Who we are
Nutley Hall is an independent adult residential care community for people with learning disabilities, offering a homely, social setting and specialising in a broad range of supported activities.
What is a Privacy notice?
Aim and Scope of the Policy
Nutley Hall recognises it must keep all records required for the protection and wellbeing of service users, and those for the effective and efficient running of the care service such as staff records, to comply currently with the Data Protection Act 1998 and its successor Act, when passed by Parliament, and the EU General Data Protection Regulation (GDPR), which comes into force from May 2018 (and which is likely to apply post-Brexit).
In line with its registration under the Data Protection Act and to comply with the GDPR, Nutley Hall understands that it will be accountable for the processing, management, regulation, storage and retention of all personal data held in the form of manual records and on computers.
This means that all personal data obtained and held by Nutley Hall to carry out its activities as a registered care provider must:
- have been obtained fairly and lawfully
- be held for specified and lawful purposes
- be processed in recognition of persons’ data protection rights, which are described in the GDPR in terms of the right:
  - to be informed
  - to have access
  - for the information to be accurate and for any inaccuracies to be corrected
  - to have information deleted (eg if inaccurate or inappropriately included)
  - to restrict the processing of the data to keep it fit for its purpose only
  - to have the information sent elsewhere as requested or consented to (eg in any transfer situation)
  - to object to the inclusion of any information (eg if considered to be irrelevant)
  - to regulate any automated decision-making and profiling of one’s personal data.
- be adequate, relevant and not excessive in relation to the purpose for which it is being used
- be kept accurate and up to date, using whatever recording means are used or agreed (eg manual or electronic)
- not be kept for longer than is necessary for its given purpose (in line with agreed retention protocols for each type of record specified in this document)
- have appropriate safeguards against unauthorised use, loss or damage with clear procedures for investigating any breaches of the data security
- comply with the relevant GDPR procedures for international transferring of personal data.
The policy applies to all manual and electronic records kept by Nutley Hall in relation to service users (including those involved with them, whose personal data might be found on their records), all staff, and any third parties (agencies and professionals) to whom personal data held by the service might have to be disclosed or with whom it might have to be shared.
Why and how we collect information (lawful basis)
Nutley Hall is required to process relevant personal data regarding staff and residents (and their parents & representatives) as part of its operation and shall take all reasonable steps to do so in accordance with this policy. Processing may include obtaining, recording, holding, disclosing, destroying or otherwise using data. In this policy any reference to staff and residents includes current as well as past or prospective individuals.
We may ask for or hold personal confidential information about the data subject which will be used to support delivery of appropriate care and treatment. This is to support the provision of high quality health and social care in accordance with GDPR Article 9(2)(h).
The processing is also necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract – GDPR Article 6 (b).
Residents’ (service users) records contain biographical, personal, medical and other information such as is necessary for contracts, care plans, reviews and needs assessments, and financial information in regard to care fees, funding and personal expenditure – as well as income, benefits and savings if Nutley Hall has responsibility, e.g. as appointee, for administering their financial affairs. As far as possible, residents should know what information is recorded and the reasons why. Information is available to be used by staff only in connection with their professional duties and is not open to third parties, except on a “need to know” basis, e.g. with regard to safeguarding or for health or social care professionals with direct responsibilities for the resident concerned.
Information on staff relates to terms and conditions of employment including: contracts; payroll and pension information; records of qualifications, experience, training and development; recorded supervisions and appraisals; some basic personal information provided voluntarily, e.g. next-of-kin. No sensitive personal data is held. Information is available for and to be used only by those who need it in the course of their professional duties and is also available to the person concerned (data subject) – but is not made available to any third party other than where a regulatory authority has the right of access.
Nutley Hall has taken the following steps to protect everyone’s personal data, which it holds or to which it has access so that it complies with current data protection laws.
- It has appointed Christian Bradford as Data Protection Executive for the processing and controlling of data. He will also have the responsibility of overseeing the effectiveness and integrity of all the data that must be protected.
- Nutley Hall Registered Manager, Raz Levy, is in charge of reviewing and auditing its data protection systems and procedures.
Data subjects (staff, residents, etc.) have the right to access their personal data by writing (which includes emails) to the Data Protection Executive.
If access to personal data is requested by the data subject, it will be provided by the Data Protection Executive within 30 days from the request; the data subject (residents will be supported where necessary) is requested then to read the information carefully and inform the Data Protection Executive in writing at the earliest opportunity if they believe that any of their personal data is inaccurate or untrue, or if they are dissatisfied with the information in any way.
Data subjects are entitled to have personal data rectified if it is inaccurate or incomplete.
Nutley Hall will extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, Nutley Hall will inform the individual within one month of the receipt of the request and explain why the extension is necessary.
If the data subject agrees, we will try to deal with the request informally, for example by providing the data subject with the specific information orally or over the phone.
In the event of a disagreement between Nutley Hall and a data subject regarding personal data, the matter should be taken up under either Nutley Hall’s formal grievance or complaints procedures.
Ultimately, any data subject has the right to complain to the ICO (Information Commissioner’s Office) if they think there is a problem with the way Nutley Hall is handling their data.
Information Commissioner’s Office (ICO)
Helpline on 0303 123 1113
How long is the information retained for?
For employees, the information provided during the application process will be retained by Nutley Hall as part of their employee file for the duration of their employment plus 3 years following the end of their employment. This includes their criminal records declaration, fitness to work, records of any security checks and references. Financial information will be kept for 7 years.
For unsuccessful candidates, the information they have provided until that point will be retained for 12 months from the closing date of the vacancy.
For Residents, all information is retained for 3 years following their demise or transfer. Financial information is kept for 7 years.
Nutley Hall Data Protection Executive is in charge of monitoring retention periods and taking appropriate disposal action when they come to an end.
He has disposal schedules (database) that are reviewed regularly.
When records are no longer required by Nutley Hall, they are destroyed.
Destruction of paper records is carried out by shredding and burning.
To achieve full destruction of digital records, hard delete will be carried out.
Copies and backups will also be deleted.
How information is retained and kept safe
Information is retained in secure electronic and paper records and access is restricted to only those who need to know.
Hard copies of data are kept securely in a locked filing cabinet that can only be accessed by agreed members.
Computer files and all electronic personal data are password protected and only accessed by agreed members of the team.
Nutley Hall is registered with the Information Commissioner’s Office (ICO). Details of our registration can be found on
Enter our registration number (Z125913X) and click ‘search register’.
Technology allows us to protect information in a number of ways, in the main by restricting access. Our guiding principle is that we are holding your information in strict confidence.
How do we keep information confidential?
Everyone working for Nutley Hall is subject to the Common Law Duty of Confidentiality, the Data Protection Act 1998 and the GDPR.
Confidentiality of information is a priority at Nutley Hall, a cornerstone of professional practice and a core value in respecting individuals. All staff are required to maintain confidentiality, and it is important that they remain vigilant both with care of written records and in any oral communication, especially (regarding the latter) in off-duty circumstances.
Who will the information be shared with?
There are exceptions to maintaining confidentiality, for instance in cases of danger, abuse or criminal acts, and staff need to be conversant with the “Whistleblowing” procedure. In any event, Nutley Hall intends to disclose such data as relevant to third parties where the processing is necessary in order to exercise a right or obligation conferred or imposed by law upon Nutley Hall.
To provide best care possible we may share your information with a range of Health and Social Care organisations and regulatory bodies. Information sharing is governed by specific rules and law.
Generally, we would only do this to assist them to carry out their statutory duties (such as usages of healthcare services, public health or national audits).
Updated: 17 May 2018
Raz Levy, Registered Manager