Building Better Futures

Privacy Policy

Introduction

COOCI Associates LLP is fully committed to ensuring that we protect the privacy rights of all those we work with, while also maintaining transparent, caring honest and well organised business and communication methods.

When COOCI Associates LLP processes personal data we are required to comply with the Data Protection Act 1998 (“DPA”) up to and including 24 May 2018 and from 25 May 2018, the General Data Protection Regulation 2016 (“GDPR”) (the DPA and GDPR are together referred to as the “Data Protection Legislation”).

This document refers to data pertaining to:

• Clients and their representatives/friends/family
• Support Workers
• COOCI Staff and Associate Case Managers
• Third Parties (examples include Instructing Parties, Professionals or Service Providers linked to COOCI operations or Client service provision)
• COOCI Business Records

Forms of data include:

• Written Documents
• Hardcopy case notes and files
• Database entries
• Images
• Recordings
• Emails
• Text messages
• Spreadsheets

Aim and Purpose

The purpose of this document is to ensure that COOCI Associates LLP has a framework that protects the rights and freedom of individuals in relation to their personal data and adheres to best practice in the management of client information and business records. It aims to define the way in which this organisation collects, manages, and protects data, ensuring that any information processed is;

• the right information
• in the right place
• at the right time
• with the right people
• for the right reasons

This document may be updated at any time to reflect changes in the law or growth of the business, and therefore should be revisited regularly to check for any updates.

For the purpose of this policy, the Partners of COOCI Associates LLP are the Data Controllers, which includes Nikki Ounsworth, Tracey Clarke, Ruth Oakes and Siobhan Gourd. The named Data Protection Officer is Lorraine Sutherland.

What is Personal Data and Data Processing?

Personal data includes all the information we hold that can identify or is about someone, for example a person’s name, email address, postal address, date of birth, next of kin details, location data and in some cases opinions that we document about that person, as well as special categories of data including but not limited to medical and health records, care plans, photographs or recordings, information about religious beliefs, ethnic origin and race, sexual orientation and political views. For staff or support workers employed by our clients, information held would include payroll details, vehicle details, biographies, DBS information, recruitment records, ID documents and photographs.

Everything we do with your personal data counts as processing it, including collecting, storing, amending, transferring and deleting it.

Our Responsibilities

COOCI Associates LLP is the data controller of the personal data you provide. We have appointed Lorraine Sutherland as the Data Protection Officer and they will have day to day responsibility for ensuring that we comply with the Data Protection Legislation and for dealing with any requests we receive from individuals exercising their rights under the Data Protection Legislation. You can contact Lorraine via email: l.sutherland@coociassociates.co.uk

Whose Personal Data do we process?

COOCI Associates LLP processes personal information about clients and their representatives / family / friends, support workers, employers, business contacts and services, suppliers, referral sources, insurance agencies and professional advisors. We also process data relating to COOCI staff. Below is a table which details the reasons we process data, who we process data on, the type of information we process, the legal basis on which we process data, and the types of recipients we may share this data with.

 

DATA SUBJECT	PURPOSE OF USE	DATA TYPE	LEGAL BASIS FOR PROCESSING	RETENTION PERIOD	POTENTIAL RECIPIENTS
Clients	To provide a service to our client, to bill or verify your account, to identify your needs, to meet legal or regulatory requirements, to protect yours or others safety, and to improve, maintain and manage our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to you or if the law requires us to do so.	Name, date of birth, address, contact details, next of kin details, health details, medical records, legal reports, education plans, employment information, police reports, child protection reports, social services reports, employment records, CV, tax/NI numbers, financial records, bank details, passport details, photographs and videos (for rehabilitation purposes), vehicle details, insurance details.	a. Performance of a contract or engagement with you, to provide COOCI services to you, or because you have asked for something to be done so you can enter into such contract. b. To comply with a legal obligation. For example, if we are subpoenaed to court to act as a Witness of Fact in your litigation claim. c. Legitimate Interests. For example, to protect your safety or the safety of others, to meet our regulatory requirements as health professionals, to manage certain operations of COOCI Associates effectively, or to recover debt owing to us. d. Vital Interests. We may need to share your information to in a life-threatening emergency. e. Consent. We seek your consent to work with you and to share necessary information, however please note that there are occasions where if consent is withdrawn, we would still be required to process your data under the above listed legal bases.  Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.	For 8 years following the end of services provided to the Client or 8 years from the last time they were seen by our services. For children, we will retain their personal data until their 25th birthday, or their 26th  birthday if they were 17 years of age when our services were terminated.	External third-party service providers, law enforcement, or other government and regulatory agencies.
Representatives of the Client acting on their behalf. This may include legal services, insurance services or representatives appointed to act on behalf of the needs of an injured person.	To provide our services to the Client, to protect yours, the Client’s or other’s safety, to meet legal or regulatory requirements, and to improve, maintain and manage our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to the client or if the law requires us to do so.	Name, address, contact details, bank details (for client account management purposes for example) and any information that is shared by the data subject, the client or a third party which impacts the client, their care, safety or their rehabilitation objectives.	a. Performance of a contract or engagement with you (on behalf of the client), to provide COOCI services to the client, or because you have asked for something  to  be  done  so  you  can  enter into such contract. b. To comply with a legal obligation. For example, if we are subpoenaed to court to act as a Witness of Fact in the client’s litigation claim. c. Legitimate Interests. For example, to protect the client’s safety or the safety of others, to meet our regulatory requirements as health professionals, to manage certain operations of COOCI Associates effectively,  or  to  recover debt owing to us. d. Vital Interests. We may need to share your information if the Client is unconscious and it is an emergency. e. Consent. We may seek your consent to share necessary information if it not within the normal scope of our practice, however please note that there are occasions where if consent is withdrawn, we would still be required to process your data under the above listed legal bases.  Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.	For 8 years following the end of services provided to the Client or 8 years from the last time they were seen by our services. For children, we will retain their personal data until their 25th birthday, or their 26th  birthday if they were 17 years of age when our services were terminated.	External third party service providers, law enforcement, or other government and regulatory agencies, and person’s with authority to call our records (for example, the Client).
Relatives / Guardians of Client / Friends / Children / key people in the Client’s life	To provide our services to the Client, to protect yours, the Client’s or other’s safety, to meet legal or regulatory requirements, and to improve, maintain and manage our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to you or if the law requires us to do so.	Name, address, contact details, and any information that is shared by the data subject, the client or any third party which impacts the client, their care, safety or their rehabilitation objectives.	a. Legitimate Interests. We process information to maintain the safety of our client and those around them. We also process data to provide an effective service to our client, to meet our regulatory requirements as a health professional, and to manage certain operations of COOCI Associates effectively. b. To comply with a legal obligation (for example if we are subpoenaed to court to act as a Witness of Fact in the client’s litigation claim or if we undergo an audit by the Care Quality Commission). c. Vital interests. We may need to share your information with emergency services in the event our client is unconscious and is in urgent need of medical attention. d. Consent. In certain circumstance we may seek your consent to share necessary or sensitive information, however please note that there are occasions where if consent is withdrawn, we would still be required to process your data under the above listed legal bases.  Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.	For 8 years following the end of services provided to the Client or 8 years from the last time they were seen by our services. For children, we will retain their personal data until their 25th birthday, or their 26th  birthday if they were 17 years of age when our services were terminated.	External third party service providers, law enforcement, or other government and regulatory agencies, and person’s with authority to call our records (for example, the Client).
Solicitors, Deputies and Insurance Providers who COOCI do not have a contract with.	To provide a service to our client, to bill or verify your account, to identify your needs, to meet legal or regulatory requirements, to protect yours or others safety, and to improve, maintain and manage our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to you or if the law requires us to do so.	Name, address, contact details, bank details, reports	a. Legitimate Interests. We process information to maintain the safety of our client and those around them. We also process data to provide an effective service to our client, to meet our regulatory requirements as a health professional, and to manage certain operations of COOCI Associates effectively. b. To comply with a legal obligation (for example if we are subpoenaed to court to act as a Witness of Fact in the client’s litigation claim). c. Consent. There are occasions when we may seek your consent to share necessary information as part of our duties to the client.  Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.	For 8 years following the end of services provided to the Client or 8 years from the last time they were seen by our services. For children, we will retain their personal data until their 25th birthday, or their 26th  birthday if they were 17 years of age when our services were terminated.	External third party service providers, law enforcement, or other government and regulatory agencies, and person’s with authority to call our records (for example, the Client).
Support Workers of the Client (Current and Former)	Recruitment and payroll, providing our services to the Client, protecting yours, the Client’s or other’s safety, meeting legal or regulatory requirements, and improving, maintaining and managing our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to you or if the law requires us to do so.	Name, date of birth, contact details, NOK, health information (to determine suitability to work / sick leave), references, equal opportunity data, DBS status (criminal records information), photographs (for ID), bank details and NI number (for payroll), vehicle details, testimonials, biographies/CV, CQC audits, NDMS website data, accident and incident reports, complaints and safeguarding reports, supervisions, appraisals, grievances and disciplinaries.	a. Legitimate Interests. We process information to maintain the safety of our client and those around them. We also process data to provide an effective service to our client, to meet our regulatory requirements as a health professional, and to manage certain operations of COOCI Associates effectively. Where we support our clients to recruit support workers, we are required to collect personal information in relation to recruitment and the selection process and ongoing duties of your role, on behalf and in support of our client. b. To comply with a legal obligation (for example if we are subpoenaed to court to act as a Witness of Fact in the client’s litigation claim). c. Consent. There are occasions when we may seek your consent to share necessary information as part of our duties to the client.  Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.	Personal data relating to your recruitment and employment role will be kept about you through the duration of your employment role. Following this period, personal information will be kept for 7 years. Any electronic correspondence relating to a client’s rehabilitation programme and direct employment processes will follow the same retention period as Data Subject “Clients”. The Regulation does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.  See this link: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/	External third party service providers, law enforcement, or other government and regulatory agencies, and person’s with authority to call our records (for example, the Client).
Third Parties service providers, law enforcement or other government services.	To provide a service to our client, to bill or verify your account, to identify your needs, to meet legal or regulatory requirements, to protect yours or others safety, and to improve, maintain and manage our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to you or if the law requires us to do so.	Name, address, contact details, any information provided that is considered relevant to the client. For services in this category that we explore on behalf of the client, data processed may also include insurance details (for example, professional indemnity insurance), bank details (for payment of services), CV, and registration details.	a. Legitimate Interests. We process information to maintain the safety of our client and those around them. We also process data to provide an effective service to our client, to meet our regulatory requirements as a health professional, and to manage certain operations of COOCI Associates effectively. b. To comply with a legal obligation (for example if we are subpoenaed to court to act as a Witness of Fact in the client’s litigation claim). c. Contract. Data may be processed if COOCI have a contract directly with you or where information is gathered for the purpose of entering a contract with you. d. Consent. There are occasions when we may seek your consent to share necessary information as part of our duties to the client.  Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal information.	Where the information pertains to Client related services, COOCI Associates will retain the personal data of this category for 8 years following the end of services provided to the client which it pertains to, or 8 years from the last time that client was seen by our services. If the client is a child, we will retain the personal data of this category until the client’s 25th birthday, or their 26th  birthday if they were 17 years of age when our services were terminated.	External third party service providers, law enforcement, or other government and regulatory agencies, and person’s with authority to call our records (for example, the Client).
Employed Staff and Associates	Recruitment and payroll, providing our services to the Client, protecting yours, the Client’s or other’s safety, meeting legal or regulatory requirements, and improving, maintaining and managing our business operations. We do not disclose your information to recipients outside of the EEA unless it is necessary as part of our case management duties to you or if the law requires us to do so.	Name, date of birth, contact details, health information (to determine suitability to work / sick leave), equal opportunity data, next of kin details, DBS status (criminal records information), photographs (for ID and website), bank details and NI number (for payroll), vehicle details, testimonials, biographies/CV, CQC audits, NDMS website data, accident and incident reports, complaints and safeguarding reports, insurance details, training and education records, supervisions, appraisals, grievance and disciplinaries.	a. To collect and maintain information in relation to the recruitment and selection process and ongoing duties as part of your position / role. b. To comply with a legal or regulatory obligations  (for  example,  if we  undergo  an  audit  by the Care Quality Commission). c. Legitimate Interests (for example, to protect your safety or the safety of others, to meet our regulatory requirements as a health professional, or to recover debt owing to us). d. Consent. There are occasions when we may seek your consent to share necessary information that is outside our normal day to day duties.	Personal data will be kept about you throughout the duration of time working with COOCI Associates LLP.  Following this period, personal information will be kept for 7 years. The Regulation does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.  See this link: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-5-retention/	Personal data may be shared with HMRC, your regulatory body, next of kin, financial services, insurance providers, training services, and other relevant providers of equipment or services to COOCI Associates and our service provision, including our web hosting services.
Website Users	To identify your needs, to respond to queries you submit, or to maintain, improve and manage business operations. By continuing to use our website you agree to the terms of this Privacy Policy.	Name, contact details (phone or email address) information pertinent to fulfilling our services, any information that you provide voluntarily in via the contact form, and also any technical information about your visit that may be relevant such as the Internet Protocol (IP) address, operating system and platform, the full Uniform Resource Locators (URL), clickstream to, through and from the website (including date and time), products you searched for, page response times, website errors, length of visits to certain pages etc.	a.       Performance of a contract or engagement with you (or on behalf of the client), to provide COOCI services to the client, or because you have asked for something to be done so you can enter into such contract. b.       Legitimate Interests. We may process data to improve the quality of service we provide and to maintain our website functions. c.       Consent. We may signpost you to other, appropriate services based on your enquiry, if you are consenting to this.	Data provided via online forms will be allocated to one of the above listed data subject categories, which will then indicate the retention period of the data provided. Data collected via Google Analytics which identifies a visitor will be kept for 26 months from the last date the user accessed our website. If a visitor returns to the site, the clock resets.	Third party providers relevant to your enquiry only if you are consenting to the sharing of your information.

External third parties may include the following categories of recipients (not exclusively): Legal Bodies (solicitors, deputies etc), Health and Medical, Professionals, Social Services, Insurance Providers, Police, Child Protection Services, Education Providers, DVLA, HMRC, Guardians or Representatives, Suppliers, Financial Service Providers (for example is support is needed in setting up bank account or if the client needs payrolls support workers), Regulatory Services (for example the Care Quality Commission) or Travel Services.

When processing on the basis of legitimate interests, we will always ensure that the data shared is safeguarded, relevant and limited to what is necessary, and that our interests are balanced against your interests, rights and freedoms. In the case of special categories of data (i.e. information about race, ethnicity, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation), we process information for the provision of health or social care, or treatment, or the management of health or social care systems or services, due to legal obligations, or with your explicit consent.

 

If we obtain consent from you to the processing of your personal data, you can withdraw your consent at any time. This won’t affect the lawfulness of any processing we carried out prior to you withdrawing your consent.

In some instances, we may transfer your personal data outside of the EEA in connection with our contractual duties as case manager, for example when a Service User requests our support to arrange a holiday abroad/outside the EU. When we transfer your personal data out of the EEA, within our practical ability, we will see that a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• We may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
• Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

If we are unable to put in place one of the above safeguards and you still wish for us to transfer your personal data outside of the EEA to secure a requested service, we will discuss options with you to ensure you are informed and in agreement to the proposed international information transfer.

How do we protect your data?

We are committed to ensuring that your information is secure. To prevent unauthorised access or disclosure, we:

• Undertook a Data Protection Impact Assessment to analyse potential risks to our data and systems.
• Provide training on Privacy Legislation and Data Protection practices to all our staff and Associates.
• Developed policies and procedures for all staff and Associates to follow in relation to data protection.
• Store any hardcopy data in a locked filing cabinet behind a locked door.
• Restrict data access within the company so that only those who need to have access to your personal data, do have access to it.
• Only use IT systems and videoconferencing platforms that are GDPR compliant. These include:

Software Name	Has a Security Certificate or information about GDPR Compliance on their website
Iinsight	http://www.iinsight.biz/files/ISO27001-2013-certificate.pdf
Microsoft Office 365 including OneDrive	https://www.microsoft.com/en-us/microsoft-365/blog/2018/02/22/microsoft-365-provides-an-information-protection-strategy-to-help-with-the-gdpr/
Xero	https://www.xero.com/uk/campaigns/xero-and-gdpr/
Foxit	https://developers.foxitsoftware.com/solutions/gdpr-compliance/
Stickman	http://stickman.co.uk/gdpr/
Mailchimp	https://mailchimp.com/legal/privacy/
TSOhost	https://www.tsohost.com/legal/privacy-policy
Moneysoft	https://moneysoft.co.uk/support/gdpr-statement-moneysoft-ltd/
Microsoft Teams	https://privacy.microsoft.com/en-gb/privacystatement
Skype	https://privacy.microsoft.com/en-gb/privacystatement
Zoom	https://zoom.us/privacy
WhatsApp	https://www.whatsapp.com/legal/client
Facetime	https://www.apple.com/legal/privacy/

Website Use

All information provided to COOCI Associates via the website contact forms (for example name, email address or personal information) is sent to the site privately via https encryption and is therefore secure.

How we use cookies

A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site or page. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. COOCI Associates LLP use traffic log cookies to identify which pages are being used. This helps us analyse data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.

Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. COOCI Associates LLP does not use cookie technology to collect Personal Information. You may also wish to refer to www.allaboutcookies.org

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.

The internet is a global environment and using the internet to collect and process data can involve the transmission of data on an international basis. Therefore, by browsing our website and communicating electronically with us, you acknowledge our processing of data in this way. However, we will endeavour to protect all Personal Information collected through our website in accordance with our data protection standards.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this Privacy Policy. You should exercise caution and look at the Privacy Policy applicable to the website in question.

 

What are your rights?

You benefit from several rights in respect of the personal data we hold about you. The rights that are available to you depend on the grounds on which we process your personal data. This means that there are certain scenarios in which we are entitled to refuse to comply with your request. If any of those apply, we will let you know. More information about this can be located at the Information Commissioner’s Office website – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

Individual rights include:

1. The right to access. You have the right to ask us to confirm that we process your personal data, as well as having the right to request access to/copies of your personal data. You can also ask us to provide a range of information, although most of that information corresponds to the information set out in this Privacy Notice.

We will provide the information free of charge unless your request is manifestly unfounded or excessive or repetitive, in which case we are entitled to charge a reasonable fee. We may also charge you if you request more than one copy of the same information.

We will provide the information you request as soon as possible and in any event within one month of receiving your request. If we need more information to comply with your request, we will let you know.

2. The right to rectification. If you believe personal data we hold about you is inaccurate or incomplete, you can ask us to rectify that information. We will comply with your request within one month of receiving it unless we don’t feel it is appropriate, in which case we will let you know why. We will also let you know if we need more time to comply with your
3. The right to be forgotten. In some circumstances, you have the right to ask us to delete personal data we hold about you. This right is available to you:

• Where we no longer need your personal data for the purpose for which we collected it
• Where we have collected your personal data on the grounds of consent and you withdraw that consent
• Where you object to the processing and we don’t have any overriding legitimate interests to continue processing the data where we have unlawfully processed your personal data (i.e. we have failed to comply with GDPR); and
• Where the personal data has to be deleted to comply with a legal obligation

There are certain scenarios in which we are entitled to refuse to comply with a request. If any of those apply, we will let you know.

4. The right to restrict processing. In some circumstances, you are entitled to ask us to suppress processing of your personal data. This means we will stop actively processing your personal data but we don’t have to delete it. This right is available to you:

• If you believe the personal data we hold isn’t accurate – we will cease processing it until we can verify its accuracy
• If you have objected to us processing the data – we will cease processing it until we have determined whether our legitimate interests override your objection
• If the processing is unlawful; or
• If we no longer need the data but you would like us to keep it because you need it to establish, exercise or defend a legal claim.

5. The right to data portability. You have the right to ask us to provide your personal data in a structured, commonly used and machine-readable format so that you are able to transmit the personal data to another data This right only applies to personal data you provide to us:

• Where processing is based on your consent or for performance of a contract (i.e. the right does not apply if we process your personal data on the grounds of legitimate interests); and
• Where we carry out the processing by automated means

We will respond to your request as soon as possible and in any event within one month from the date we receive it. If we need more time, we will let you know.

6. The right to object. You are entitled to object to us processing your personal data:

• If the processing is based on legitimate interests or performance of a task in the public interest or exercise of official authority
• For direct marketing purposes (including profiling); and/or
• For the purposes of scientific or historical research and statistics

In order to object, you must have grounds for doing so based on your particular situation. We will stop processing your data unless we can demonstrate that there are compelling legitimate grounds which override your interests, rights and freedoms or the    processing is for the establishment, exercise or defence of legal claims.

7. Rights in relation to automated decision making and profiling. Automated decision-making means making a decision solely by automated means without any human involvement. This would include, for example, an online credit reference check that makes a decision based on information you input without any human involvement. It would also include the use of an automated clocking-in system that automatically issues a warning if a person is late     a certain number of times (without any input from HR, for example).

COOCI Associates do not carry out any automated decision making using your personal data.

8. Your right to complain about our processing. If you think we have processed your personal data unlawfully or that we have not complied with GDPR, you can report your concerns to the supervisory authority in your jurisdiction. The supervisory authority in the UK is the Information Commissioner’s Office (“ICO”). You can call the ICO on 0303 123 1113 or get in touch via other means, as set out on the ICO website – https://ico.org.uk/concerns/.

If you have any questions or wish to exercise any of the rights set out above, please contact our Data Protection Officer Lorraine Sutherland at COOCI Associates on Ph: 01844 221 200, or via  email: l.sutherland@coociassociates.co.uk