GDPR Policy

1. Introduction

Shaw Lifetime Care Limited is a wholly owned subsidiary of The Shaw Foundation and elements of our data protection policy will inevitably have to fall in line with that of the Group. We do however work autonomously to the Group Companies and feel it is therefore appropriate to maintain our own policies which will remain under constant review locally.

Shaw Lifetime Care Limited is a Property Rental and Management Company which sells a product to the elderly market, known as the Care and Home Inheritance Plan.

Shaw Lifetime Care Limited is registered with the ICO, licence number ZA220873. The registered address held by the ICO for Shaw Lifetime Care Limited is L3, Alder Suite, 1st Flr, C, North Mamhilad House, Mamhilad Park Estate, Pontypool, Torfaen, Wales, NP4 0HZ. The Company was registered on 2nd December 2016 and the expiry date of the registration is 1st December 2023.

The EU General Data Protection Regulation (GDPR) became operative on 25 May 2018. It replaced the 1995 EU Data Protection Directive (European Directive 95/46/EC), strengthening the rights that EU individuals have over their data, and creating a uniform data protection law across Europe. These provisions supplement the requirements of the Data Protection Act (The Act). 

2. Shaw Lifetime Care Limited’s Services and Approach

In order to perform the daily duties of running our business, Shaw Lifetime Care Limited collects and uses certain types of information relating to our clients and other service users.

This personal information is collected and dealt with appropriately whether it is collected on paper, stored in a computer database or recorded on other material. Shaw Lifetime Care Limited has put in place safeguards to ensure this information is protected under the Data Protection Act 1998 and General Data Protection Regulation (GDPR).

Our data protection policy outlines what Shaw Lifetime Care Limited does with the data that is collected, who it will be shared with and how it is stored. 

3. Shaw Lifetime Care Limited’s Commitment

Shaw Lifetime Care Limited complies with the GDPR regulations as a ‘Data Processor’ and where applicable as a ‘Controller’. We will assist our clients wherever possible to meet their GDPR obligations.

This policy sets out Shaw Lifetime Care Limited’s approach to the protection of data for all clients and other service users with whom we interact including our employees. Shaw Lifetime Care Limited wishes to stress the high level of importance that it places upon complying with the requirements of GDPR. 

4. Data Controller and Data Processor

Shaw Lifetime Care Limited can be both a Data Processor and a Data Controller under the regulations.

Shaw Lifetime Care Limited is a Data Controller as it collects and uses personal data. It determines how and when data will be processed.

Shaw Lifetime Care Limited is a Data Processor when data is being processed on behalf of our clients.

Shaw Lifetime Care Limited is also responsible for notifying the Information Commissioners Office (ICO) of the data it holds or is likely to hold, and the general purposes that this data will be used for.

The current registration shows the nature of our work as General Business and the reasons we hold and process data. (See Appendix 1. For details)

Shaw Lifetime Care Limited’s Chief Executive Officer is responsible for ensuring that we comply with all provisions within this policy and the Act. 

5. Data Protection Principles

Shaw Lifetime Care Limited regards the lawful and correct treatment of personal information as critical to maintaining the confidence of those with whom we deal. To this end, Shaw Lifetime Care Limited will adhere to the Principles of Data Protection, as detailed in the Data Protection Act 1998. Specifically, the Principles require that personal information:

• Shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
• Shall be obtained only for one or more of the purposes specified in the Act, and shall not be processed in any manner incompatible with those purposes
• Shall be adequate, relevant and not excessive in relation to those purposes,
• Shall be accurate and, where necessary, kept up to date
• Shall not be kept for longer than is necessary
• Shall be processed in accordance with the rights of data subjects under the Act,
• Shall be kept secure by the Data Controller who takes appropriate technical and other measures to
• prevent unauthorised or unlawful processing or accidental loss or destruction of, or damage to, personal information
  
• Shall not be transferred to a country or territory outside the European Economic Area. 

6. Disclosure

Shaw Lifetime Care Limited may share data that it could reasonably be expected to with other agencies such as local authorities or the police or other parties who will operate the Care and Home Inheritance Plan. Staff are encouraged to not discuss work related matters whilst away from the office where other external parties could overhear or with third parties, unless the requirement is specific to the job.

There are circumstances where the law requires Shaw Lifetime Care Limited to disclose data (including sensitive data) without the data subject’s consent. These are:

• Carrying out any legal duties or as authorised by the Secretary of State
  
• Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  
• Data can be shared with clients’ (the auditors, regulators or a client company director)

Where necessary in order for them to monitor our work and maintain the Data Processing obligation of the client and agent relationship. 

7. Data Collection

Shaw Lifetime Care Limited will ensure that data is collected within the terms set out in this policy. This applies to data that is collected in person or in the written word from the completion of a form. When collecting data, Shaw Lifetime Care Limited will ensure that the client clearly understands what the data will be used for and what the consequences are should the Individual/Service User decide not to give consent to processing. 

8. Shaw Lifetime Care Limited Staff Roles and Responsibilities

Shaw Lifetime Care Limited Managers are responsible for:

• Ensuring that data protection requirements are observed
  
• Providing clear messages to their staff regarding appropriate processing of the personal data that they handle
  
• Identifying and addressing training needs within the team
  

All employees are responsible for:

• Complying with the data protection principles, as supported by the Policy, guidance on the application of the Policy and associated policies and guidance, such as the Shaw Lifetime Care Limited IT Security Policy and Procedures
  
• Contacting their manager for guidance if they are in any doubt about how they should deal with certain personal data
  
• Only processing personal data in the manner that is authorised for the purpose of carrying out their responsibilities or with management authorisation.

Shaw Lifetime Care Limited takes data protection compliance very seriously; any breach of data protection legislation, local data protection procedures and/or the provisions of the Data Protection Policy may render staff liable to internal disciplinary proceedings. Staff should be aware that it is a criminal offence to breach certain provisions of the Act and GDPR regulations. Knowingly or recklessly obtaining or disclosing personal data may leave an individual employee liable to prosecution

9. Data Storage

Shaw Lifetime Care Limited is accountable to maintain control of confidentiality of its and its clients’ records. Shaw Lifetime Care Limited must therefore take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure.

Shaw Lifetime Care Limited will ensure that data is collected and stored safely and securely. This may include:

• Using lockable cupboards (restricted access to keys)
  
• Archived data is kept off site with a secure third-party storage company, The Maltings in Cardiff
  
• Password protection on IT systems, which users are expected to change frequently.
  
• Emails are to be routinely deleted after a period of 6 months and archived.
  
• Setting up computer systems restricting access to certain areas for certain users.
  
• Copies of programs or data must not be taken or removed from Shaw Lifetime Care Limited's premises without the express permission of a Line Manager. However, when data is taken off site on laptops and mobiles, Shaw Lifetime Care Limited aims to protect the data on these medias by instructing staff to log-on to the network using their own account and keeping their passwords confidential. Laptops are all fully encrypted.
  
• Back up of data on computers kept on separate hard drives on a secure server on site
  
• A restriction on use of personal memory sticks
  
• A restriction on staff logging into non work related internet sites 

Information will be stored for only as long as it is needed or required by statute and will be disposed of appropriately. All paperwork which is no longer required is cross-cut shredded.

It is Shaw Lifetime Care Limited’s responsibility to ensure all personal and company data is non- recoverable from any computer system previously used within the organisation, which has been passed to a third party. 

10. Access and Accuracy

Client, Employees and other Stakeholders whose personal information is processed by Shaw Lifetime Care Limited have the right to know:

• What information we hold and process on them
  
• How to gain access to this information
  
• How to keep it up to date
  
• What controls we have in place to ensure we comply with the Act.

Clients also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information determined to be wrongfully collected. Clients have a right under the Act to access certain personal data being kept about them on computer and certain files.

The following information will be required before access is granted:

• Full name and contact details of the person making the request
  
• Their relationship with Shaw Lifetime Care Limited
  
• Any other relevant information - e.g. timescales involved
  
• Reference number held on record by Shaw Lifetime Care Limited – e.g. Unique Client/
• Property reference (Shaw Lifetime Care Limited may also require proof of identity before access is granted.)

Queries about handling personal information will be dealt with swiftly and politely.

Shaw Lifetime Care Limited will aim to comply with requests for access to personal information as soon as possible but will ensure it is provided within the 40 days required by the Act from receiving the written request. This policy was last updated in March 2020 and will be reviewed regularly and updated as necessary to reflect any additional regulatory requirements as well as best practice in data management, security and control.