Website Privacy and Cookies Policy and Procedure

1. Purpose

1.1 The purpose of this policy is to provide a template Privacy Policy that Saffron Support Ltd can adapt to use on its website. The Privacy Policy will apply to all users of the website of Saffron Support Ltd. Following recent guidance from the Information Commissioner’s Office (ICO), the template Cookie Policy has been updated to include further detail on the cookies that Saffron Support Ltd is required to give to users of its website. This policy is a standalone document and is intended to form part of a layered Privacy Policy.

1.2 By using the template Privacy Policy provided, Saffron Support Ltd will ensure that the policy on its website is GDPR compliant.
1.3 To support Saffron Support Ltd in meeting the following Key Lines of Enquiry:

Key Question Key Line of Enquiry (KLOE)

1.4 To meet the legal requirements of the regulated activities that Saffron Support Ltd is registered to provide:

The Privacy and Electronic Communications (EC Directive) Regulations 2003. General Data Protection Regulation 2016
Data Protection Act 2018

WELL-LED

W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed?

2. Scope

2.1 The following roles may be affected by this policy: All staff

2.2 The following Service Users may be affected by this policy: Service Users

2.3 The following stakeholders may be affected by this policy: Family

Advocates
Representatives Commissioners
External health professionals Local Authority

NHS

3. Objectives

3.1 The objective of this policy is to provide assurance that Saffron Support Ltd has a Privacy Policy in place for users of its website that is GDPR compliant.
3.2 This policy will assist with establishing ways of working in terms of the use, storage, retention and security of personal data and will ensure that all Data Subjects, including Service Users, understand the ways in which personal data collected by Saffron Support Ltd via its website is processed.

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 3/8

GDPR08 – Website Privacy and Cookies Policy and Procedure Page 4/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

4. Policy

4.1 Saffron Support Ltd understands that if it operates a website, it may need to update its Privacy Policy to ensure that it is compliant with GDPR. Saffron Support Ltd will use this Privacy Policy as a template for its updated version. Saffron Support Ltd understands that this Privacy Policy only needs to be uploaded
by Saffron Support Ltd to its website if it collects personal data via its website. Saffron Support Ltd will use the template Fair Processing Notice to inform all other Data Subjects, including Service Users, about

how Saffron Support Ltd processes personal data other than personal data collected via the website.
4.2 Saffron Support Ltd understands that the form attached to this policy constitutes the template Privacy Policy. Saffron Support Ltd understands that terms in square brackets are optional (depending on whether they apply to Saffron Support Ltd or not) or require completion by Saffron Support Ltd. Saffron Support Ltd will review the Privacy Policy in its entirety to determine which elements are applicable to its website, and which are not relevant.
For example:

If the template Privacy Policy below refers to personal data that is not collected by Saffron Support Ltd via its website, Saffron Support Ltd will delete references to such personal data

If the website of Saffron Support Ltd does not use cookies, Saffron Support Ltd will delete references to cookies and the Cookie Policy at Saffron Support Ltd

If Saffron Support Ltd does not transfer personal data outside of the EEA, Saffron Support Ltd will delete the section entitled “Where we store your personal data”

If Saffron Support Ltd is not required to appoint a Data Protection Officer, Saffron Support Ltd will delete references to the Data Protection Officer or will consider replacing references to the Data Protection Officer with references to the Privacy Officer at Saffron Support Ltd or other person nominated to have day-to-day responsibility for data protection and GDPR

If Saffron Support Ltd uses personal data collected via its website in a way that is not described in the Privacy Policy, it will consider incorporating additional sections.
This Privacy Policy directs users to a webpage with a contact form or contact details if they wish to contact Saffron Support Ltd. Saffron Support Ltd will consider whether to provide an alternative contact method instead, such as an email address and/or phone number.

If Saffron Support Ltd has any concerns or queries in respect of the template Privacy Policy, it will seek legal advice.
4.3 GDPR has changed the way cookies should be incorporated into websites which means that Saffron Support Ltd must explain what cookies will be set and what the cookies will do to the users of its website. Saffron Support Ltd must obtain consent from individuals to store certain cookies on devices. Cookies that are not strictly necessary need consent which is GDPR compliant which means that Saffron Support Ltd can no longer rely on implied consent.

4.4 Saffron Support Ltd should, therefore, update its processes for collecting consent for cookies. In practice this means:

Users must take a clear and positive action to consent to non-essential cookies

The websites and apps of Saffron Support Ltd must tell users clearly what cookies will be set and what they do, including any third-party cookies

Pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, cannot be used for non- essential cookies

The users at Saffron Support Ltd must have control over any non-essential cookies; and

Non-essential cookies must not be set on landing pages before you gain the user’s consent

Consent is not required for cookies that are defined as “strictly necessary” or that fall within the communication exemption. “Strictly necessary” cookies are those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential, or that are essential for the purposes of Saffron Support Ltd, will still require consent. The communication exemption is about the transmission of a communication over an electronic communications network. For the exemption to apply, the transmission of the communication must be impossible without the use of the cookie. Simply using a cookie to assist the communication is insufficient for the exemption to apply.

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 4/8

GDPR08 – Website Privacy and Cookies Policy and Procedure Page 5/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Saffron Support Ltd should note, in particular, that cookies used for analytical purposes or those used for marketing and advertising will always need consent as they are considered to be non-essential. This guidance may change as the latest draft legislation is subject to some challenges on this point.
Saffron Support Ltd should read the ICO’s cookie guidance available at: https://ico.org.uk/for- organisations/guide-to-pecr/cookies-and-similar-technologies/ for further information on the types of cookie that require consent.

5. Procedure

5.1 Saffron Support Ltd will consider whether or not it collects personal data via its website (for example, via enquiry forms, requests to be sent newsletters, requests for provision of services) and whether it needs a Privacy Policy. Saffron Support Ltd acknowledges that the use of cookies constitutes processing of personal data via the website.
5.2 Saffron Support Ltd will review the template Privacy Policy. Saffron Support Ltd will adapt the Privacy Policy before uploading it to its website to ensure that all aspects of the Privacy Policy are relevant and reflect the ways in which Saffron Support Ltd processes personal data collected via its website. Where Saffron Support Ltd has any concerns or queries in relation to its own Privacy Statement, Saffron Support Ltd will seek legal advice.
5.3 Saffron Support Ltd should use the template Fair Processing Notice to inform all other Data Subjects, including Service Users, about how Saffron Support Ltd processes personal data other than personal data collected via the website.

6. Definitions

6.1 Data Subject

The individual about whom Saffron Support Ltd has collected personal data

6.2 Data Protection Act 2018

The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive

6.3 GDPR
General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data

protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and after a two-year transition period became enforceable on 25 May 2018

6.4 Personal Data

Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, as defined below

6.5 Process or Processing

Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. Saffron Support Ltd does not need to be doing anything actively with personal data – at the point Saffron Support Ltd collects it, it is processing it

6.6 Special Categories of Data

Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services), Care Plans and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views

6.7 Cookies

Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website and can be accessed either by the web server or the client’s computer

6.8 The Information Commissioner’s Office (ICO)

The ICO is the UK’s independent body set up to uphold information rights

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 5/8

GDPR08 – Website Privacy and Cookies Policy and Procedure Page 6/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Key Facts – Professionals

Professionals providing this service should be aware of the following:
The Privacy Policy applies to personal data collected via the website of Saffron Support Ltd

Key Facts – People affected by the service

People affected by this service should be aware of the following:
Personal data provided to Saffron Support Ltd via its website will be processed in accordance with the Privacy Policy at Saffron Support Ltd

Further Reading

As well as the information in the ‘underpinning knowledge’ section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:

What are cookies? http://www.bbc.co.uk/webwise/guides/about-cookies
ICO cookie guidance: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ It is important for Saffron Support Ltd to note that the ePrivacy Regulation which is currently in the draft stage may change the way that consent is required for certain cookies, including analytic cookies. At the time of updating this policy, the draft suggests that using analytic cookies as a simple first-party data analytics tool to learn about website audiences in a non-intrusive way may not require explicit consent. The proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes and the data collected cannot identify an individual. However, it is yet unclear whether external services, such as Google Analytics will benefit from this exemption.
If Saffron Support Ltd only uses analytical cookies for the purpose of learning about website audiences and its website is low risk, we suggest that Saffron Support Ltd may want to wait until the final draft of the ePrivacy Regulation is adopted, further guidance is issued, and website developers have the tools required before updating its cookie banner to seek explicit consent for analytic cookies.

Outstanding Practice

To be ‘ outstanding ’ in this policy area you could provide evidence that:
Saffron Support Ltd has modified the template privacy policy to ensure that it includes all information relevant to the collection of personal data via its website and has uploaded a copy to its website Saffron Support Ltd should ensure that clear links are available to the privacy policy on its website and that, if a person inputs personal data into the website, they are directed to the policy and required to accept its terms
The wide understanding of the policy is enabled by proactive use of the QCS App

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 6/8

GDPR08 – Website Privacy and Cookies Policy and Procedure Page 7/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Forms

The following forms are included as part of this policy:

Title of form

When would the form be used?

Created by

Website Privacy Statement – GDPR08

When the Provider has a website.

QCS

Cookies Example Policy Statement – GDPR08

When Saffron Support Ltd has no information on the use of cookies on its website (a Cookie Policy). It can be used with the Website Privacy Statement.

QCS

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 7/8

GDPR08 – Website Privacy and Cookies Policy and Procedure Page 8/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

This page is deliberately left blank

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 8/8

Website Privacy Statement – GDPR08 Page 1/4

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

We are Saffron Support Ltd, a [company] incorporated in [England and Wales] [Scotland]. Our company number is [insert registered company number] and our registered address is Business and Technology Centre
Chroma House
Shire Hill

Saffron Walden Essex
CB11 3AQ

(“Saffron Support Ltd” / “we” / “our” / “us”). We are committed to ensuring that your privacy is protected. We comply with the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) unless and until the GDPR is no longer directly applicable in the UK, together with any national implementing laws, regulations and secondary legislation as amended or updated from time to time in the UK, and any successor legislation to the GDPR and the DPA (together “Data Protection Legislation”). We are the data controller of data you pass to us pursuant to this policy. Our Data Protection Officer can be contacted at [insert email address for DPO. If there is no DPO, delete reference to them].

This Privacy Policy [together with our website terms and conditions and Cookie Policy] sets out how we collect personal information from you and how the personal information you provide will be processed by us. By visiting the website at NA (the “Website”) you are accepting and consenting to the practices described in this Privacy Policy. If you do not consent, please do not submit any personal data to us.

What information does Saffron Support Ltd hold and how will we use it?

Information you give Saffron Support Ltd: You may give us information about you by completing enquiry forms on the website or by requesting via the website that we send you marketing information [or [insert any other reason for which a person may upload their personal data to the website]. The information you give us may include your name, email address, address/location and phone number [if there are any other types of personal data that Saffron Support Ltd collects via the website, add them to this list. This does not include all personal data processed by Saffron Support Ltd but only personal data it collects through its website].

We will retain this information while we are corresponding with you or providing services to you or to a Service User you represent. We will retain this information for [insert the relevant retention period for the types of personal data listed above. If it is not possible to insert the retention period, explain the criteria Saffron Support Ltd uses for determining how long it will retain the personal data. Refer to the Records Management Code of Practice for Health and Social Care if required].

Information Saffron Support Ltd collects about you: Saffron Support Ltd may collect the following information from you when you visit the website:

• Technicalinformation,includingtheInternetprotocol(IP)addressusedtoconnectyourcomputertothe Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform; and

• Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from the website (including date and time), products you viewed or searched for, page response times, website errors, length of visits to certain pages, page interaction information, methods used to browse away from the page and any phone number used to call our helpline

We retain this information for [insert the relevant retention period for the types of personal data listed above. If it is not possible to insert the retention period, explain the criteria Saffron Support Ltd uses for determining how long it will retain the personal data].

Information we receive from other sources: This includes information we receive about you when you use other websites operated by us or other services we provide. This information may include your name, email address, postal address and phone number. We will retain this information for [insert the relevant retention period for the types of personal data listed above. If it is not possible to insert the retention period, explain the criteria Saffron Support Ltd uses for determining how long it will retain the personal data].

Cookies

The Website uses cookies to distinguish you from other users of the website. For detailed information on the

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Website Privacy Statement – GDPR08 Page 2/4

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

cookies we use and the purposes for which we use them, please see our Cookie Policy [insert hyperlink to Cookie Policy].

Use Made of the Information

Saffron Support Ltd may use the information we receive and/or collect about you to:

  • Fulfil our obligations under any contract that we have entered into with you or with a Service User that you represent, and to provide you or the relevant Service User with information or services that you or the Service User has requested
  • Send you newsletters and marketing information if you have consented to us doing so
  • Notify you of products and services that we feel may interest you, or permit third parties to do so if you have provided the appropriate consent
  • Monitorwebsiteusageandprovidestatisticstothirdpartiesforthepurposesofimprovinganddeveloping the website and the services we provide via the website

    Saffron Support Ltd processes personal information for certain legitimate business purposes, which include some or all the following:

  • Where the processing enables Saffron Support Ltd to enhance, modify, personalise or otherwise improve the website, its services or communications
  • To identify and prevent fraud
  • To enhance the security of the network and information systems of Saffron Support Ltd
  • To better understand how people interact with the websites of Saffron Support Ltd
  • Toadministerthewebsiteandcarryoutdataanalysis,troubleshootingandtesting;and
  • Todeterminetheeffectivenessofpromotionalcampaignsandadvertising

    If we obtain consent from you to do so, we may provide your personal details to third parties so that they can contact you directly in respect of services in which you may be interested.

    Where we are processing personal data that we have obtained via the website on the basis of having obtained consent from you, you have the right to withdraw your consent to the processing of your personal data at any time. If you would like to withdraw your consent or prefer not to receive any of the above-mentioned information (or if you only want to receive certain information from us) please let us know by contacting us via the following webpage [insert link to webpage]. Please bear in mind that if you object, this may affect our ability to carry out the tasks above for your benefit.

    If you wish to have your information removed from our database or if you do not want us to contact you for marketing purposes, please let us know by clicking the “Unsubscribe” option in any email we send to you and providing the details requested or by contacting us via the following webpage [insert webpage link] and we will take steps to ensure that this information is deleted as soon as reasonably practicable.

    We will not share, sell or distribute any of the information you provide to us (other than as set out in this policy) without your prior consent, unless required to do so by law.

    We may carry out automated decision-making using the personal data you provide to us. We do so to [insert an explanation about the automated decision-making (including profiling) that you carry out. You should explain the logic involved and the significance and potential consequences for the Data Subject. For example, if you track their behaviour on your website to send targeted advertising, explain this process. If you do not carry out any automated decision making, you can delete this policy entry].

    Third Party Sites

    Our website may contain links to third party websites, including websites via which you are able to purchase products and services. They are provided for your convenience only and we do not check, endorse, approve or agree with such third-party websites nor the products and/or services offered and sold on them. We have no responsibility for the content, product and/or services of the linked websites. Please ensure that you review all

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Website Privacy Statement – GDPR08 Page 3/4

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

terms and conditions of website use and the Privacy Policy of any such third-party websites before use and before you submit any personal data to those websites.

How Safe is your Information?

Where we have given you (or where you have chosen) a password which enables you to access certain parts of the website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Protecting your security and privacy is important to us and we make every effort to secure your information and maintain your confidentiality in accordance with the terms of the Data Protection Legislation. The website is protected by various levels of security technology, which are designed to protect your information from any unauthorised or unlawful access, processing, accidental loss, destruction and damage.

We will do our best to protect your personal data but the transmission of information via the Internet is not completely secure. Any such transmission is therefore at your own risk.

Disclosure of your Information

We may share your personal information with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006. We may share your information with selected third parties including:

  • Business partners, suppliers and sub-contractors for the performance of any contract we enter with them or you
  • Thirdpartieswhomaywishtocontactyouinrespectofservicesorproductstheyofferorsellwhichmaybeof interest to you, provided we receive your consent to such disclosure; and/or advertisers and advertising networks that require the data to select and serve relevant adverts to you and analytics and search engine providers that assist us in the improvement and optimisation of the website

    Please note we may need to disclose your personal information where we:

  • Sellanyorallourbusinessorassetsorwebuyanotherbusinessorassetsinwhichcasewemaydisclose your personal data to the prospective buyer or seller
  • Areunderalegaldutytocomplywithanylegalobligationortoenforceorapplyourtermsandconditions;or
  • Need to disclose it to protect our rights, property or the safety of our customers or others, including the exchange of information with other companies, organisations and/or governmental bodies for the purposes of fraud protection and credit risk reduction

    Where we Store your Personal Data [if Saffron Support Ltd does not transfer personal data outside the EEA, this policy entry can be deleted].

    The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) to [insert the reasons why personal data is transferred outside the EEA, for example, because it is hosted on a server outside the EEA]. By submitting your personal data, you agree to this transfer, storing or processing. Saffron Support Ltd will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. If a finding of adequacy hasn’t been made by the EC Commission in respect of the country to which the data is transferred, we will only transfer it where there are appropriate safeguards in place, including the use of EU standard contractual clauses or an intragroup agreement.

    Your Rights in Respect of your Data

    If any of the information you provide to us via the website changes, please let us know as soon as possible so that we can make the necessary changes to the information we hold for you on our database. If you wish to make any changes to your information, please contact us via the following webpage [insert webpage link].

    If you wish to access or rectify the information we hold about you, or request that such information be transmitted directly to another data controller, please contact us via the following webpage [insert webpage link]. We shall process your request to access your information within one month of receipt, or we’ll let you know within that timeframe if we need more information from you. We will process your request free of charge.

    To request that your information is deleted or if you wish to restrict or object to the processing of your information,

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Website Privacy Statement – GDPR08 Page 4/4

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

please contact us via the following webpage [insert webpage link].

If you have any complaints about our use of your personal data, please contact us. You also have the right to complain to the relevant supervisory authority in your jurisdiction. In the UK, the supervisory authority is the Information Commissioner’s Office. Contact details for the ICO can be found at https://ico.org.uk/.

If you have any further queries or comments on our Privacy Policy, please contact us via the following webpage [insert webpage link] or you can contact us by emailing [insert email address]. We also welcome your views about our website and our Privacy Policy

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Cookies Example Policy Statement – GDPR08 Page 1/2

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

COOKIES WEBSITE STATEMENT

Cookies are small text files which a website may put on your computer or mobile device when you first visit the website. The cookies will help the website recognise your device the next time you visit. Web beacons or other similar files can also do the same thing. We use the term “cookies” in this policy to refer to all files that collect information in this way.

We use cookies to distinguish you from other users of the website. This helps us to provide you with a good experience when you use the website and also allows us to improve the services we provide to you. On revisiting the website, we will be able to obtain information about your previous visits and about your computer including where available, your IP address, operating system and browser type, for system administration [and to report aggregate information to our advertisers] [insert an explanation about the information your cookies collect if it is necessary to expand on this]. [If you do not report aggregate information to advertisers, you can delete the foregoing policy entry]. This is statistical data about your browsing actions and patterns and does not identify you. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer.

We use the following cookies:

• Strictly necessary cookies. These are cookies that are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Disabling them may mean you are not able to access parts of our website.

• [Analytical or performance cookies. We use these cookies to collect information about how visitors use the website, for instance which pages visitors go to most. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. Some of these cookies are known as analytic cookies which allow us to monitor website traffic using industry accepted third parties.] [If you do not use analytical or performance cookies, you can delete this policy entry.]

• Functionality cookies. These cookies are used to recognise you when you return to our website and to remember changes you have made to things such as text size, fonts and other parts of the website you can change so we can personalise our content for you.

• [Targeting cookies. We use these cookies to record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may share this information with third parties for this purpose.] [If you do not use targeting cookies, you can delete this policy entry].

For more details on the specific cookies we use, why we use them and when they will expire, please see Part 1 of Appendix 1 of this Cookie Policy.
[Please note that third parties (such as advertising networks and providers of external services) may also use cookies on the website, over which we have no control. These cookies are likely to be analytical cookies, performance cookies or targeting cookies. Part 2 of Appendix 1 of this Cookie Policy provides a list of the third parties who may use these cookies and the reasons for which they use them.] [If you do not use third parties for these services, you can delete this policy entry].

Most browsers accept cookies automatically, but you can change your cookie preferences by adjusting your browser settings to refuse the setting of all or some cookies if you prefer. You can usually do this by visiting the “options” or “preferences” menu on your browser. Please note, however, that if you do this and choose to block all cookies (including essential cookies) we cannot guarantee that your experience will be as fulfilling as it would otherwise be, and you may not be able to access all or parts of our website.

Where we collect personal data as part of our use of cookies on the website, we will do so in accordance with our Privacy Policy [insert hyperlink to Privacy Policy].

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Cookies Example Policy Statement – GDPR08 Page 2/2

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Privacy Notice Policy & Procedure

1. Purpose

1.1 To provide a template privacy impact assessment (PIA) to be used by Saffron Support Ltd on an ongoing basis, as necessary. This policy also explains when a PIA should be conducted.
1.2 Saffron Support Ltd will ensure that the Data Protection Officer will determine when a PIA is required and will complete the PIA, with input, as necessary, from colleagues and teams.
1.3 To support Saffron Support Ltd in meeting the following Key Lines of Enquiry:

Key Question Key Line of Enquiry (KLOE)

1.4 To meet the legal requirements of the regulated activities that Saffron Support Ltd is registered to provide:

General Data Protection Regulation 2016 Data Protection Act 2018

WELL-LED

W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed?

2. Scope

2.1 The following roles may be affected by this policy: All staff

2.2 The following Service Users may be affected by this policy: Service Users

2.3 The following stakeholders may be affected by this policy: Family

Advocates
Representatives Commissioners
External health professionals Local Authority

NHS

3. Objectives

3.1 Saffron Support Ltd considers the potential data protection and GDPR implications of any new processes or systems it introduces, or of any changes that impact on its processing of personal data. 3.2 By reviewing and utilising the form set out in this policy, Saffron Support Ltd will be able to provide evidence of the decisions it has taken and changes it has made that may impact on the processing it carries out.

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 3/8

GDPR07 – Privacy Notice Policy & Procedure Page 4/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

4. Policy

4.1 Saffron Support Ltd understands that a PIA will enable it to identify and minimise the risks of any project it wishes to carry out.
4.2 Saffron Support Ltd understands that PIAs must be conducted for specified types of processing (listed in the Procedure section below) as well as for processing that may result in a high risk for affected individuals.

4.3 Saffron Support Ltd understands that a PIA should:
Describe the nature, scope, context and purposes of the processing
Assess whether the processing is necessary and proportionate and in compliance with GDPR Identify and assess risks to affected Data Subjects
Identify the measures it will take to mitigate those risks

4.4 Saffron Support Ltd understands that if a PIA identifies that processing may be high risk and it is unable to take steps to mitigate those risks, it should notify the ICO and seek advice from the ICO as to whether it should carry out the processing.

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 4/8

GDPR07 – Privacy Notice Policy & Procedure Page 5/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

5. Procedure

5.1 Saffron Support Ltd will implement a process for deciding whether a PIA is necessary and, if so, the steps that it will take to conduct the PIA. Saffron Support Ltd will use the form attached to this policy when conducting a PIA.
5.2 Saffron Support Ltd will provide training to its employees about when a PIA is necessary and how to conduct a PIA.

5.3 Saffron Support Ltd will conduct PIAs in the following scenarios:
Where Saffron Support Ltd intends to use systematic and extensive profiling or automated decision-

making to make significant decisions about Data Subjects

Where personal data relating to children will be processed for profiling or automated decision making, for marketing to offer online services directly to the children

Where Saffron Support Ltd will process special categories of data or criminal offence data on a large scale

Where Saffron Support Ltd intends to monitor a publicly accessible place on a large scale

Where new technologies are introduced by Saffron Support Ltd that may impact on its processing activities

Where Saffron Support Ltd intends to process biometric or genetic data
Where Saffron Support Ltd intends to combine, compare or match personal data from multiple sources

Where Saffron Support Ltd processes personal data without providing a privacy policy directly to the affected Data Subject

Where the processing will involve tracking individuals’ behaviour (whether online or offline)

Where the processing could result in physical harm if there is a breach of security

5.4 Saffron Support Ltd will consider carrying out PIAs in the following circumstances, as well as in any other circumstances which Saffron Support Ltd considers to be potentially high risk:

Where Saffron Support Ltd processes special categories of data or personal data of a highly personal nature

Where Saffron Support Ltd conducts large-scale processing; and

Where the processing concerns vulnerable Data Subjects

Saffron Support Ltd acknowledges that because of the types of services it provides, it may need to conduct PIAs on a regular basis to ensure that Data Subjects, including Service Users, are protected.
5.5 Saffron Support Ltd will also conduct a PIA if the nature or purpose of the processing it carries out changes.

5.6 Saffron Support Ltd will document the steps taken as part of the PIA and the outcomes in line with the form attached to this policy.
5.7 Saffron Support Ltd will take any steps it identifies as being necessary to mitigate risks associated with the processing and will document the steps taken and the outcome of those steps.

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 5/8

GDPR07 – Privacy Notice Policy & Procedure Page 6/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

6. Definitions

6.1 Data Subject

The individual about whom Saffron Support Ltd has collected personal data

6.2 Data Protection Act 2018

The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive

6.3 GDPR
General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data

protection and privacy for all individuals within the European Union. It became enforceable on 25 May 2018

6.4 ICO

The Information Commissioner’s Office

6.5 Personal Data

Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data

6.6 PIA

A Privacy Impact Assessment, also known as a Data Protection Impact Assessment

6.7 Process or Processing

Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. You do not need to be doing anything actively with the personal data – at the point you collect it, you are processing it

6.8 Special Categories of Data

Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services) and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views

Key Facts – Professionals

Professionals providing this service should be aware of the following:
All staff should be made aware of how GDPR impacts on their role and ensure that they know who at Saffron Support Ltd has overall responsibility for data protection
A PIA is essentially a risk assessment of proposed processing of personal data. If Saffron Support Ltd is processing personal data that is likely to result in a high risk to the Data Subject’s rights, a PIA must be carried out prior to commencing that processing
A six-step process maps the lifecycle of the personal data in order to establish: the provenance of the data, the manner of the processing involved, the location of the processing, the relevant stakeholders and the deletion/anonymisation process

Key Facts – People affected by the service

People affected by this service should be aware of the following:
PIAs will be conducted by Saffron Support Ltd to ensure that if its processing of personal data changes, any associated risks will be understood and acted upon

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 6/8

GDPR07 – Privacy Notice Policy & Procedure Page 7/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Further Reading

There is no further reading for this policy, but we recommend the ‘underpinning knowledge’ section of the review sheet to increase your knowledge and understanding.

Outstanding Practice

To be ‘ outstanding ’ in this policy area you could provide evidence that:
The wide understanding of the policy is enabled by proactive use of the QCS App
Saffron Support Ltd has implemented a PIA policy and all staff are aware of the potential need to conduct a PIA
Saffron Support Ltd is seen as an expert in GDPR, supporting other organisations and individuals in their understanding
Data Subjects express high levels of satisfaction with how Saffron Support Ltd processes their personal information

Forms

The following forms are included as part of this policy:

Title of form

When would the form be used?

Created by

Privacy Impact Assessment – GDPR07

This form should be used each time an organisation determines that it is necessary to conduct a PIA in line with the guidelines set out in this policy and procedure

QCS

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 7/8

GDPR07 – Privacy Notice Policy & Procedure Page 8/8 GDPR – Policies

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

This page is deliberately left blank

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 8/8

Privacy Impact Assessment – GDPR07 Page 1/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Annex One: Privacy Impact Assessment Screening Questions

These questions are intended to help you decide whether a PIA is necessary. Answering ‘yes’ to any of these questions is an indication that a PIA would be a useful exercise. You can expand on your answers as the project develops if you need to.
You can adapt these questions to develop a screening method that fits more closely with the types of project you are likely to assess.

Will the project involve the collection of new information about individuals?

Y/N

Will the project compel individuals to provide information about themselves?

Y/N

Will information about individuals be disclosed to organisations or people who have not previously had routine access to the information?

Y/N

Are you using information about individuals for a purpose it is not currently used for, or in a way it is not currently used?

Y/N

Does the project involve you using new technology that might be perceived as being privacy intrusive? For example, the use of biometrics or facial recognition.

Y/N

Will the project result in you making decisions or taking action against individuals in ways that can have a significant impact on them?

Y/N

Is the information about individuals of a kind particularly likely to raise privacy concerns or expectations? For example, health records, criminal records or other information that people would consider to be private.

Y/N

Will the project require you to contact individuals in ways that they may find intrusive?

Y/N

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 2/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Annex Two: Privacy Impact Assessment Template

This template is an example of how you can record the PIA process and results. You can start to fill in details from the beginning of the project, after the screening questions have identified the need for a PIA. The template follows the process that is used in this code of practice. You can adapt the process and this template to produce something that allows your organisation to conduct effective PIAs integrated with your project management processes.

Step one: Identify the need for a PIA

• Explain what the project aims to achieve, what the benefits will be to the Organisation, to individuals and to other parties

• You may find it helpful to link to other relevant documents related to the project, for example, a project proposal
• Also summarise why the need for a PIA was identified (this can draw on your answers to the screening questions)

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 3/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Step two: Describe the information flows

• You should describe the collection, use and deletion of personal data here and it may also be useful to refer to a flow diagram or another way of explaining data flows. You should also say how many individuals are likely to be affected by the project

Consultation requirements

• Explain what practical steps you will take to ensure that you identify and address privacy risks. Who should be consulted internally and externally? How will you carry out the consultation? You should link this to the relevant stages of your project management process. You can use consultation at any stage of the PIA process

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 4/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Step three: Identify the privacy and related risks

• Identify the key privacy risks and the associated compliance and corporate risks. Larger-scale PIAs might record this information on a more formal risk register. Annex three can be used to help you identify the DPA related compliance risks

Privacy Issue

Risk to Individuals

Compliance Risk

Associated Organisation/Corporate Risk

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 5/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Step four: Identify privacy solutions

• Describe the actions you could take to reduce the risks, and any future steps which would be necessary (eg the production of new guidance or future security testing for systems)

Risk

Solution

Result: is the risk eliminated, reduced, or accepted?

Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 6/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Step five: Sign off and record the PIA outcomes

• Who has approved the privacy risks involved in the project? What solutions need to be implemented?

Risk

Approved Solution

Approved By

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 7/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Step six: Integrate the PIA outcomes back into the project plan

• Who is responsible for integrating the PIA outcomes back into the project plan and updating any project management paperwork? Who is responsible for implementing the solutions that have been approved? Who is the contact for any privacy concerns that may arise in the future?

Action to be Taken

Date for Completion of Actions

Responsibility for Action

Contact point for future privacy concerns

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 8/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Annex Three: Linking the PIA to the Data Protection Principles

Answering these questions during the PIA process will help you to identify where there is a risk that the project will fail to comply with the DPA or other relevant legislation, for example the Human Rights Act

Principle 1

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: a) at least one of the conditions in Schedule 2 is met, and

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met

Have you identified the purpose of the project?

Y/N

How will you tell individuals about the use of their personal data?

Do you need to amend your privacy notices?

Y/N

Have you established which conditions for processing apply?

Y/N

If you are relying on consent to process personal data, how will this be collected and what will you do if it is withheld or withdrawn?

If your organisation is subject to the Human Rights Act, you also need to consider: • Will your actions interfere with the right to privacy under Article 8?
• Have you identified the social need and aims of the project?
• Are your actions a proportionate response to the social need?

Y/N

Principle 2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Does your project plan cover all of the purposes for processing personal data?

Y/N

Have you identified potential new purposes as the scope of the project expands?

Y/N

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 9/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Principle 3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Is the quality of the information good enough for the purposes it is used?

Y/N

Which personal data could you not use, without compromising the needs of the project?

Principle 5

Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.

What retention periods are suitable for the personal data you will be processing?

Are you procuring software that will allow you to delete information in line with your retention periods?

Y/N

Principle 6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

Will the systems you are putting in place allow you to respond to subject access requests more easily?

Y/N

If the project involves marketing, have you got a procedure for individuals to opt out of their information being used for that purpose?

Y/N

Principle 7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Do any new systems provide protection against the security risks you have identified?

Y/N

What training and instructions are necessary to ensure that staff know how to operate a new system securely?

Principle 8

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Will the project require you to transfer data outside of the EEA?

Y/N

If you will be making transfers, how will you ensure that the data is adequately protected?

This policy is Copyright © Quality Compliance Systems Ltd. 2018 (Last updated 2019) and is only licensed for use with a current Licence Certificate. If you have a current Licence Certificate, it can be accessed in your online account. Use without a current Licence Certificate is strictly prohibited.

Privacy Impact Assessment – GDPR07 Page 10/10

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

This page is deliberately left blank

Privacy Policy and Procedure

Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

1. Purpose

1.1 To support the human rights of the Service User and ensure that Saffron Support Ltd complies with legislation and regulation in relation to the privacy of individuals.
1.2 To support Saffron Support Ltd in meeting the following Key Lines of Enquiry:

Key Question Key Line of Enquiry (KLOE)

1.3 To meet the legal requirements of the regulated activities that Saffron Support Ltd is registered to provide:

The Care Act 2014
Equality Act 2010
The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 Human Rights Act 1998
Mental Capacity Act 2005
Data Protection Act 2018

CARING

C3: How are people’s privacy, dignity and independence respected and promoted?

RESPONSIVE

R1: How do people receive personalised care that is responsive to their needs?

WELL-LED

W1: Is there a clear vision and credible strategy to deliver high-quality care and support, and promote a positive culture that is person-centred, open, inclusive and empowering, which achieves good outcomes for people?

2. Scope

2.1 The following roles may be affected by this policy: All staff

2.2 The following Service Users may be affected by this policy: Service Users

2.3 The following stakeholders may be affected by this policy: Family

External health professionals Local Authority
NHS

3. Objectives

3.1 To ensure that the Service User’s right to privacy is respected and that staff understand how they can deliver care and support that respects this right.

4. Policy

4.1 Saffron Support Ltd recognises the right of Service Users to be left alone, undisturbed and free from intrusion. The Service User also has a right to privacy with regard to both their personal affairs and their belongings.
4.2 Staff will adhere to the human rights of individuals and work in accordance with professional codes of conduct and company policy and procedures. Intentional breaches of privacy will be investigated fully, and appropriate bodies informed and lessons learnt.

This policy is Copyright © Quality Compliance Systems Ltd. 2007 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 3/6

CR24 – Privacy Policy and Procedure Page 4/6 Care Management – Rights & Abuse

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

5. Procedure

5.1 Care Planning at the start of a service

The needs of the Service User in relation to privacy will always be considered during the Care Planning stage to ensure that Saffron Support Ltd can effectively meet the person’s needs. This assessment will include what information about them can be shared and with whom

Preferred Service User wishes must be communicated to other relevant staff at Saffron Support Ltd

The Care Planning process will be completed in a private area where the Service User can feel able to discuss areas of their care needs. This is particularly relevant if an assessment is taking place in a hospital or respite setting prior to discharge home

5.2 Service User Rights

The individual requirement for privacy will be respected at all times and all information relating to individuals will be treated in a confidential manner

Saffron Support Ltd recognises the right of Service Users to be left alone, undisturbed and free from intrusion and public attention. The Service User also has a right to privacy with regard to both their personal affairs and their belongings

5.3 Staff Expectation, Behaviour and Professionalism

Staff will follow professional codes of conduct as well as operational policies and procedures when considering privacy for Service Users. This includes all staff expectations around professionalism of communication

Staff will only discuss Service Users in the work environment if it is for the purpose of assessment, management and evaluation of care

Staff will not discuss any aspect of the Service User’s care outside of the work environment

5.4 Records Management

Records will be designed, used and stored in a manner which assures privacy

Records will be made available to the Service User’s main Care Worker and family according to the wishes of the Service User

Staff will refer to the Record Keeping Policy and Procedure for further information and guidance

5.5 Personal Care and Privacy

Particular attention will be given to preserving privacy in the use of bathrooms, toilets and when dressing and undressing. At the same time, health and safety and personal risk management will be considered and discussed

Staff will ensure curtains/blinds are closed in order to ensure privacy during personal care and moving and handling

Any personal and sensitive items that may be deemed as necessary care equipment (such as continence aids, catheters, dressings) will be kept out of view at all times to ensure that privacy is maintained

Staff will always knock on the Service User’s door and await a response before entering the room

5.6 Photography and Filming

Staff will refer to the policies available with regard to privacy, photography, filming consent and the use of CCTV at Saffron Support Ltd and to relevant CQC guidance.
5.7 Breach in Privacy

Any breach of the privacy of a Service User will be considered a serious event. The incident will be fully investigated in accordance with local procedures and evidence of any lessons learnt recorded, to ensure that the risk of reoccurrence is reduced. Disciplinary action will be taken where the incident is considered to have been caused with intent

Any environmental or equipment fault which reduces the privacy of any Service User must be reported to the manager

Breaches of privacy of a serious nature will be referred to the local safeguarding board and a regulatory notification completed by Saffron Support Ltd manager or delegated other with the relevant

This policy is Copyright © Quality Compliance Systems Ltd. 2007 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 4/6

CR24 – Privacy Policy and Procedure Page 5/6 Care Management – Rights & Abuse

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

skills, knowledge and experience

5.8 Training and Education

Privacy forms part of the Care Certificate for care workers. New staff that have not already completed this will be expected to achieve this unit

Staff will be expected to review their professional code of conduct and be aware of what this means in practice

Privacy will form part of the supervision process at Saffron Support Ltd as well as staff and Service User meetings in order to review practice, seek feedback and determine quality assurance

Staff will receive training on the Data Protection Act and associated regulations

5.9 Capacity and Privacy

The same rights of privacy apply to individuals who are proven to lack capacity, therefore staff must do the following:

Establish any previously expressed views or wishes of the individual regarding privacy from family and others

Observe Service User behaviours to identify what the preferences may be for that individual wishing to have privacy

Continue to follow the core principles and practices as detailed within this policy, if deemed in
the Service User’s best interest to do so (in accordance with the Mental Capacity Act) when weighing up privacy. Refer to associated policies and procedures for further guidance

6. Definitions

6.1 Privacy

In literal terms, privacy is defined as a state in which one is not observed or disturbed by other people or the state of being free from public attention
For the purposes of health and social care, privacy is very personal and means different things to different people. Therefore in order to respect people, privacy services need to be personalised as much as possible

6.2 Care Certificate

The Care Certificate is a set of standards that social care and health workers stick to in their daily working life. It identifies the new minimum standards that will be covered as part of the induction training of new care workers

6.3 Human Rights

Human rights are the basic rights and freedoms that belong to every person in the world, from birth until death. They apply regardless of where you are from, what you believe or how you choose to live your life. They can never be taken away, although they can sometimes be restricted; for example, if a person breaks the law, or in the interests of national security

These basic rights are based on values like dignity, fairness, equality, respect and independence. But human rights are not just abstract concepts, they are defined and protected by law. In Britain our human rights are protected by the Human Rights Act 1998

This policy is Copyright © Quality Compliance Systems Ltd. 2007 (Last updated 2019) and is only licensed for use with a current Licence Certificate.If you have a current Licence Certificate, it can be accessed in your online account.
Use without a current Licence Certificate is strictly prohibited.

Page 5/6

CR24 – Privacy Policy and Procedure Page 6/6 Care Management – Rights & Abuse

Saffron Support Ltd
Business and Technology Centre, Chroma House, Shire Hill, Saffron Walden, Essex, CB11 3AQ

Key Facts – Professionals

Professionals providing this service should be aware of the following:
It is a fundamental right for everyone to have privacy and as professionals, your role is to promote and adhere to this right
Your professional codes of conduct refer to your accountability in relation to supporting people with maintaining privacy
The environment where Service Users are supported needs to accommodate the ability to promote privacy
Any breach of a person’s privacy is a serious event and will be fully investigated to ensure there is a period of learning, reflection and change in practice

Key Facts – People affected by the service

People affected by this service should be aware of the following:
You have full rights to privacy and staff will discuss what your wishes are around this and what that means for you
Information about you will only be shared with your permission, or if you are unable to give permission when it is deemed to be in your best interest to do so
Staff supporting you will respect your privacy wishes and support you in providing environments that are private

Further Reading

As well as the information in the ‘underpinning knowledge’ section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:

Many further reading resources combine best practice of privacy with dignity and respect, the following sites contain further information and guidance for health and social care professionals:
SCIE – Dignity in Care: https://www.scie.org.uk/publications/guides/guide15/factors/privacy/
Dignity in Care – Privacy: https://www.dignityincare.org.uk/Resources/Respecting_dignity/Privacy/
NICE Guidelines: Home Care – delivering personal care and practical support to older people living in their own homes:

https://www.nice.org.uk/guidance/ng21/chapter/Recommendations

Outstanding Practice

To be ‘ outstanding ’ in this policy area you could provide evidence that:
Staff follow the principles and practices of this policy
Service Users are provided with an opportunity to feedback their experiences in relation to privacy in order for practice review and quality assurance
Privacy forms a core agenda item for staff meetings, training and supervisions
Regular audits take place that review the privacy practices at Saffron Support Ltd
The wide understanding of the policy is enabled by proactive use of the QCS App