Privacy Policy

INTRODUCTION

Poppy Cottage Limited (“Poppy Cottage”) offers a fully inclusive range of care and support packages for individuals with learning disabilities. These may include anything from 24 hr care and support, to just a couple of visits each week, therefore offering maximum flexibility to the individual and placing authority.

This notice describes how Poppy Cottage collects, uses and manages the information it holds about you, including how the information may be shared and how the confidentiality of customer information is maintained.

The “At a Glance” section contains some important information that will help explain what information we process and why.

AT A GLANCE

1.1     When do we collect personal data about you?

When we refer to personal data in this notice, we mean information that can or has the potential to identify you as an individual.

We will collect and process personal data about you at the following stages:

Stage Description
- Community Enquiry When you enquire about our wide range of services by visiting one of our websites, completing an enquiry form, speaking to us over the telephone or visiting one of our residential homes
- Community Visit When you or a responsible party comes to visit us for a residential tour and to discuss our services in more detail
- Care Assessment When we undertake a more detailed assessment of your medical and care home needs
- Care Agreement When contract negotiations commence and / or agreement to proceed is obtained
- Resident During your stay with us as a resident

1.2     What personal data may we collect from you and why?

Community Enquiry

During this stage we rely on our ‘legitimate interests’ to process your personal data.

Data Category Reason for Processing
- Personal Identifiers
- Contact Details
To provide you or a responsible party with information about services that you request or that we feel may be of benefit to you
- Personal Identifiers
- Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
- Personal Identifiers
- Contact Details
Internal record keeping and administration
- Online identifiers For system administration and internal tracking

Community Visit

During this stage we rely on our ‘legitimate interests’ to process your personal data.

Data Category Reason for Processing
- Personal Identifiers
- Contact Details
To provide you or a responsible party with information about products and services that you request from us
- Personal Identifiers
- Contact Details
To provide you or a responsible party with information about products and services that we feel may be of benefit to you
- Personal Identifiers
- Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
- Personal Information
- Special Category Data Third Party Information
- Other Information
To understand the level of care required (including any medical treatment(s) and specialist care)
- Personal Identifiers
- Contact Details
- Personal Information
- Special Category Data Third Party Information
- Other Information
Internal record keeping and administration

Care Assessment

During this stage we will rely on our ‘legitimate interests’ to process your personal data.

Data Category Reason for Processing
- Personal Identifiers
- Contact Details
To provide you or a responsible party with information about products and services that you request from us
- Personal Identifiers
- Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
- Personal Identifiers
- Contact Details
To maintain contact with you and to provide you with ongoing information about related services that we feel may be of benefit to you
- Personal Information
- Special Category Data Third Party Information
- Other Information
To understand the level of care required (including any medical treatment(s) and specialist care)
- Personal Information
- Special Category Data Third Party Information
- Other Information
Internal record keeping and administration

Care Agreement

During this stage we will rely on ‘contractual necessity’ to process your personal data.

Data Category Reason for Processing
- Personal Information
- Special Category Data Third Party Information
- Other Information
To determine the required pricing structure and prepare the contracts
- Personal Information
- Special Category Data Third Party Information
- Other Information
Internal record keeping and administration

Resident Stage

During this stage we will rely on ‘contractual necessity’ to process your personal data with the exception of data marked with a (#) below where we will rely on ‘legal obligation’.

Data Category Reason for Processing
- Personal Identifiers
- Contact Details
- Personal Information
- Third Party Information
- Other Information
To carry out our obligations to you arising from any contract

Responding to your queries and every day residential needs

- Personal Identifiers
- Contact Details
- Personal Information
- Third Party Information
- Other Information
To carry out our obligations to you arising from any contract

Supporting your medical treatment or care and other benefits

- Personal Identifiers
- Contact Details
- Personal Information
- Financial Information
- Third Party Information
- Other Information
To carry out your obligations to us arising from any contract

Billing, accounting and payment services

- Personal Identifiers
- Contact Details
- Personal Information
- Special Category Data Third Party Information
- Other Information
Responding to requests where we have a legal or regulatory obligation to do so
- Personal Identifiers
- Contact Details
- Personal Information
- Financial Information
- Special Category Data Third Party Information
- Other Information
Assessing the quality and type of care you have received and any concerns or complaints you may raise
- Personal Identifiers
- Contact Details
- Personal Information
- Financial Information
- Special Category Data Third Party Information
- Other Information
Internal record keeping and administration
- Personal Identifiers
- Contact Details
- Personal Information
- Financial Information
- Special Category Data Third Party Information
- Other Information
For internal audit and accounting purposes together with the preparation and review of management information

For further details of the data types contained within each category please refer to the Annex of Personal Data Types which can be found in section 1.11.

Your decision to provide any personal data described above to us is voluntary. If you chose not to provide any of the personal data requested, our ability to enter into a contract and or fulfil obligations to you arising from any contract may be limited.

FURTHER DETAILED INFORMATION

1.3     Data sharing and transfers

In the usual course of business Poppy Cottage may disclose your personal data which will include health information as recorded below (to the extent necessary) to (i) its affiliates, and certain third-party processors Poppy Cottage has retained to perform services on its behalf and pursuant to its instructions.  This may include sharing with:

  • Poppy Cottage Limited for the provision and delivery of services, IT application support, internal audit reviews and investigations, quality assurance, program monitoring, management reporting and other internal purposes
  • Operating companies for internal audit, reviews, management information and reporting.  Full details of the operating companies can be found in the glossary
  • business partners, suppliers and sub-contractors for the provision of the contracted services.
  • organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored.
  • third party debt collectors for the purposes of debt collection.
  • delivery companies for the purposes of transportation.
  • third party service providers who perform services on our behalf based on our instructions, for instance, for the purposes of storage of information and confidential destruction.  We do not authorise these service providers to use or disclose the information except as necessary to perform services on our behalf or comply with applicable legal obligations.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under Data Protection Laws.

Poppy Cottage may also disclose your personal data (ii) if it is required to do so by law or legal process, or (iii) in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements.  Poppy Cottage also reserves the right to transfer Personal Data in the event of an audit or if the company sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation).

1.4     Third country data transfers

Poppy Cottage Limited currently only operates in the United Kingdom. However, in the event that we need to transfer any part of our operations overseas, for example we may transfer the Consumer Personal Data we collect about you to recipients in countries other than the country in which the information originally was collected, we will advise you of the changes to our services.

Poppy Cottage Limited will ensure that access to your personal data will be limited to individuals who have a need to know the information for the purposes described in this Notice, and may include personnel in the HR, IT, compliance, legal, finance, accounting, internal audit, marketing and risk management functions.

Where we transfer your personal data to a country which may not have the same data protection laws as the country in which you initially provided the information, we will protect that information as described in this Privacy Notice and will comply with applicable legal requirements providing adequate protection for the transfer of personal information to recipients in countries other than the one in which you provided the information.  We have implemented appropriate safeguards to ensure an adequate level of data protection, including by concluding data transfer agreements incorporating the European Commission’s Standard Contractual Clauses under Article 46 of the EU General Data Protection Regulation (GDPR). You may contact the Data Protection Officer as indicated below to obtain further information on the transfer mechanism.

1.5     Health information collected during provision of treatment or services

Sensitive personal data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Notice. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies.

Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment and or care. It may also be provided to external service providers and regulatory bodies for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

Medical professionals working with us:  We may share clinical information about you with our medical professionals as we think necessary for your treatment and care.

External practitioners: If we refer you externally for treatment, we may share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral.  It will always be clear when we do this.

Your GP:  If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP.

The NHS:  If you are required to attend hospital, we may share the details of your treatment with the part of the NHS, as necessary to perform further treatment and care.

Care home regulators:  We may be requested, and in some cases required, to share certain information (including personal data and sensitive personal data) about you and your care with regulators such as the CQC.

From time to time we may also make information available on the basis of necessity for treatment, the provision of healthcare and payment.

In an emergency and if you are incapacitated, we may share your personal data (including sensitive personal data) to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

We will use your personal data in order to monitor the outcome of any treatment associated with your care.

1.6     How we protect your personal data

We maintain appropriate technical and organisational measures designed to protect your personal data against loss or accidental, unlawful or unauthorised, alteration, access, disclosure or use.

1.7     Retention period

We retain personal information for as long as we reasonably require it for legal and business purposes. In determining data retention periods, Poppy Cottage also takes into consideration local laws, relevant regulations and contractual obligations.

1.8     Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you. Poppy Cottage reserves the right to charge a reasonable fee based on our administration costs where further copies are requested.
  • Right of rectification – you have the right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply you have the right to request that we restrict the processing.
  • Right of portability – in certain circumstances you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing and profiling

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.

If you would like to exercise any of your data subject rights, please contact us using one of the methods highlighted below.

1.9     Contact Information

Please contact us if you have any questions about our privacy notice or information we hold about you:

  • By email at gillian.hudson@poppycottagelimited.co.uk
  • By writing to us at Data Protection Officer, Poppy Cottage Limited, Denham Green Lane, Denham, Uxbridge UB9 5LG

1.10   Complaints

In the event that you wish to make a complaint about how your personal data is being processed by us (or third parties as described in 1.3 & 1.4 above) please contact the data protection officer at the address detailed above.

If you are not satisfied with how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority at the Information Commissioner's Office (ICO) Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Tel 0303 123 1113 or 01625 5457

1.11   Personal data types & items

Data Type Data Items
Personal Identifiers Residential Account Number
Client ID Number
National Insurance Number
NHS Number
Online Identifiers (IP Address)
Contact Information Name
Address
Email
Telephone
Room Number
Community Name
Personal Information Date of Birth
Dietary Information
Gender
Marital Status
Photograph
Residential Status
Financial Information Bank Details
Personal Assets
Personal Liabilities
Residence Account Balance
Special Category Information Ethnic Origin
Health Information
Religion
Third Party Information Enquirer Details
GP Details
Guarantor Details
NOK Details
POA Details
Responsible Party Details
Spouse Details
Other Information Date of Admission
Details of Incident

1.12   Use of cookies

You can read more about our use of cookies on our cookies page.

1.13   Glossary

Consent

In certain circumstances, we are required to obtain your consent to the processing of your personal data in relation to certain activities.

Article 4 of the GDPR states that (opt-in) consent is "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." In plain language, this means that:

  • you have to give us your consent freely;
  • you have to know what you are consenting to;
  • you should have choice over which processing activities you consent to and which you don’t; and
  • you need to take positive and affirmative action in giving us your consent

We will keep records of the consents that we have received from you.

You have the right to withdraw your consent to these activities. You can do so at any time, and details of how to do so can be found above.

Contractual necessity

Article 6 of the GDPR states that we can process your data on the basis that such processing is necessary in order to enter into or perform a contract with you.

The "contractual performance" lawful basis permits the processing of personal data in two different scenarios:

  • Situations in which processing is necessary for the performance of a contract to which you, the data subject, is a party. This may include, for example, processing your health details for the provision of residential care.
  • Situations that take place prior to entering into a contract such as pre-contractual relations. For example, a formal review of the health confirmation collected during the care package assessment to determine the level of care required and the associated residential costs.

From the point at which contract negotiations commence and throughout your stay with us we will rely on contractual necessity as the lawful basis for the majority of personal data processing activities.

Compliance with legal obligations

Article 6 of the GDPR states that we can process your data on the basis that the we have a legal obligation to perform such processing.  Processing is permitted if it is necessary for compliance with a legal obligation.

Legitimate Interests

Article 6 of the GDPR states that we can process your data where it is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the interests or fundamental rights or freedoms of you which require protection of personal data.

Operating Companies

Poppy Cottage Limited Poppy Cottage
Poppy HousePoppy Lodge
Poppy Place
Poppy Cottage Recruitment Known as Pop In Recruitment

 

Poppy Cottage Careers

We're as dedicated to our team members as we are to our service users. Learn more about working at Poppy Cottage Limited.