Sunnybrook Care Home - Data Protection Consent Form
Sunnybrook Care Home uses your personal data for a number of different reasons. Personal data is any information that identifies you or, in some cases, information that is about you such as an opinion. It includes your name, email address, postal address, job role, photographs, CCTV and more sensitive types of information such as medical and health records, your care plan, information about your religious beliefs, origin and race, your sexual orientation and your political views.
When we use your personal data, we comply with the data protection law in place in the UK, which is known as "GDPR" (short for the General Data Protection Regulation). It allows us to use your personal data for a number of reasons without checking with you that it's OK for us to do so, for example, where we can show that we have legitimate reasons to use your personal data or where we need to use your personal data to provide you with the services you have requested from us, or to meet a legal obligation placed on us.
However, in some situations, we need you to confirm that you are happy for us to use your personal data.
Our privacy promise to you
We ask that you read this privacy promise carefully as it contains important information on who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information and on how to contact us and other organisations in the event you have a complaint.
Please see the section on YOUR RIGHTS for more information.
SCOPE OF OUR PRIVACY NOTICE
This privacy notice applies to anyone who interacts with us about our services (‘you’, ‘your’), in any way (for example, by email, through our website, by phone, through our app). We will give you further privacy information if necessary for specific contact methods or in relation to specific services.
This privacy notice applies to you if you ask us about or use our services. It describes how we handle your information, regardless of the way you contact us (for example, by email, through our website, by phone, through our app and so on). We will provide you with further information or notices if necessary, depending on the way we interact with each other. For example, if you use our apps, we may give you privacy notices which apply just to a particular type of information which we collected through that app.
If you have any questions about this, please contact us at info@sunnybrookcarehome.co.uk
 
Introduction
We are Sunnybrook Care Home. In order that we can provide care and residential support services to the people we support, we collect and use certain personal information about you.
Personal information means any information about you from which you can be identified, but it does not include information where your identity has been removed (anonymous data).
As the ‘controller’ of personal information, we are responsible for how that data is managed. The General Data Protection Regulation (GDPR), which applies in the United Kingdom and across the European Union, sets out our obligations to you and your rights in respect of how we manage your personal information.
As the ‘controller’ of your personal information, we will ensure that the personal information we hold about you is:
· Used lawfully, fairly and in a transparent way
· Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes
· Relevant to the purposes we have told you about and limited only to those purposes
· Accurate and kept up to date
· Kept only as long as necessary for the purposes we have told you about
· Kept securely
If you have any questions about this privacy promise or would like further explanation as to how your personal information is managed then please contact us (see HOW TO CONTACT US below). Please note when we refer to:
A ‘public body’ we mean any organisation in the United Kingdom which delivers, commissions or reviews a public service and includes (but is not limited to) the Ombudsman, local authorities, councils, unitary authorities, clinical commissioning groups, health and social care trusts, the National Health Service as well as their arm’s length bodies and regulators.
A ‘social or health care professional’ we mean any person who provides direct services, acts as consultant or is involved in the commission of your healthcare or social care services, including (but not limited to) your general practitioner (GP), dental staff, pharmacists, nurses and health visitors, clinical psychologists, dieticians, physiotherapists, occupational therapists, hospital staff, social workers and other care and support related professionals.
HOW WE COLLECT PERSONAL INFORMATION
In relation to people who enquire about or use our services
We collect personal information from you and from third parties (anyone acting on your behalf, for example, brokers, health-care providers and so on). Please see below for more information.
Where you provide us with information about other people, you must make sure that they have seen a copy of this privacy notice and are comfortable with you giving us their information.
We collect personal information from you:
· through your contact with us, including by phone (we may record or monitor phone calls to make sure we are keeping to legal rules, codes of practice and internal policies, and for quality assurance purposes), by email, through our websites, through our apps, by post, by filling in application or other forms, through social media or face-to-face (for example, during open home care service events or in our offices), and during the course of providing care and support services to you.
We also collect information from other people and organisations.
For all our customers, we may collect information from:
· a family member, or someone else acting on your behalf;
· doctors, other clinicians and health-care professionals, hospitals, clinics and other social or health care providers;
· public bodies; and
· sources which are available to the public, such as the edited electoral register or social media.
CATEGORIES OF PERSONAL INFORMATION
We process two categories of personal information about you and (where this applies) your dependants:
· standard personal information (for example, information we use to contact you, identify you or manage our relationship with you); and
· special categories of information (for example, health information, information about your race, ethnic origin and religion that allows us to tailor your care).
For more information about these categories of information, see below.
Standard personal information includes:
· contact information, such as your name, username, address, email address and phone numbers;
· emergency contacts (i.e. name, relationship and home and telephone numbers);
· your likes, dislikes and lifestyle preferences;
· the country you live in, your age, your date of birth and national identifiers (such as your National Insurance number or passport number);
· details of any contact we have had with you, such as any complaints or incidents;
· financial details, such as details about your payments and your bank details;
· information about how you use our services, such as complaints, compliments, concerns or feedback surveys;
· LPAs; and
· information about how you use our website, apps or other technology, including IP addresses or other device information (please see our COOKIES POLICY for more details).
The provision of your name and home address is required so that we can arrange a care worker to attend your home to deliver the services and so that we can invoice you for the fees.
Special category information includes:
· information about your physical or mental health (including allergies), including genetic information or biometric information (we may get this information from application forms you have filled in, from notes and reports about your health and any treatment and care you have received or need, or it may be recorded in details of contact we have had with you such as information about complaints or incidents, and referrals from your existing care provider, quotes and records of medical services you have received); any accidents and incidents or near misses you may have been involved in whilst on our premises or whilst our employees are delivering a regulated service to you – this may include details of injuries and treatment you may have received.
· information about your race, ethnic origin and religion, marital status or other beliefs (we may get this information from your list of preferences to allow us to provide care that is tailored to your needs)
WHAT WE USE YOUR PERSONAL INFORMATION FOR
We process your personal information for the purposes set out in this privacy notice. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing). We normally process standard personal information if this is necessary to provide the services set out in a contract, it is in our or a third party’s legitimate interests or it is required or allowed by any law that applies. Please see below for more information about this and the reasons why we may need to process special category information.
By law, we must have a lawful reason for processing your personal information. We process standard personal information about you if this is:
· necessary to provide the services set out in a contract − if we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you and your dependants with our home care services);
· in our or a third party’s legitimate interests − details of those legitimate interests are set out in more detail below;
· required or allowed by law (to comply with our obligations to the care regulator)
We process special category information about you because:
· it is necessary to provide health or social care or treatment, or to manage health-care or social-care systems (including to monitor whether we are meeting expectations relating to our service performance):
o Prepare, review and update a suitable care plan, describing the nature and level of care and support services which you have requested we supply to you
o To communicate with you, your representatives and any appropriate external social or health care professionals about your individual needs and personalise the service delivered to you
o Make reasonable adjustments, when required, to meet your individual needs and to ensure we have suitable facilities to ensure your safety
o Invoice you for the care and support services in accordance with our terms and conditions
o Carry out quality assurance procedures, review our service and improve our customer experience (please note that feedback can also be provided anonymously)
o Send information about our services which we believe you may be interested in. You may unsubscribe from this at any time
o Notify you about changes to our services which are relevant to you
o Monitor how effective our services are and to make sure that the services we provide meet your needs
o Improve your experience of our website and to ensure that the content is presented in the most effective way.
· it is necessary to establish, make or defend legal claims (for example, claims against us for insurance);
· it is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response to a safeguarding concern, a member's complaint or a regulator (such as the Care Quality Commission or the General Medical Council) telling us about an issue);
· it is in the public interest, in line with any laws that apply;
· it is information that you have made public; or
· we have your permission. As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for, and ask you to confirm your choice to give us that permission. If we cannot provide a service without your permission (for example, we cannot manage and run our care business without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a service that relies on having your permission.
LEGITIMATE INTEREST
We process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, for marketing, to help us improve our services and products, and in order to exercise our rights or handle claims. More detailed information about our legitimate interests is set out below.
Legitimate interest is one of the legal reasons why we may process your personal information. Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:
· to manage our relationship with you, our business and third parties who provide services for us (for example, to check that you have received a service to validate invoices and so on);
· to investigate complaints (for example, we may ask third parties (such as GPs, OTs or DNs) for information to make sure we receive accurate information and to monitor the quality of your care);
· to keep our records up to date and to provide you with marketing as allowed by law;
· to develop and carry out marketing activities and to show you information that is of interest to you, based on our understanding of your preferences (we combine information you give us with information we receive about you from third parties to help us understand you better);
· for statistical research and analysis so that we can monitor and improve services, websites and apps, or develop new ones;
· to contact you about market research we are carrying out;
· to monitor how well we are meeting our service performance expectations;
· to enforce or apply our website terms of use, our policy terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety;
· to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with; and
· to take part in, or be the subject of, any sale, purchase, merger or takeover of all or part of the Sunnybrook Care business.
MARKETING AND PREFERENCES
We may use your personal information to send you marketing by post, by phone, through social media, by email and by text.
We can only use your personal information to send you marketing material if we have your permission or a legitimate interest as described above.
If you don’t want to receive emails from us, you can click on the ‘unsubscribe’ link that appears in all emails we send. If you don’t want to receive texts from us you can tell us by contacting us at any time.
SHARING YOUR INFORMATION
If we share your personal information, we will make sure appropriate protection is in place to protect your personal information in line with data-protection laws. Everyone working within our Organisation has a legal duty to keep information about you confidential. Similarly, anyone who receives information from us also has a legal duty to keep it confidential.
We share your information within the Sunnybrook Care Home company, with funders arranging services on your behalf, with people acting on your behalf (for example, brokers and other agents) and with others who help us provide services to you (for example, other health-care providers and medical-assistance providers) or who we need information from to allow us to handle or confirm entitlements (for example, finance team within social services or professional associations). We also share your information in line with the law. For more information about who we share your information with, please see below.
We sometimes need to share your information with other people or organisations for the purposes set out in this privacy notice.
For all our customers, we share your information with:
· other members of the Sunnybrook Care Home company;
· doctors, clinicians and other health-care professionals, hospitals, clinics and other health-care providers (including your GP and pharmacist) and any individuals you have nominated as your representative as and when required. This data sharing enables us to establish the type of care and support you need. It also allows us to design the right care package to suit your individual circumstances, including if (in future) you decide to receive care from an alternative provider.
· suppliers who help deliver products or services on our behalf. In order to deliver our service to you, we rely on third parties to provide specialist support to us. To provide this support they will have access to, or a duty of care over, your personal information. These providers are:
o IT and Telecoms Support companies – to ensure the safe, secure and resilient operation of our IT infrastructure including computers, servers, phones and mobile devices
o Software support companies – to provide specialist support and resolve issues with the software that we run, for example the systems we use to store and manage your customer records
o Marketing systems providers – to organise marketing communications and for the delivery and analysis of email communications
o Data archiving companies – responsible for the secure storage and destruction of records.
These providers are under a written contract to ensure the same level of privacy and security that we promise to you.
· people or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud-prevention or safeguarding purposes, including with the Care Quality Commission). This includes information required by public bodies to evidence our compliance with the applicable regulatory framework. We are also required to share personal information with external social or health care professionals, including public bodies and local safeguarding groups (in some circumstances) to ensure your safety.
· the police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order;
· if we (or any member of the Sunnybrook Care Home company) sell or buy any business or assets, the potential buyer or seller of that business or those assets; and
· a third party who takes over any or all of the Sunnybrook Care Home company’s assets (in which case personal information we hold about our customers or visitors to the website may be one of the assets the third party takes over).
When we provide residential care services, we share your information with:
· our partners, for example, brokers, insurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt-collection agencies, credit-reference agencies, fraud-detection agencies, regulators, data-protection supervisory authorities;
· those paying for the services we provide to you, including insurers, public-sector commissioners;
· those providing your care and other benefits; (we will share minimal and relevant information within Sunnybrook Care Home in order to provide safe and effective services to you.)
· government authorities and agencies, including the Health Protection Agency (for infectious diseases such as TB and meningitis).
We will not share, sell or trade your personal information with any other third party without your consent.
There may be other circumstances when we must share information with other agencies. In these rare circumstances we are not required to seek your consent.
Examples of this are:
· If there is a concern that you are putting yourself at risk of serious harm
· If there is a concern that you are putting another person at risk of serious harm
· If there is a concern that you are putting a child at risk of harm
· If we have been instructed to do so by a court
· If the information is essential for the investigation of a serious crime
· If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object
· If your information falls within a category that needs to be notified for public health or other legal reasons, e.g. certain infectious diseases
ANONYMISED AND COMBINED INFORMATION
We may use anonymised information (with all names and other identifying information removed) or information that is combined with other people’s information, or reveal it to others, for research or statistical purposes. You cannot be identified from this information and we will only share the information in line with legal agreements which set out an agreed, limited purpose and prevent the information being used for commercial gain.
TRANSFERRING INFORMATION OUTSIDE THE EEA
All your personal data is stored and processed on systems that are within the European Economic Area (EEA) and offer the same level of legal protection and rights over your data.
In certain situations, we transfer your personal information to the following countries which are located outside the European Economic Area (EEA).
This is done in order to provide our employee with your name, address, contact details and care needs information which they require to deliver a safe service. This information is only shared once you have accepted the employee as part of the service we provide.
This international transfer is under Article 49(1)(b) – the transfer is necessary for the performance of a contract between the data subject and the controller.
Such countries do not have the same data protection laws as the United Kingdom and EEA. Any transfer of your personal information will be subject to appropriate or suitable relevant safeguards that are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal information.
HOW LONG WE KEEP YOUR PERSONAL INFORMATION
We keep your personal information in line with set periods calculated using the following criteria.
· How long you have been a customer with us and when you will stop being our customer.
· How long it is reasonable to keep records to show we have met the obligations we have to you and by law.
· Any time limits for making a claim.
· Any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations.
· Any relevant proceedings that apply.
The lengths of these periods are set out below:
· We will hold the personal information kept within your electronic customer file for the length of your contract plus 3 years.
· We will hold the personal information kept within your hard copy customer files for 3 years from the date of the last entry.
· We will hold the personal information kept within our feedback procedure for 1 year so that we can identify trends and patterns in our service.
· We will hold financial records and transactions for 7 years in line with our legal requirements.
YOUR RIGHTS
You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided, to withdraw permission you have given us to use your information and to ask us not to use automated decision-making which will affect you. For more information, see below.
You have the following rights (certain exceptions apply).
· Right of access: the right to make a written request for details of your personal information and a copy of that personal information
· Right to rectification: the right to have inaccurate information about you corrected or removed
· Right to erasure ('right to be forgotten'): the right to have certain personal information about you erased. Please note that if you ask us to delete any of your personal information which we believe is necessary for us to comply with our contractual or legal obligations, we may no longer be able to provide care and support services to you
· Right to restriction of processing: the right to request that your personal information is only used for restricted purposes
· Right to object: the right to object to processing of your personal information in cases where our processing is based on the performance of a task carried out in the public interest or we have let you know the processing is necessary for our or a third party’s legitimate interests. You can object to our use of your information for profiling purposes where it is in relation to direct marketing.
You have the right to restrict how and with whom we share information in your records that identifies you. If you object to us sharing your information we will record this explicitly within your records so that all healthcare professionals and staff involved with your care are aware of your decision. If you choose not to allow us to share your information with other health or social care professionals involved with your care, it may make the provision of treatment or care more difficult or unavailable. Please discuss any concerns with the member of staff advising you so that you are aware of any potential impact. You can also change your mind at any time about a disclosure decision.
· Right to data portability: the right to ask for the personal information you have made available to us to be transferred to you or a third party in machine-readable formats
· Right to withdraw consent: the right to withdraw any consent you have previously given us to handle your personal information. If you withdraw your consent, this will not affect the lawfulness of Sunnybrook Care Home’s use of your personal information prior to the withdrawal of your consent and we will let you know if we will no longer be able to provide you your chosen service
· Right in relation to automated decisions: you have the right not to be subject to a decision based solely on automated processing which produces legal effects concerning you or similarly significantly affects you, unless it is necessary for entering into a contract with you, it is authorised by law or you have given your explicit consent. We will let you know when such decisions are made, the lawful grounds we rely on and the rights you have.
Please note: Other than your right to object to the use of your data for direct marketing (and profiling to the extent used for the purposes of direct marketing), your rights are not absolute: they do not always apply in all cases and we will let you know in our correspondence with you how we will be able to comply with your request.
If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. If we do not meet your request, we will explain why.
In order to exercise your rights please contact info@forgetmenotburnham.co.uk
REASONS WE CAN COLLECT AND USE YOUR PERSONAL INFORMATION
We rely on the following grounds within the GDPR:
Article 6(1)(a) – processing is conducted with your consent to process personal data for specified purposes
Article 6(1)(b) – processing is necessary for the performance of our contracts to provide individuals with care and support services
Article 6(1)(c) – processing is necessary for us to demonstrate compliance with our regulatory framework and the law
Article 6(1)(f) – to process your personal data in pursuit of legitimate interests, which include:
o Marketing purposes – the privacy impact on you is expected to be minimal. Marketing will be specific to services we believe are of interest to you, using information from enquiries we receive from you. You can unsubscribe at any time
o Corporate due diligence and financial modelling, service development and innovation – the privacy impact on you is expected to be minimal. We will process your data internally to ensure our business is stable, trusted and innovating to provide the best possible service to you
GDPR recognises that additional care is required when processing special category (sensitive) data such as your health. We process this under the following grounds within GDPR:
Article 9(2)(h) – processing is necessary for the provision of social care or the management of social care systems and services
KEEPING YOUR PERSONAL INFORMATION SECURE
The confidentiality and security of your information is of paramount importance to us. We have appropriate organisational and technical security measures in place to prevent personal information from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
 
DATA PROTECTION CONTACTS
If you have any questions, comments, complaints or suggestions in relation to this notice, or any other concerns about the way in which we process information about you, please contact our Data Protection Officer and Privacy Team at info@forgetmenotburnham.co.uk
If you would like to exercise any of those rights, please:
o Contact us using the details above – making clear that you wish to exercise one of your privacy rights
o Let us have enough information to identify you (e.g. your name and address)
o Let us have proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill), and
o Let us know the information to which your request relates, including any account or reference numbers, if you have them
o If you would like to unsubscribe from any marketing emails you can also click on the ‘unsubscribe’ button at the bottom of the marketing emails. It may take up to 14 days for this to take place
HOW TO COMPLAIN
We hope that we can resolve any query or concern you raise about our use of your information.
Data Protection Officer
 V. Elliott
 Sunnybrook Care Home, Leaholme Gardens, Slough, SL1 6LD 
 info@forgetmenotburnham.co.uk
You also have a right to make a complaint to your local privacy supervisory authority. Sunnybrook Care Home’s main establishment is in the UK, where the local supervisory authority is the Information Commissioner:
Information Commissioner's Office
 Wycliffe House 
 Water Lane 
 Wilmslow 
 Cheshire, United Kingdom 
 SK9 5AF 
 Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
You can also lodge a complaint with another supervisory authority which is based in the country or territory where: you are living, you work, or the alleged infringement took place.
Changes to this privacy promise
This privacy promise was first published on 22 Oct 2025, and last updated on 22 Oct 2025. We may change this privacy promise from time to time. When changes are significant, we will draw your attention to this via email and on our website.