the right to suppress processing. We are entitled to retain sufficient records and information to meet our legitimate business interests and statutory and regulatory requirements.
    • You can tell us that we can keep your data but must stop processing it, including preventing future mailings and communications.
    • If possible, we will inform any third parties to whom your data has been disclosed of your requirement. An example of this might be a provider of an employee benefits website.
  • The right to data portability:
    • We can provide you with your personal data in a structured, commonly used, machine readable form when you request your data. However, as your data is likely to be across various manual records and IT systems, we will do our best to provide information in a portable format.
  • The right to object:
    • You can object to your personal data being used for profiling, direct marketing or research purposes.
  • Automated Decision making:
    • You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
    • We have processes that automatically assist in creating efficient rotas and care visit arrangements, but they only consider training, location and availability and do not include any other data.
  • The right to withdraw consent at any time, where relevant:
    • Where we are processing data based on your consent, you have the right to withdraw that consent at any time.
  • The right to lodge a complaint with a supervisory authority:
    • Should you have any concerns about how your information is managed by Healthcare Homes, please contact our Data Protection Officer (see Contact Us section below).
    • If you are still unhappy you can then complain to the Information Commissioner’s Office (ICO) via their website (ico.gov.uk).

The source the personal data originates from and whether it came from publicly accessible sources

We may review public data about you, but only to ensure compliance with our policies. An example of this is our social media policy.

Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data

The provision of your personal data for employment purposes is part of the UK statutory requirements and other applicable UK Employment legislation.

The existence of automated decision making, including profiling and information about how decisions are made, their significance and consequences

 

Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other sites, please read their own Privacy Notices.

Changes to our privacy policy

  • We regularly review our privacy policy and will place any updates on this webpage.
  • This policy was last updated in December 2025.

How to contact us

Please contact us if you want to exercise any of your rights or if you have any questions about our privacy policy or information we hold about you.

Oliver Westmancott

Data Protection Officer

The Beeches, Apex 12, Old Ipswich Road, Ardleigh,

Colchester, Essex,

Email: [email protected]

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, like to have the opportunity to deal with your concerns before you approach the ICO so please contact us in the first instance.

 

APPENDIX 1

Healthcare Homes Group Limited – Z1204127

Healthcare Homes (LSC) Limited – ZA070204

Healthcare Homes (Spring) Limited – ZA695862

Manorcourt Care (Norfolk) Limited – Z5305810

Anglia Home Care Limited – Z1558886

Premier Homecare (East) Limited – Z5440099

South Norfolk Carers Limited – Z524590X

Care Plus (Essex) Limited – ZA082230

John Stanley’s Care Agency Limited – Z6950041