menuSearch
Milestones Trust

Privacy notice

Introduction

This is Milestones Trust’s general Privacy Notice. If you are an employee, volunteer or Trustee, or an applicant/candidate please refer to those separate Employee Privacy Notices.

Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377.

Milestones Trust is the controller for the personal information we process, unless otherwise stated.

Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL.

The Data Protection Officer for Milestones Trust can be contacted via email: dpo@milestonestrust.org.uk  or by telephoning 0117 970 9300.

 

Definitions

We are required to process personal data as part of the services we offer and as an employer.

‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.

‘Personal data’ is defined by Data Protection legislation as “any information relating to an identifiable person who can be directly or indirectly identified”.  In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.

‘Special Category’ data is defined as personal data that is likely to be more sensitive and has extra protection under data protection law. It includes personal data about:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this Privacy Notice. It also explains your rights in relation to your data.

 

The lawful bases we rely on

We have to have a lawful basis for processing personal data and a separate lawful basis for processing any ‘Special Category’ data.

We have a ‘Legitimate Interest’ (GDPR Article 6(1)(f)) in processing personal information and use this as a lawful basis for processing personal data; the processing is necessary in order for us to carry out our core business aims of providing safe services to the people we support including through 3rd parties, contractors and others we work with and we couldn’t do that otherwise. We may also rely on the basis of Legal Obligation (GDPR Article 6(1)(c)) to process data, for example where we are required by law to process information.

The Special Category data we process includes that which is related to our management of health and social care services (GDPR Article 9(2)(h) and Data Protection Act 2018 – Schedule 1, Part 1, (2)(f)) and as employers (GDPR Article 9(2)(b)). Some special category information is processed in the Substantial Public Interest (GDPR Article 9(2)(g)) such as the Covid vaccination status of people visiting our care homes (as required by the government from 11th November 2021). We also process criminal offence/convictions data where necessary and this includes for people providing one-to-one complementary therapy sessions with people we support. We have an Appropriate Policy Document in place for these purposes.

 

People we support

What data we process

So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data (including special category data):

  • Your basic details and contact information e.g. your name, address, date of birth and next of kin.
  • Your financial details e.g. details of how you pay us for your care or your funding arrangements.
  • Health and social care information about you, which might include both your physical and mental health data. This includes information provided by other services that may be working with you, e.g. Health and care workers, voluntary agencies.
  • We may also record data about your race, ethnic origin, sexual orientation or religion to support us delivering a person-centred service.
  • Information about the support and care we deliver to you e.g. daily diaries, support plans and risk assessments.
  • Information about meetings we have with you and / or that are about your support e.g., when we plan activities, if we have Best Interests meetings.
  • Information you or other people who know you have given us.
  • Information we have given you.

Why and how we process this data

We need this data so that we can provide high-quality care and support. We process your data (including special category data) because:

  • It is necessary in order for us to provide you with person-centred care and support using information that is accurate and up to date.
  • It is necessary for our proper management of health and social care services.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC).
  • We can refer to this information if you have a complaint about the serviced you’ve received.

We may also process your data with your explicit consent. This will happen if we want to use your information for a reason that’s different from why we collected it in the first place e.g., a photo to go in our internal magazine or if you wanted to be in a video for the website. If we need to ask for your consent we will offer you a clear choice and ask that you confirm consent to us before we use that information. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Who we share your personal data with

Third parties are people or organisations we might lawfully ask for or share your data with. These include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
  • The Local Authority.
  • Housing Associations where you have a tenancy with them.
  • Third party organisations like Access Social Care – with your permission.
  • Complementary Therapists – with your permission or as part of a Best Interests decision.
  • Your family or friends – with your permission unless already stated and/or as part of Best Interests decision making where appropriate.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC).
  • The police or other law enforcement agencies if we have to by law or court order.

Where we process your data

We process data in the UK. This includes face to face, phone, email, website, post, application/referral forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet) and may also do this via apps.

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representative(s).
  2. Third parties including as part of the referral process.

 

Friends/relatives

What data we have

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

  • Your basic details and contact information e.g. your name and address, phone number/s and email address.
  • Information on your relationship to the person we support including any legal relationship e.g., Power of Attorney, Deputyship.

Why and how we process this data

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service so that we are confident we are only communicating with the right people. We may ask for proof of identity before disclosing information to you.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Who we share your personal data with

Third parties are people or organisations we might lawfully ask for or share your data with include:

  • Other parts of the health and care system such as local hospitals, social workers and other health and care professionals.
  • The Local Authority.
  • Third party organisations like Access Social Care – with your permission.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC).
  • The police or other law enforcement agencies if we have to by law or court order.

Where we process your data

We process your data in the UK. We do this face to face, and/or via phone, email, our website, post, application/referral forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet) and may also do this via apps. This is collected from or shared with:

  1. You
  2. Third parties including as part of the referral process

 

Third Parties (Contractors, external trainers, prospective clients/residents, corporate volunteers, complementary therapists etc.)

What data we process

We need to keep certain records about you/your company in order to ensure services are safe and we are fulfilling any obligations and responsibilities. We have a Legitimate Interest in doing this as processing is necessary in helping us be sure the services we deliver to people we support (including through visiting contractors etc.) are safe, and we could not do so otherwise. We also have a Legal Obligation to process some data.

We may process the following types of data (including special category data):

  • Basic details and contact information e.g. your name, address, contact details, company name and details, date of birth.
  • Financial details e.g. details of how you pay us for your care or your funding arrangements, or how we pay you for services delivered.
  • Health and social care information which might include both physical and mental health data only if appropriate e.g. referral information.
  • We may also record data about your race, ethnic origin, sexual orientation or religion where this is appropriate to delivering person-centred services.
  • Health data relating to Covid vaccination status (and exemptions) which we are required by law to process for some people entering care homes from 11th November 2021. We have an Appropriate Policy Document in place for this processing.
  • We also process Criminal Conviction data where necessary e.g., for complementary therapists who work 1-1 with people we support. We have an Appropriate Policy Document in place for this processing.

Why and how we process this data

We need this data so that we can provide safe and high-quality care and support. We process your special category data because:

  • It is necessary in order for us to provide person-centred care and support.
  • It is necessary for our management of health and social care services.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC).
  • We have to fulfil legal obligations.

We may also process your data with your explicit consent. This will happen if we want to use your information e.g., a photo, for a reason that’s different from why we collected it in the first place. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Who we share your personal data with

People or organisations we might lawfully ask for or share your data with include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
  • The Local Authority.
  • Third party organisations like Access Social Care – with your permission.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the Care Quality Commission (CQC), the Health and Safety Executive (HSE).
  • The police or other law enforcement agencies if we have to by law or court order.

Where we process your data

We process data face to face, and/or via phone, email, our website, post, application forms, systems that record information about incidents and accidents (AssessNet) and may also do this via apps.

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representatives
  2. Other parties

 

Staff

We have separate Employee and Applicant/Candidate Privacy Notices.

 

Our website

In order to provide you with the best experience while using our website, we process some data about you. When someone visits www.milestonestrust.org.uk  we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. You can find more information on how cookies are used on this website in our Cookies Policy here.

If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

 

Getting in touch

On our get in touch page we ask you to supply personal information, which allows us to get back in touch with you.  Your enquiry is received by our reception team, who then forward the email on to the relevant person, depending on your enquiry. Your personal information isn’t stored and the emails are deleted by the reception team once they have been forwarded on.

 

Newsletter sign up

As part of the registration process for our Recruitment and Friends of Milestones e-newsletters, we collect personal information.

For our Recruitment e-newsletter we use that information to let you know about our current job opportunities that you’ve asked to hear about.

For our Friends of Milestones e-newsletter we use that information to let you know about what we’ve been up to and our upcoming events.

We may also use the information from both e-newsletters to contact you if we need to obtain or provide additional information; to check our records are right and to check every now and then that you’re happy and satisfied. We don’t rent or trade email lists with other organisations and businesses.

We use a third-party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.

You can unsubscribe to general mailings at any time by clicking the unsubscribe link at the bottom of any of our emails or by emailing our marketing team on marketing@milestonestrust.org,uk

 

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. Those sites are not governed by this Privacy Notice, and if you have questions about how a site uses your information, you’ll need to check that site’s privacy statement.

 

How we protect your personal data

We have technical and organisational measures in place to protect your personal data and keep it secure. These include setting controls and permissions to folders and systems, using password protection, using secure email and making sure all staff are trained to understand their obligations around data protection. Information is stored, retained and disposed of in line with our policies and Retention Schedule and we do not keep your information any longer than we need to.

 

How long we process data for

Our Retention Schedule sets out the retention timescales for the different information we process. In line with data protection regulations we will not ask for more information than we need and do not keep data any longer than we have to.

 

Your rights

You have the following rights when it comes to your data:

  1. Right to be informed: We are transparent about how and why we collect and use your data and this Privacy Notice tells you about this.
  2. Right of access: You have the right to request a copy of the data we keep about you. Email your request to our data protection officer on dpo@milestonestrust.org.uk You may need to provide adequate information for identification, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.
  3. Right to rectification: You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict the processing of your data while we consider your rectification request.
  4. Right to erasure: You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  5. You can also ask for your data to be erased if we have asked for your consent to process any of your data. You can withdraw consent where it has been provided at any time – please contact us to do so.
  6. Right to restrict processing: You may request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for but you do not wish for it to be erased.
  7. Right to portability: You have the right to request your personal data in a way that is accessible and machine-readable, for example as a csv file. You also have the right to ask us to transfer your data to another organisation.
  8. Right to object: If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. This is not an absolute right and we may need to continue using your information. We will tell you if this is the case.
  9. Rights related to automated decision-making including profiling: Where any activities involve this, e.g., as part of the recruitment process, we ask for explicit consent and do not rely solely on this information.

 

Further information

If you have any concerns or questions please contact the DPO by emailing dpo@milestonestrust.org.uk or phoning 0117 970 9300.

If you wish to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

ico.org.uk/global/contact-us/

 

Changes to this Privacy Notice

We keep our privacy notice under regular review. This privacy notice was last updated in October 2021.