Other

Introduction

NSCM Privacy Notice describes how we use information, particularly information that relates to you. NSCM is a registered Data Controller with the Information Commissioner’s Office (ICO), under registration number Z8473128, for the purpose of collecting and processing personal information. Who do we collect information about? NSCM collects records and holds information on all young people and adults who have been referred for accommodation and / or outreach support and have taken up a placement. We need to know your personal data / information so that we can provide you with the right accommodation and outreach support to meet your needs.

What personal data / information do we hold and do we collect this information? 

Your basic personal data / information may be provided to us by the referrer (social worker or statuary agency) when they refer you to NSCM for a service. When contacting us, you and the referrer will be asked for personal information such as name, address, postcode etc. Information collected to inform the request for a service will include, for example: 
• Personal details
• Family details
• Lifestyle and social circumstances
• Financial details
• Employment and education
• Offences and alleged offences 

Some information is special due to its sensitivity, it may include:
• Physical or mental health details
• Sex life
• Sexual orientation 
• Racial or ethnic origin
• Religious or other beliefs of a similar nature
• Political opinion
• Genetic and biometric data 

This might be collected in person, over the phone or via forms sent through secure email or password protected.

Information may also be shared with us by another organisation due to NSCM being part of a package of support being provided. This may include organisations such as national and local NHS bodies, Local Authorities, Police, probation, colleges and schools.  

What is the lawful base for NSCM using your personal data / information?

The law on data protection allows us to process your data for certain reasons only. The information below categories the type of data processing NSCM undertake and the lawful basis we rely on.

How do we use personal data / information? 
NSCM holds personal data / information to enable us to provide appropriate accommodation and outreach support packages to young people and adults,  to refer to specialist services, to maintain our accounts and records. We may also use information to: 
• Deliver services and support to you
• Manage services we provide to you
• Producing assessments of the health and care needs, child protection or safeguarding 
• Contribute to assessments that may result in the young people and adults being taken into care under mental health law / safeguarding or child protection framework
• Identifying priorities for action
• Informing decisions on planning of new services
• Identifying staff training needs 
• Help investigate any worries or complaints check the quality of the services

How the law allows us to use your personal data / information 
We collate and use personal data / information where:
• You or your legal representative have given consent
• You have entered into an agreement / contract with us
• To perform our statutory duties 
• To protect someone in an emergency 
• To deliver health and social care services
• It is required by law
• To protect public health

Information security and data sharing
NSCM is a data controller for the purposes of the General Data Protection Regulation (GDPR) May 2018.When processing your personal information we will aim to do so fairly, lawfully and in line with the GDPR. Information will not be held for longer than required and will be disposed of securely.  

We will work in an open and transparent way, discussing and /or sharing any reports, updates and assessments written by your outreach worker, with you, before sending them to your social worker. We will only share your personal data / information after discussions with you, with appropriate organisations such as the NHS, health care professionals, social care and welfare organisations. 

The Care Quality Commission and / or Ofsted may also access your information as part of an inspection or monitoring process of NSCM.   We will only share personal data / information once the necessary legal basis has been established and data protection safeguards have been verified. See Lawful basis above.

We will not give or sell your information to any third party for marketing purposes. 

What are your rights? 
You have the right to ask for all the information we have about you. When we receive a request from you in writing, we must give you access to everything that we have recorded about you. If you can’t request this in writing, please talk to you Outreach Worker who will   consider another way to enable you to make this request. 

However, we are unable to let you see any information held in your records which contain confidential information about other people or where a professional thinks this will cause serious harm to you or some else.

'Right to be forgotten’ – you can ask for information to be deleted
In some circumstances you can ask for your personal data/ information to be deleted. For example, where there is no legal reason for us to use it. If you believe the information we hold is wrong you have the right to have it corrected or deleted.

Information required by law cannot be deleted where it is used for public health purposes or if it is necessary for legal claims. 

Limit the use of your personal data/ information
You can request us to restrict what we use your personal data/ information for where you have identified inaccurate information, and have told us about it.

Where possible we will seek to comply, but we may not be able to where we need to hold or use your information because we are required to by law.

How we protect your personal data/ information
We hold all records about you (paper or electronically) securely and only make them available to those who have the right to see them. 

We secure information by using secure emails; hiding parts of your personal information from view and password protect electronic documents. 

We ensure that emails are sent without revealing addresses to other recipients and use blind carbon copy (bcc), not carbon copy (cc).  We also check group email addresses and only send the message to the people that need to see it. 

Paper documents are held in a secure cabinet and locked room / office.

Paper is shredded and disposed of securely.

NSCM mobile phones and devises used by staff in the course of their work with you are password protected. 

How we keep NCSM safe and protect against online risks
NSCM IT equipment has firewalls and virus checking systems to protect your personal data / information. Staff working for or on behalf of NSCM are expected to protect their personal devises i.e. mobile phones / IT equipment, if used for NSCM business.

All devises / IT equipment are password protected; in addition, all files containing personal data / information held on this equipment are password protected.  

NSCM take the following actions to minimise the risk of personal data / information being compromised:
• Train Staff  
• Staff declaration and commitment to reporting data breach
• Email disclaimer
• Secure email and file transfer
• Delete suspicious emails
• Robust reporting mechanisms in the event of loss or stolen devises (laptops, I-Pads, tablets, mobile phones etc.)
• Strong password protection on all devises 
• Download software updates
• Use of anti-virus software
• Decommissioning the removal data form devises / hardware no longer in use or obsolete 
• Memory sticks password protected
• Refresh NSCM Policy & Procedures, and continue to review the procedures annually

NSCM have a storage device located at Head Office. The devise stores information on the Cloud and is backed each night. This system is encrypted to protect all stored data / information. Closed files are stored on the system.  

NSCM rely on Egress Switch Secure Email and File Transfer to communicate and share information, and need to protect the personally and commercially sensitive data that staff share both internally and with external users. Egress Switch Secure Email and File Transfer provides easy-to-use, flexible email and file encryption that offers the highest levels of security and access controls. In addition to encrypting message content and attachments. Switch Secure Email and File Transfer provides total control over shared information in real time, with the ability to revoke access, audit user actions and add message restrictions to prevent data mishandling.  

Standards:
• Government and industry-certified data security
• Switch Secure Email and File Transfer features comprehensive government and industry-certified security and authentication, including email and file encryption at rest and in transit, multi-factor authentication, and customisable policy controls. 
• Users can stay in control of their information after it has been shared both internally and externally by revoking recipient access, preventing actions such as download and copy / paste, and viewing audit logs. 
• Switch is certified under NCSC Commercial Product Assurance, Common Criteria and ISO 27001:2013. 

How long do we keep your personal data / information for?
We are required, by law to keep your personal information for a set period of time and this can range from months to decades for more sensitive records. Records for YP/A leaving care are retained from the date of birth + 75 years or 15 years after death of child (where child dies under 18. Adults with Mental Health difficulties and or subject to the Mental Health Act files are retained from the last action + 20 years.

If you have concerns about how we use your personal information You can make a complaint if you have a concern about the way the NSCM is handling your information you can email  This email address is being protected from spambots. You need JavaScript enabled to view it., or you can complete an NSCM Complaint / Compliment form which can be downloaded from www.nscm.co.uk or contact NSCM Compliance Officer Philip Savva on Tel: 0208 211 3663.  

The Data Compliance 
Officer will investigate your complaint and respond within 15 working days.If that response does not fully address your complaint, or if you are still not satisfied with our actions, you can contact the Information Commissioner’s Office ('ICO'). The ICO is an independent official appointed to oversee the General Data Protection Regulations, May 2018. Further information can be found on the ICO web site, https://ico.org.uk/. The ICO's address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, and the phone number is 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

ISO 9001 Introduction / Awareness Information

Summary:
The Standard: - ISO 9001 – “Quality Management Systems” is a written set of guidelines (a framework), which any organisation can follow, in order to help control operations.  The overall aim of a quality management system is that the customer requirement is clearly understood and effectively delivered.‘ISO 9001’ specifies that certain activities should be under control and particular records must be maintained. 

What does ISO 9001 'Certification' mean?WHAT DOES ISO 9001 ‘CERTIFICATION’ MEAN?
Once an organisation has established suitable processes and records, a third party certification body is invited to assess the compliance of the ‘Quality Management System’, against the requirements of the standard.  If satisfied, they grant certification (sometimes referred to as ‘ISO 9001 Registration’), which can then be forwarded to interested parties as evidence of well-structured and diligent practices and a ‘Registered Logo’ can be displayed on corporate information.  ISO 9001 is internationally recognised, with over a million certificated organisations, worldwide. 

The assessment process:
Our selected Certification Body, who carries out the ISO 9001 assessments, is the British Standards Institution (BSI).  A representative from BSI regularly visits us to carry out assessments, within which he/she verifies that we comply with all of specified requirements of the standard, by sampling documentation, speaking to personnel and observing departments and practices. 

Why do we use ISO 9001?
There are various reasons why organisations, such as us, choose to adopt this standard. 
1. The quality management system is a useful tool to help us define and monitor our processes and to ensure that we are in compliance with customer expectations and industry requirements.
2. It provides an independent benchmark to verify that we are indeed following the high standards that we set for ourselves and that the overall service provided to the customer is at a consistently high level.
3. Customers and other external stakeholders often expect that their service providers, such as us, are able to demonstrate compliance with this quality standard through accredited third party certification. 

Who is involved in ISO 9001?
In short… everyone who carries out work on behalf of Next Step.  - For example, directors set out policies, procedures, objectives, and these are implemented and adhered to throughout the workforce. 

We are supported in development and implementation of our ISO system by consultants from Admac Ltd. 

The Next Step Care Management policy/procedures and documentation,  that comprises our quality system can be found via the NSCM staff website, or also available electronically via:  www.admac.co.uk/gateway. 

Policy Statement:
Within our quality management system, we have defined a ‘Policy Statement’.  To paraphrase, this is the senior management’s endorsement that we shall comply with customer requirements, and commit to continually improve through the setting of objectives.  It is the responsibility of every member of the company to do whatever he/she reasonably can, to control and improve our corporate quality performance.