menuSearch
Milestones Trust

Privacy notice

Introduction

This is Milestones Trust’s Privacy Notice.

Milestones Trust is a charitable trust limited by guarantee, registered in England under company number 2011021. Registered Charity No: 294377

Registered address: Unit 10, Eclipse Office Park, High Street, Staple Hill, Bristol BS16 5EL

Email address: dpo@milestonestrust.org.uk

Telephone number: 0117 970 9300

As part of the services we offer, we are required to process personal data about our staff, the people we support and, in some instances, the friends or relatives of people we support and staff. ‘Processing’ can mean collecting, recording, organising, storing, sharing or destroying data.

‘Personal data’ is defined by the UK GDPR and the Data Protection Act 2018 (collectively, ‘Data Protection Legislation’) as ‘any information relating to an identifiable person who can be directly or indirectly identified’.  In simpler terms, it is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers and CCTV images.

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data.

If you have any concerns or questions please contact us by emailing dpo@milestonestrust.org.uk or phoning 0117 9709300 and asking to speak to the Data Protection Officer.

 

People we support

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may process the following types of data:

  • Your basic details and contact information e.g. your name, address, date of birth and next of kin.
  • Your financial details e.g. details of how you pay us for your care or your funding arrangements.

We also record the following data which is classified as ‘special category’:

  • Health and social care data about you, which might include both your physical and mental health data.
  • We may also record data about your race, ethnic origin, sexual orientation or religion.

Why do we have this data?

We need this data so that we can provide high-quality care and support. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

We have a legitimate interest to do so – generally under the Health and Social Care Act 2012 or Mental Capacity Act 2005.

We process your special category data because:

  • It is necessary due to social security and social protection law (generally this would be in safeguarding instances).
  • It is necessary for us to provide and manage social care services.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent at any time.

Where do we process your data?

So that we can provide you with high quality care and support we need specific data. This is collected from or shared with:

  1. You or your legal representative(s).
  2. Third parties.

We do this face to face, and/or via phone, email, our website, post, application forms, Connecting Care portal, systems that record information about incidents and accidents (AssessNet) and may also do this via apps.

Third parties are organisations we might lawfully share your data with. These include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, clinical commissioning groups, and other health and care professionals.
  • The Local Authority.
  • Third party organisations like Access Social Care – with your permission.
  • Your family or friends – with your permission.
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC.
  • The police or other law enforcement agencies if we have to by law or court order.

 

Staff

What data do we have?

So that we can provide a safe and professional service, we need to keep certain records about you. We may record the following types of data:

  • Your basic details and contact information e.g. your name, address, date of birth, National Insurance Number and next of kin.
  • Your financial details e.g. details so that we can pay you, insurance, pension and tax details.
  • Your employment Terms and Conditions.
  • Your training records, work experience, qualifications.
  • Information about any disciplinary action.
  • Information related to accidents connected with work.

We also record the following data which is classified as ‘special category’:

  • Health and social care data about you, which might include both your physical and mental health data – we will only collect this if it is necessary for us to know as your employer, e.g. fit notes or in order for you to claim statutory maternity/paternity pay, occupational health referrals.
  • We may also, with your permission, record data about your race, ethnic origin, sexual orientation or religion, trade union membership.

As part of your application you may – depending on your job role – be required to undergo a Disclosure and Barring Service (DBS) check (Criminal Record Check). We do not keep this data once we’ve seen it.

Why do we have this data?

We require this data so that we can contact you, pay you and make sure you receive the training and support you need to perform your job. By law, we need to have a lawful basis for processing your personal data.

We process your data because:

  • We have a legal obligation under UK employment law.
  • We have a legitimate interest in processing your data – for example, we provide data about your training to Skills for Care’s National Minimum Data Set, this allows Skills for Care to produce reports about workforce planning.
  • We are required to provide data to our regulator, the Care Quality Commission (CQC), as part of our public interest obligations.

We process your special category data because:

It is necessary for us to process requests for sick pay or maternity pay.

If we request your criminal records data it is because we have a legal obligation to do this due to the type of work you do. This is set out in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974 (Exceptions) Order 1975. We do not keep a record of your criminal records information (if any).

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

As your employer we need specific data. This is collected from or shared with:

  • You or your legal representative(s).
  • Third parties.

We do this face to face as well as via: phone,  email, our website, staff intranet, post, application forms, via systems including the HRIS ‘TrustNet’ (Ceridian Dayforce) system, training portals, AssessNet, File Maker and CM2000.

Third parties are organisations we have a legal reason to share your data with. These include:

  • Her Majesty’s Revenue and Customs (HMRC).
  • Our pension scheme (TPT Retirement Solutions) regarding pension auto-enrolment, prior to the employee deciding whether they wish to opt-out.
  • Our Healthcare scheme / Health Cash Plan / Occupational Health Provider and Employee Assistance Programme (BHSF).
  • Sodexo, providers of our discount platform.
  • NHS Pension Scheme (not available for the new employees).
  • Organisations we have a legal obligation to share information with i.e. for safeguarding, the CQC.
  • The police or other law enforcement agencies if we have to by law or court order.
  • DDC (Due diligence Checking) for our Disclosure and Barring Service (DBS) checks.
  • There are occasions where we would share information with our lawyers regarding individual cases where it may be necessary to share personal or special category data, in the Trust’s legitimate interest.

 

Friends/relatives

What data do we have?

As part of our work providing high-quality care and support, it might be necessary that we hold the following information on you:

Your basic details and contact information e.g. your name and address.

Why do we have this data?

By law, we need to have a lawful basis for processing your personal data.

We process your data because we have a legitimate business interest in holding next of kin and lasting power of attorney information about the individuals who use our service and keeping emergency contact details for our staff.

We may also process your data with your consent. If we need to ask for your permission, we will offer you a clear choice and ask that you confirm to us that you consent. We will also explain clearly to you what we need the data for and how you can withdraw your consent.

Where do we process your data?

So that we can provide high quality care and support we need specific data. This is collected from or shared with:

  • You or your legal representative(s).
  • Third parties.

We do this face to face, via phone, via email, via our website, via post, via application forms.

Third parties are organisations we have a legal reason to share your data with. These may include:

  • Other parts of the health and care system such as local hospitals, the GP, the pharmacy, social workers, and other health and care professionals.
  • The Local Authority.
  • The police or other law enforcement agencies if we have to by law or court order.

 

Our website

In order to provide you with the best experience while using our website, we process some data about you.

When someone visits www.milestonestrust.org.uk  we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. You can find more information on how cookies are used on this website in our Cookie Policy here.

If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Getting in touch

On our get in touch page we ask you to supply personal information, which allows us to get back in touch with you.  Your enquiry is received by our reception team, who then forward the email on to the relevant person, depending on your enquiry. Your personal information isn’t stored and the emails are deleted by the reception team once they have been forwarded on.

Newsletter sign-up

As part of the registration process for our Recruitment and Friends of Milestones e-newsletters, we collect personal information.

For our Recruitment e-newsletter we use that information to let you know about our current job opportunities that you’ve asked to hear about.

For our Friends of Milestones e-newsletter we use that information to let you know about what we’ve been up to and our upcoming events.

We may also use the information from both e-newsletters to contact you if we need to obtain or provide additional information, to check our records are right and to check every now and then that you’re happy and satisfied. We don’t rent or trade email lists with other organisations and businesses.

We use a third party provider, MailChimp, to deliver our newsletter. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.

You can unsubscribe to general mailings at any time by clicking the unsubscribe link at the bottom of any of our emails or by emailing our marketing team on marketing@milestonestrust.org,uk

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. Those sites are not governed by this Privacy Policy, and if you have questions about how a site uses your information, you’ll need to check that site’s privacy statement.

Access to your personal information

You are entitled to access the personal information that we hold. Email your request to our data protection officer on dpo@milestonestrust.org.uk.

 

Your rights

The data that we keep about you is your data and we ensure that we keep it confidential and that it is used appropriately. You have the following rights when it comes to your data:

  1. You have the right to request a copy of all of the data we keep about you. Generally, we will not charge for this service.
  2. You have the right to ask us to correct any data we have which you believe to be inaccurate or incomplete. You can also request that we restrict all processing of your data while we consider your rectification request.
  3. You have the right to ask that we erase any of your personal data which is no longer necessary for the purpose we originally collected it for. Our retention schedule is based on the Records Management Code of Practice for Health and Social Care (https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016) The 2020 Draft Record Keeping Code of Practice has also been reviewed in creating this Privacy Notice and our Retention Schedule.
  4. You may also request that we restrict processing if we no longer require your personal data for the purpose we originally collected it for, but you do not wish for it to be erased.
  5. You can ask for your data to be erased if we have asked for your consent to process your data. You can withdraw consent at any time – please contact us to do so.
  6. If we are processing your data as part of our legitimate interests as an organisation or in order to complete a task in the public interest, you have the right to object to that processing. We will restrict all processing of this data while we look into your objection.

You may need to provide adequate information for our staff to be able to identify you, for example, a passport or driver’s licence. This is to make sure that data is not shared with the wrong person inappropriately. We will always respond to your request as soon as possible and at the latest within one month.

If you would like to complain about how we have dealt with your request, please contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
ico.org.uk/global/contact-us/

 

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated in February 2021.