NSCM Privacy Notice describes how we use information, particularly information that relates to you. NSCM is a registered Data Controller with the Information Commissioner’s Office (ICO), under registration number Z8473128, for the purpose of collecting and processing personal information. Who do we collect information about? NSCM collects records and holds information on all young people and adults who have been referred for accommodation and / or outreach support and have taken up a placement. We need to know your personal data / information so that we can provide you with the right accommodation and outreach support to meet your needs.
What personal data / information do we hold and do we collect this information?
Your basic personal data / information may be provided to us by the referrer (social worker or statuary agency) when they refer you to NSCM for a service. When contacting us, you and the referrer will be asked for personal information such as name, address, postcode etc. Information collected to inform the request for a service will include, for example:
• Personal details
• Family details
• Lifestyle and social circumstances
• Financial details
• Employment and education
• Offences and alleged offences
Some information is special due to its sensitivity, it may include:
• Physical or mental health details
• Sex life
• Sexual orientation
• Racial or ethnic origin
• Religious or other beliefs of a similar nature
• Political opinion
• Genetic and biometric data
This might be collected in person, over the phone or via forms sent through secure email or password protected.
Information may also be shared with us by another organisation due to NSCM being part of a package of support being provided. This may include organisations such as national and local NHS bodies, Local Authorities, Police, probation, colleges and schools.
What is the lawful base for NSCM using your personal data / information?
The law on data protection allows us to process your data for certain reasons only. The information below categories the type of data processing NSCM undertake and the lawful basis we rely on.
|NSCM Application form
Personal details, special categories, history, life style, social circumstances risk assessment.
Name, address, phone numbers, gender, national insurance number, right to work in UK, GP, next of kin, education, financial details, criminal convictions, risk assessment.
Physical or mental health, disability, sex life, sexual orientation, race, ethnic origin, political opinion, immigration status, religion, genetic and bio-metric data.
Circumstance that may pose a risk to you or NSCM staff or professionals, how to support you and how to manage the risk.
Record of any contact with you, any professional working with you, family or friends, in person, by phone or email.
|Daily / Weekly / Monthly summary report
Updates to social worker about how you are getting on in placement, any risks, successes, strengths.
Record of changes and significant events and incidences. Factual information, transitions, issues, interventions by NSCM and / or professionals.
|Accident / incident / injury reports / RIDDOR
Accidents and any treatment or hospitalisation, physical or verbal incidences towards NSCM staff or property.
|Safeguarding form or Cause for Concern form
Details - reporting a safeguarding or concern to social workers , police or appropriate agencies.
|Missing Person Form
If you go missing from placement, details of what may have triggered you going missing and risks form is shared with social workers, police or appropriate agencies.
Skills Assessment FormAssessment of how you getting on living independently.
Where you need support and what action is required and by whom.
When you ask NSCM staff to speak to an agency on your behalf, or where we may suggest that we can speak to an agency in your behalf.
How do we use personal data / information?
NSCM holds personal data / information to enable us to provide appropriate accommodation and outreach support packages to young people and adults, to refer to specialist services, to maintain our accounts and records. We may also use information to:
• Deliver services and support to you
• Manage services we provide to you
• Producing assessments of the health and care needs, child protection or safeguarding
• Contribute to assessments that may result in the young people and adults being taken into care under mental health law / safeguarding or child protection framework
• Identifying priorities for action
• Informing decisions on planning of new services
• Identifying staff training needs
• Help investigate any worries or complaints check the quality of the services
How the law allows us to use your personal data / information
We collate and use personal data / information where:
• You or your legal representative have given consent
• You have entered into an agreement / contract with us
• To perform our statutory duties
• To protect someone in an emergency
• To deliver health and social care services
• It is required by law
• To protect public health
Information security and data sharing
NSCM is a data controller for the purposes of the General Data Protection Regulation (GDPR) May 2018.When processing your personal information we will aim to do so fairly, lawfully and in line with the GDPR. Information will not be held for longer than required and will be disposed of securely.
We will work in an open and transparent way, discussing and /or sharing any reports, updates and assessments written by your outreach worker, with you, before sending them to your social worker. We will only share your personal data / information after discussions with you, with appropriate organisations such as the NHS, health care professionals, social care and welfare organisations.
The Care Quality Commission and / or Ofsted may also access your information as part of an inspection or monitoring process of NSCM. We will only share personal data / information once the necessary legal basis has been established and data protection safeguards have been verified. See Lawful basis above.
We will not give or sell your information to any third party for marketing purposes.
What are your rights?
You have the right to ask for all the information we have about you. When we receive a request from you in writing, we must give you access to everything that we have recorded about you. If you can’t request this in writing, please talk to you Outreach Worker who will consider another way to enable you to make this request.
However, we are unable to let you see any information held in your records which contain confidential information about other people or where a professional thinks this will cause serious harm to you or some else.
'Right to be forgotten’ – you can ask for information to be deleted
In some circumstances you can ask for your personal data/ information to be deleted. For example, where there is no legal reason for us to use it. If you believe the information we hold is wrong you have the right to have it corrected or deleted.
Information required by law cannot be deleted where it is used for public health purposes or if it is necessary for legal claims.
Limit the use of your personal data/ information
You can request us to restrict what we use your personal data/ information for where you have identified inaccurate information, and have told us about it.
Where possible we will seek to comply, but we may not be able to where we need to hold or use your information because we are required to by law.
How we protect your personal data/ information
We hold all records about you (paper or electronically) securely and only make them available to those who have the right to see them.
We secure information by using secure emails; hiding parts of your personal information from view and password protect electronic documents.
We ensure that emails are sent without revealing addresses to other recipients and use blind carbon copy (bcc), not carbon copy (cc). We also check group email addresses and only send the message to the people that need to see it.
Paper documents are held in a secure cabinet and locked room / office.
Paper is shredded and disposed of securely.
NSCM mobile phones and devises used by staff in the course of their work with you are password protected.
How we keep NCSM safe and protect against online risks
NSCM IT equipment has firewalls and virus checking systems to protect your personal data / information. Staff working for or on behalf of NSCM are expected to protect their personal devises i.e. mobile phones / IT equipment, if used for NSCM business.
All devises / IT equipment are password protected; in addition, all files containing personal data / information held on this equipment are password protected.
NSCM take the following actions to minimise the risk of personal data / information being compromised:
• Train Staff
• Staff declaration and commitment to reporting data breach
• Email disclaimer
• Secure email and file transfer
• Delete suspicious emails
• Robust reporting mechanisms in the event of loss or stolen devises (laptops, I-Pads, tablets, mobile phones etc.)
• Strong password protection on all devises
• Download software updates
• Use of anti-virus software
• Decommissioning the removal data form devises / hardware no longer in use or obsolete
• Memory sticks password protected
• Refresh NSCM Policy & Procedures, and continue to review the procedures annually
NSCM have a storage device located at Head Office. The devise stores information on the Cloud and is backed each night. This system is encrypted to protect all stored data / information. Closed files are stored on the system.
NSCM rely on Egress Switch Secure Email and File Transfer to communicate and share information, and need to protect the personally and commercially sensitive data that staff share both internally and with external users. Egress Switch Secure Email and File Transfer provides easy-to-use, flexible email and file encryption that offers the highest levels of security and access controls. In addition to encrypting message content and attachments. Switch Secure Email and File Transfer provides total control over shared information in real time, with the ability to revoke access, audit user actions and add message restrictions to prevent data mishandling.
• Government and industry-certified data security
• Switch Secure Email and File Transfer features comprehensive government and industry-certified security and authentication, including email and file encryption at rest and in transit, multi-factor authentication, and customisable policy controls.
• Users can stay in control of their information after it has been shared both internally and externally by revoking recipient access, preventing actions such as download and copy / paste, and viewing audit logs.
• Switch is certified under NCSC Commercial Product Assurance, Common Criteria and ISO 27001:2013.
How long do we keep your personal data / information for?
We are required, by law to keep your personal information for a set period of time and this can range from months to decades for more sensitive records. Records for YP/A leaving care are retained from the date of birth + 75 years or 15 years after death of child (where child dies under 18. Adults with Mental Health difficulties and or subject to the Mental Health Act files are retained from the last action + 20 years.
The Data Compliance
Officer will investigate your complaint and respond within 15 working days.If that response does not fully address your complaint, or if you are still not satisfied with our actions, you can contact the Information Commissioner’s Office ('ICO'). The ICO is an independent official appointed to oversee the General Data Protection Regulations, May 2018. Further information can be found on the ICO web site, https://ico.org.uk/. The ICO's address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, and the phone number is 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.