The UK's General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) came into force on 25 May 2018 (together the Data Protection Legislation). Data Protection Legislation is designed to keep people’s personal information safe. Your privacy is of great importance to us.

The Care Professional Register of 20 London Road, Neath, SA11 1LA of the email enquiries@vcpr.uk and the registered domain www.vcpr.co.uk will process personal data and special category data which will be held electronically. This includes data that is displayed online in the publicly accessible register about Care Professionals. We do recognise the need to treat all data in an appropriate, responsible, and lawful manner, and by Data Protection Legislation.

The Voluntary Care Professional Register is the controller of the personal information you provide to it. This means the Care Professional Register determines how and why personal information relating to care professionals is collected and used.

This privacy notice sets out, amongst other things:

• What information we collect;
• Why we collect it;
• Who we share it with;
• How long we keep it for;
• What your rights are;
• Who to contact if you need more information or have concerns.

Changes to this Privacy Notice

We reserve the right to amend this Privacy Notice at any time. Any new versions of this Privacy Notice will be published on our website, and we advise that you check the front page of the notice as it will show an updated version number and review date on the published Privacy Notice. 

What data do we collect? 

The categories of personal information that the Care Professional Register collects, holds and shares, but is not limited to, the following:

• Personal information provided by and about care professionals who have voluntarily registered with us, including their names, region, registration status, DBS status, registration PIN and current job title on a publicly accessible online register.
• Personal information provided by and about care professionals who have voluntarily registered with us and chosen to share additional data about themselves on a profile page by our guidelines and subject to our monitoring to ensure that no third-party personal data is published.
• We may from time to time also hold securely, data about Care Professionals that we have received from other organisations and individuals. This will be about care professionals who are voluntarily registered with us in connection with their registration.
• This will include ongoing registration and deregistration investigations, hearings, decisions, and appeals. Any Care Professionals concerned will be informed of and have a copy of this data separately.
• Recruitment data, personnel records, and employment data for the staff team.

Whilst the majority of the personal data provided to us is mandatory as part of the register purpose, and the safeguarding of others. Some are also provided voluntarily. When we are collecting personal data, you will be informed if you are required to provide this data as part of your registration and your informed consent is needed for us to activate, continue and publish your registration and as part of this store your data. 

Where informed consent is required, we will provide you with specific and explicit information with regards to the reasons why the data is being collected, why we need to collect this, for what processing reason how the data will be used and how long it would be stored. We will also seek registrants’ consent to share information with relevant authorities where it is deemed necessary for safeguarding others from harm. 

We will tell you how consent may be withdrawn where consent has been required. 

Special Category Personal Data 

We may also collect, store, and use information about you that is classed as Special Category personal data. This includes information about a person's: 

• Racial or ethnic origin;
• Political opinions;
• Religious or philosophical beliefs;
• Biometric data;
• Data concerning an individual's health (including physical and mental health, medical conditions and sickness absence);
• Sex life or sexual orientation.

Criminal data and DBS data will be handled, processed, and stored using the same safeguards we operate with respect of special category data. We will only process special category personal data where a relevant processing condition is met. Usually, this will mean that an individual has given explicit informed consent, or it is necessary to safeguard others. We will tell you when we need consent and why. If you give us consent, you can withdraw it at any time by getting in touch with us however this may affect your registration in the case of DBS viewing and verifying as it is essential for registration. 

Ensuring your data is accurate 

We will keep the personal data we store about you accurate and up to date. We will take every reasonable step to erase or rectify inaccurate data without delay. Please tell us if your data changes to enable us to store the most accurate data about you. If you do become aware of any inaccuracies in the personal data, we hold about you inform us without delay. Failure to report changes promptly may result in us having out-of-date data stored. We will contact you periodically to check your details are still up to date. 

Why do we collect data? 

The Care Professional Register collects and uses only essential personal data relating to members of the staff team and those professionals who have voluntarily signed up to the Care Professional Register which is published online. 

We may also receive information regarding your registration from external agencies and this data is securely stored too. We must tell you if this additional data has been collected, received, and stored securely and responsibly too. 

The reasons we do this are: 

• To safeguard children and adults from harm;
• To support the administration processes and policies of being on the publicly held register.
• Mainly to ensure that a registered person is fit to remain registered and can satisfy the essential requirements of being registered.
• To comply with the law regarding the collection and sharing of data.

Whilst the majority of information we collect about you is mandatory, there is some information that can be provided voluntarily. Whenever we seek to collect information from you, we make it clear whether providing it is mandatory or voluntary. 

Our lawful basis for processing your personal data. 

We collect and use personal data only when the law allows us to. We process it where: 

• We need it to perform an official task in the public interest by maintaining a publicly viewable and searchable register of registered care professionals. All of whom have verified their credentials, have undertaken a commitment towards working to our practice statement, and have demonstrated an active DBS, a work and training record. This data has been collected and given by a data subject ‘you’ when applying to be a part of the register in meeting our terms and conditions of registration. 

• We rely upon consent to use some of your personal information where we have asked for your informed consent. There are instances where we do not rely upon consent to receive your data from others, store this and use this as part of registration and deregistration investigations and hearings. This is where data subjects have voluntarily updated their public profiles with additional information of their own volition according to our site usage terms and conditions. We treat all data about all data subjects equally and with the necessary safeguards to maintain your data privacy.

Where you are asked to give informed consent, you can withdraw this and be deregistered or have your registration reviewed. You can, as a data subject adjust your consent by contacting us at the telephone, email or address provided in this policy. To protect you and your data and who accesses it we will require you to prove who you are and provide verifiable Identification as part of our procedures. This also falls under Safeguarding. 

• There are instances where we do not rely upon consent to share your data with authorities (Local Authority Safeguarding teams and the police). This processing is where we have a legitimate interest to do so and are performing an official task in the public interest. This means that we run a register and must act to safeguard others from the likelihood of harm if the data we hold, you supply, or another genuinely supplies about you reveals the potential for harm or harm has happened to another person. This is known as safeguarding. We also rely upon a legitimate interest during the time of your registration, processing your data which includes storing, collecting, publishing and maintaining a registration record. We do this to perform an official task in the public interest.

How do we store your data? 

We will ensure that appropriate measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to you by processing your personal data. We have in place procedures and data security to maintain the security of all personal data. This is active from the point of us collecting it right through to its use or deletion. 

Maintaining data security means us being clear on how your data is used and why. We through this data privacy policy are setting out how we intend to maintain the confidentiality, integrity, and availability (for running a publicly searchable register) of your personal data. 

Who do we share data with? 

We will only share information about where we have your consent to do as part of the purpose of running a publicly searchable register. Unless it is specifically a scenario of safeguarding others from harm as described above and this would only be with either the Police or a Local Authority Safeguarding Team and yourself. 

How long will we keep information for? 

We keep information electronically and in paper format. We will not keep your personal data for longer than is necessary for the purpose(s) for which we process it. This means that data will be destroyed or erased from our systems when it is no longer required. We will not transfer personal data outside the UK unless such transfer is compliant with Data Protection Legislation. This means that we cannot transfer any personal data outside the UK unless: 

• The UK has decided that another country or international organisation ensures an adequate level of protection for personal data; or • The transfer of personal data is subject to appropriate safeguards, which may include:
• Binding corporate rules; or
• Standard data protection clauses adopted by the UK.
• One of the derogations in the UK GDPR applies (including if an individual explicitly • consent to the transfer).
• We do currently transfer personal data outside the UK as:
• We store personal data on cloud systems based in the UK that have backup systems that may sometimes be located outside the UK; • Some software providers (processors) use cloud storage located outside the UK.

Your rights

 Data Protection Legislation provides the following rights for individuals: 

• The right to be informed about how and why we use personal data;
• The right of access to data we hold;
• The right to have your data amended or corrected if it is inaccurate or incomplete;
• The right to have data erased in certain circumstances;
• The right to restrict processing in certain circumstances;
• The right to data portability in certain circumstances;
• The right to object to us processing data in certain circumstances;
• Rights in relation to automated decision making and profiling;
• The right to withdraw consent when we have sought consent to use data;
• The right to lodge a complaint with the Information Commissioner’s Office.
• Where the processing of your data is based on your consent, you have the right to withdraw this consent at any time. If you have queries about it, contact us to discuss this or write to us with your request.

An easy-to-follow process is set out in our GDPR policy. 

Subject Access Requests Individuals

(You) have a right to make a ‘subject access request’ to gain access to the personal information that the register holds about you. Individuals cannot make a Subject Access Request for any other individuals’ data, only their own. If you make a subject access request, and if we do hold information about you, we will: 

• Give you a copy of the information in a paper format or an electronic one this is your choice;
• Give you a description of it;
• Tell you why we are holding and processing it, and how long we will keep it for;
• Explain where we got it from;
• Tell you who it has been, or will be, shared with;

Please see the GDPR policy for how to do a Subject Access Request. We must respond to a request within a calendar month. We will do so in writing or email by day 3 after receiving the request to acknowledge your request and provide a date within the same calendar month that we will respond by. If you have queries about it, contact us to discuss this or write to us with your request. An easy-to-follow process is set out in our GDPR policy. 

Your right to object 

You have the right to object, at any time to the processing of your personal data which is necessary for the: 

• Performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or any other processing reason explained in this Privacy Notice.

If you object to the processing set out above, we must no longer process that personal data. Unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms. We may not include you on the register if you no longer wish us to process the data we need to include you upon it as we have a duty to safeguard the public from harm or risk. This does not affect your ability to ask us to remove all of your data too. If you have queries about it, contact us to discuss this or write to us with your request. An easy-to-follow process is set out in our GDPR policy. You can ask us to restrict processing also. 

Your right to Data Erasure 

You have the right to ask us to erase data, which is incorrect, out of date and needs to be updated. You have the right to ask us to also erase any data we hold about you. If you have queries about it, contact us to discuss this or write to us with your request. An easy-to-follow process is set out in our GDPR policy. 

Concerns 

If you do have any concerns about how we use your data, or how we have dealt with your data you can complain to us or raise a concern and we will swiftly investigate this for you. There are many reasons why you may want us to investigate your concerns including but not limited to; 

• We have not properly responded to your request for your personal information;
• We are not keeping your data/ information secure;
• We hold inaccurate information about you, and you have raised this with us previously.
• We have disclosed information about you, and you have raised this with us previously.
• We are keeping information about you for longer than is necessary; • We have collected information for one reason and is using it for something else; or
• We have not upheld any of your data protection rights.

First step would be to write to us or email, or phone us and give us an opportunity to investigate it for you. We aim to have investigated within a month however for more lengthy investigation that are more complex we may need to extend the timeframe, but we will keep you fully up to date throughout. We will retain a copy of your complaint and a copy of our investigation findings and store this securely for the time you remain on the register. An easy-to-follow process is set out in our GDPR policy. 

We are also here to help if you have not got a concern and would just like to find out more about data. 

Raising a concern or making a complaint does not affect your placement on the register. 

What do I do if I have a complaint and it has not been rectified or resolved by the register and the Data Protection Officer? Firstly, it is good to contact us to make us aware and we can investigate it thoroughly. We have three stages to our complaints policy. 

An easy-to-follow process is set out in our Complaints policy. 

The ICO 

You have the right to right to lodge a complaint with the Information Commissioner's Office (The ICO) 

There contact details are; 

Information Commissioner's Office 

Wycliffe House 

Water Lane Wilmslow 

Cheshire SK9 5AF 

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. 

Website: https://ico.org.uk/concer HYPERLINK "https://ico.org.uk/concerns"n HYPERLINK "https://ico.org.uk/concerns"s 

Date of Privacy Notice 1st August 2023 Next Planned Review August 2024, unless updates or amendments to this Privacy Notice are required before that date. 

All changes and updates to the Privacy Notice will be included on our website.