Introduction

N-Compass respect your privacy and we are committed to protecting your personal data. This privacy notice explains how we collect and use personal information about you when you are referred to our services, or, when you are the next of kin, family member or carer of someone who receives our services. This includes the provision of Carer, Advocacy, Counselling, Wellbeing and Volunteering Services.

Our contact details

N-Compass is a data controller under the Data Protection Act 2018 because we collect, store, share and use personal data to provide our services. Your personal data will also be used to plan our services and to make sure those services are as good as they can be.

Our registered address is Edward VII Quay, Navigation Way, Ashton-on-Ribble, Preston, PR2 2YF. n- compass is registered with the Information Commissioner’s Office (ICO) Registration number: Z1718763.

We take our duty to protect your personal data and maintain confidentiality very seriously. We are committed to taking all reasonable measures to make sure the personal data we are responsible for is kept securely.

Our Data Protection Champion is Asher Ayres who can be contacted by writing to; Asher Ayres, N-Compass, Edward VII Quay, Navigation Way, Ashton-on-Ribble, Preston, PR2 2YF, by emailing as*********@***********rg.uk or by phone on 01772 280030.

Information we collect about you and where we collect it from

Our professionals caring for you need to keep records about you including your health, treatment, care and support that you receive from N-Compass.

Most of the information we process is provided to us directly by yourself but some of the information may come from other organisations e.g., referrals from GPs, social care agencies or hospitals. We process this information because it is necessary to enable us to provide the most effective and relevant care and support for you.

The use of these records will ensure that you receive the best possible care and support. These may be recorded on paper or in electronic form.

They include but are not limited to:

• basic personal details about you such as your name, address, date of birth, next of kin etc.
• contacts and interactions we have had with you such as telephone calls, emails, appointments or visits to our services
• notes and reports about your circumstances including health, treatment care and support
• relevant information from other people involved in your care and support such as health professionals, relatives and carers
• sometimes we ask people who use our services to let us use images and videos to share the work we undertake with the public. We will always ask for your consent before we do this.

We will collect similar personal data from others who refer individuals to us in their professional capacity.

It is essential that your details are accurate and up to date. Always check that your personal details are correct when you visit us and please inform us of any changes as soon as possible.

Our legal basis for processing your data

N-Compass is a charity (a private company limited by guarantee) operating across the North of England to help people regain control of their lives, providing hope and a sense of purpose, through the provision of Carers, Advocacy, Wellbeing, Counselling and Volunteering Services. Our business is based on statutory powers which underpin the legal bases that apply for the purposes of the UK General Data Protection Regulations (UK GDPR).

Our primary lawful bases for the majority of our processing are:

• Article 6(1)(f) – the processing of personal data is necessary for the purposes of the legitimate interests pursued by N-Compass or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data. The legitimate interest we rely on are:
  • To fulfil the charitable purpose of N-Compass as a health and social care provider. If we are unable to process your personal data, we will be unable to provide you with the health and social care services you need, and we will not be able to meet our contractual obligations with our commissioners (ICBs and Local Authorities) or meet our legal obligations with our regulators,
  • To fulfil the charitable purposes of N-Compass. For example, if we are unable to fundraise then we will not be able to continue to provide our provision of Carers, Advocacy, Wellbeing, Counselling and Volunteering Services,
  • The health and safety of our visitors, service users and sites.

• Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:

• Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.

Where we have a specific legal obligation that requires the processing of personal data, for example the processing is necessary for compliance with our legal obligations in relation to our regulators, the legal basis is:

• Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

We may also use your personal information in the following situations, which are likely to be rare:

• Where we need to protect your vital interests (or someone else’s interests), for example in a medical emergency where your information needs to be shared with the ambulance services,
• Where it is needed in the public interest or for official purposes, for example during the Covid pandemic.
• Article 6(1)(a) – the individual has given clear consent for us to process their personal data for a specific purpose.

Special category information

Where we process special category data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR.

N-Compass only uses your confidential health information (information that identifies you and says something about your health, care and treatment, including your mental health) to provide you with direct care and support, and it is only shared with others for the purposes of providing care and support as set out in this privacy policy.

Where we are processing special category personal data for purposes related to the commissioning and provision of health and social care services the condition is:

• Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.

Where we process special category data for safeguarding purposes the condition is:

• Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law.

We may also share your data with our trusted legal partners to defend our legal rights – for example to resolve a serious complaint.

How we use your information and how we share it

Personal information relates to a living individual who can be identified from that data. We comply with the relevant Privacy legislation (UK General Data Protection Regulation & the Data Protection Act 2018) by ensuring that personal information about you is used fairly and in accordance with the eight data protection principles. These principles are there to protect you and they make sure that we:

• Don’t hold more information about you than we need,
• Ensure information we hold about you is accurate,
• Keep it secure and protected from loss, misuse, unauthorised access and disclosure,
• Keep it only for as long as it is necessary and
• Ensure that all personal data is processed lawfully and legally.

We only use your personal information to enable us to provide our services.

Your personal information (including health records) is used to direct, manage, and deliver the care and support you receive to ensure that:

• The professionals involved in your care have accurate and up to date information to assess your health and decide on the most appropriate care and support for you (Carers, Advocacy, Wellbeing, Counselling and Volunteering),
• Healthcare professionals (including partner organisations) delivering your care have the information they need to be able to assess and improve the quality and type of care you receive,
• Appropriate information is available if you see another professional or are referred to a specialist or another part of the health and social care sector.

Your information will also be used to help manage the services we provide and protect the health of the public by being used to:

• Review the care and support we provide to ensure it is of the highest standard and quality,
• Protect the health of the general public,
• Manage our services,
• Ensure our services can meet service user needs in the future,
• Investigate service user queries, complaints, and legal claims,
• Prepare statistics on our performance,
• Undertake health and care research and development,
• Help train and educate our health and social care professionals,
• Ask you for feedback about our services,
• Resolve any complaints you may have about services.

To ensure that N-Compass provides you with an efficient and effective service we will sometimes need to share your information with other organisations. Anyone who receives information from us has a legal duty to keep it confidential.

We may also need to share your information with other health and social care service providers, for example to make referrals on your behalf. If something you’ve told us makes us think you or someone else are at serious risk of harm, we might need to tell the police or social services, this will take place without your consent or on very rare occasions without your knowledge where the circumstances require us to do so.

We will never share your information with any external organisation for marketing purposes.

How we store your personal data

Your information is securely stored on our IT servers or on our premises. We have appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized manner, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.

They will only process your personal data on our written instruction, and they are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know.

They will only process your personal information on our instructions, and they are subject to a strict duty of confidentiality.

We will only retain your information for as long as we need to legally keep records in accordance with charity, company law and funding and regulators terms and conditions. Once this period has elapsed, we will then securely dispose of all data relating to you in accordance with our retention and deletion policies.

We will then securely dispose of your personal data in line with recommended deletion processes.

Is your personal data transferred to other countries?

Very rarely your data may be processed outside of the UK, though it will remain within the European Economic Area (EEA) and will have the same protection as if processed within the UK. When this is outside the EEA, we will ensure the appropriate data protections are in place prior to transfer.

Your rights

Under data protection law, you have rights including:

Right to be informed

You have a right to be informed if your personal data is being used. Most of this right to be informed is met in this privacy notice, and similar information when we communicate with you directly – at the point of contact.

Right of access

You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR (commonly known as a Subject Access Request or SAR), although there are exceptions to what we are obliged to disclose.

For example, we may not provide all the information, where in the opinion of an appropriate health or social care professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health, or it refers to other individuals.

You will not usually have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

To submit a Subject Access Request, you can speak to the worker supporting you or you can contact our Caldicott Guardian by writing to Asher Ayres, N-Compass, Edward VII Quay, Navigation Way, Ashton-on-Ribble, Preston, PR2 2YF, by emailing as*********@***********rg.uk or by phone on 01772 280030.

Right to rectification

You have the right to ask us to rectify any inaccurate data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Right to erasure (‘right to be forgotten’)

You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process and store your data.

Right to object

You have the right to object to the processing of personal data about you on grounds relating to your particular situation. The right is not absolute, and we may continue to use the data if we can demonstrate compelling legitimate grounds.

Right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Right in relation to automated individual decision-making

You have the right to object to being subject to a decision based solely on automated processing, including profiling.

Right to notification

You have the right to be notified if there has been a breach with regards to your personal data that we hold. This right is enforced if the breach is likely to result in a high risk of adversely affecting your rights and freedom.

Right to data portability

You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes.

Changes to this policy

Any changes we may make to our privacy policy in the future will be posted on our website https://www.N-Compass.org.uk/

Any significant changes will be brought to your attention at the time of us providing our service to you.

Complaints

Please contact us if you feel we have not complied with your privacy rights or any of the above privacy requirements. You can contact us via our Data Protection Champion by writing to: Asher Ayres, N-Compass, Edward VII Quay, Navigation Way, Ashton-on-Ribble, Preston, PR2 2YF, by emailing as*********@***********rg.uk or by phone on 01772 280030.

You have the right to complain to the Information Commissioner if you are not happy with any aspect of how we have processed your personal data or believe that we are not meeting our responsibilities as a data controller.

The contact details for the Information Commissioner are: Information Commissioner’s Office

Wycliffe House
Water Lane
Wilmslow SK9 5AF

September 2023