Privacy & Data Protection Policy
1. Introduction
Haven Respite Ltd is committed to protecting the privacy and personal data of everyone who uses our services, works with us, or contacts us. This policy explains how we collect, use, store, share, and protect personal information, and sets out your rights under data protection law.
We process all personal data in accordance with:
- The UK General Data Protection Regulation (UK GDPR)
- The Data Protection Act 2018
- Guidance from the Information Commissioner’s Office (ICO)
- Relevant health and social care legislation
2. Who We Are
Haven Respite Ltd is a registered social enterprise providing in-home respite care and non-medical support across Nottinghamshire. We are registered with the ICO.
ICO Registration Number: ZB939133
For all data protection queries, please contact:
3. Scope
This policy applies to:
- All clients, families, and representatives who use or enquire about our services
- All Haven Respite staff, support workers, and contractors
- All partner organisations and third parties we work with
- All personal data we hold in any format — digital, paper, verbal, or recorded
4. What Personal Data We Collect
Depending on your relationship with us, we may collect and process:
- Personal identification details (name, address, date of birth, contact information)
- Health, care, and support needs information
- Emergency contact details
- Communication records, assessments, care notes, and visit records
- Financial or payment information (for service delivery and invoicing)
- Employment, vetting, and DBS information (for staff and support workers)
We collect only the minimum data necessary to deliver safe, effective, and personalised care.
5. How We Use Your Information
We use personal data only for purposes directly related to:
- Delivering and managing care and support services
- Carrying out assessments, care planning, and risk management
- Safeguarding and promoting the welfare of clients
- Communicating with clients, families, and relevant professionals
- Meeting legal, regulatory, and quality assurance obligations
- Processing payments and managing service agreements
6. Legal Basis for Processing
We process personal data under one or more of the following lawful bases under UK GDPR:
- Performance of a contract — to deliver the services you have engaged us to provide
- Legal obligation — where we are required to process data by law (e.g. safeguarding reporting)
- Vital interests — in an emergency, to protect the life or safety of an individual
- Legitimate interests — for service management, quality assurance, and improvement
- Consent — where you have given us explicit permission (e.g. for optional communications)
Where we process special category data (such as health or care information), we do so under Article 9(2)(h) of the UK GDPR, relating to the provision of health and social care services.
7. Data Storage & Security
We take the security of your personal data seriously. Our measures include:
- Electronic records stored on encrypted, password-protected systems compliant with UK GDPR
- Paper records kept in locked, secure storage
- Role-based access controls, so staff can only access information relevant to their role
- Regular data backups carried out securely
- Personal devices are not used to store or transfer client data
- All staff and support workers complete mandatory data protection training
8. Data Sharing
Haven Respite will only share personal information where:
- It is necessary to deliver or coordinate care and support
- The individual, or their legal representative, has given informed consent
- We have a legal duty to share — for example, in relation to safeguarding, regulatory compliance, or a lawful request from a statutory authority
- Information is requested by a local authority, NHS provider, or other authorised professional for legitimate care purposes
All data sharing is documented and carried out securely. We do not sell or share personal data for commercial purposes.
9. Data Retention
We retain personal data only for as long as necessary for its original purpose, or as required by law:
| Record Type | Retention Period |
|---|---|
| Client care records | 8 years after service ends (or longer if required by safeguarding law) |
| Staff and support worker records | 6 years after employment or engagement ends |
| Financial records | 6 years for audit and compliance purposes |
After the relevant retention period, data is securely destroyed or permanently anonymised.
10. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (Subject Access Request)
- Correct any inaccurate or incomplete data we hold about you
- Erasure — request that we delete your data in certain circumstances
- Restrict or object to how we process your data in certain circumstances
- Data portability — request a copy of your data in a portable format
- Withdraw consent at any time, where consent is the basis for processing
To exercise any of these rights, please contact our Data Protection Lead in writing. We will respond within one calendar month, as required by law.
11. Confidentiality
All Haven Respite staff and support workers sign a Confidentiality Agreement before accessing any client information. Client information is:
- Never discussed in public spaces or via personal communication channels
- Shared only on a strict need-to-know basis
- Never posted or referenced on social media in any form
12. Data Breach Protocol
In the event of a suspected data breach — including loss, theft, unauthorised access, or accidental disclosure — Haven Respite will:
- Report the breach immediately to the Data Protection Lead
- Record full details of the breach, including time, nature, and individuals involved
- Take immediate steps to contain and recover the data where possible
- Assess the risk to affected individuals
- Notify the ICO within 72 hours where the breach poses a risk to individuals’ rights or freedoms
- Notify affected individuals where appropriate
- Conduct a full investigation and implement preventative measures
14. Changes to This Policy
This policy is reviewed annually or sooner if legislation, ICO guidance, or our operational practices change. Updated versions will be published on our website with a revised effective date.
15. Contact & Complaints
For any queries about how we handle your personal data, or to exercise your rights, please contact:
If you are not satisfied with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner’s Office:
Website: www.ico.org.uk
Phone: 0303 123 1113
