PRIVACY POLICY

What is a Privacy Notice?
The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they
hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal
data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

This is Horizon Community Care (HCC) privacy notice.

HCC as a Data Controller
HCC is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018. Our legal name is Horizon Community Care C.I.C.
Our head office address is:

Fidelity House
34 St Andrews Close
London

SE28 8NZ
HCC is registered with the Information Commissioners Office with the registration number ZA789773

How to contact us
Please contact us if you have any questions about our privacy notice or information, we hold about you:

Contact details of our Data Protection Officer
HCC’S Data Protection Officer is:
Maleek Barber
Risk and Information Governance Team Lead and Data Protection Officer
E-mail: maleek@horizoncommunitycare.org

Our legal basis for processing personal data
HCC is a Community Interest Company providing community housing support and care services.
.The legal bases for the majority of our processing is:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is:

Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:

Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

Where we process special categories data, for example data concerning including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR.
Where we are processing special categories personal data for purposes related to the provision of housing, support and care services the condition is:
Where we process special categories data for employment or safeguarding purposes the condition is:

Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security
and social protection law…

HCC may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the
purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:

Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.

Where we process special categories of personal data for these purposes, the legal basis for doing so is:

Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
Article 9(2)(g) – processing is necessary for reasons of substantial public interest.

In ‘How We Use Your Information’ we set out most of the key ways in which we may process your personal data for the purposes of, or in connection with the services we offer.

How long do we keep information about you?
We will only hold information about you for as long as is necessary for delivery of our services to you, or as governed by statutory requirements.

Your Rights
The GDPR includes a number of rights that are more extensive that those in the Data Protection Act 1998. We must generally respond to requests in relation to your rights within one month,
although there are some exceptions to this.
The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a
request to exercise a right. Your rights and how they apply are described below.

Right to be informed
Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of access
You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.
A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody
else’s physical or mental health.

Right to rectification
You have the right to ask us to rectify any inaccurate data that we hold about you.

Right to erasure (‘right to be forgotten’)
You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds
to continue to process the data.
How to access your personal information or make a request in relation to other rights
Requests may be made in writing or by speaking to us. All requests will be recorded, and you may need to provide information to verify your identity and enable us to locate the information:
Full name, address, and date of birth.
An indication of what information you are requesting to enable us to locate this in an efficient manner.

How We Use Your Information
Your information is used to deliver and improve the services that HCC provides. It may be used to:
Ensure that the services you receive are right for you
Ensure the right people are involved in delivering services, at the right time
Check and report on how effective HCC has been in providing services to you, other people and the community
Communicate directly with you about service availability and activities or events that HCC might be involved in from time to time
Check and report on the effectiveness of services HCC has commissioned from other providers
Investigate complaints, legal claims, or serious incidents
Make sure services are planned to meet peoples’ needs in the future
Review the support given to make sure it is of the highest possible standard
To improve the efficiency of housing service, by sharing information with other organisations for a specific, legally justified purpose that has been documented
Support HCC when seeking reimbursement for services that have been provided (but the amount of information used will be the minimum necessary)
Fulfil our contractual obligations

Information Sharing
To support our functions, we may share your information for health purposes and for your benefit with other organisations such as General Practitioners, Charities, Community Interest Companies
and Local Authorities.
Where information sharing is required with third parties, we will always have a relevant contractual obligation in place and will not disclose any detailed information without your explicit consent unless
there are exceptional circumstances such as when the health or safety of yourself or others is at risk, where the law requires it, or to carry out a statutory function.
We may be asked to share basic information about you, such as your name and address which does not include sensitive information where HCC, holds such information. This would normally be to
assist another organisation to carry out their own statutory duties.

Sharing Information with the Care Quality Commission (CQC)
The CQC has powers under the Health and Social Care Act 2008 to access and use information where they consider it necessary in order to carry out their functions as a regulator. The CQC
relies on its legal powers to access information rather than consent, therefore may use its powers to access records even in cases where objections have been raised. As a health and care provider
ECCH is required to comply with CQC requests for access to records.
More detail on how CQC ensure compliance with data protection law (including GDPR) and their privacy statement is available on the CQC website.