ONCARE PRIVACY POLICY

Last updated – 6th January 2020

This privacy policy (the “Policy”) is designed to give you information about how your personal data is collected and use in connection with your use of our services.

It tells you about how your personal data is protected and about your privacy rights. Section A contains information relating to all our data processing practices. Section B explains our handling of business contact personal data as a data controller. Section C explains our handling of personal data relating to agency personnel, care workers, care recipients and friends and family members (together “Service Users”) as a data processor.

This Policy covers the following areas:

Section A

  1. Who we are, and our relationship with care agencies 
  2. Who is responsible for the handling of your personal data?
  3. Additional information applicable to you 
  4. Sharing your personal data
  5. Sending your personal data outside the UK and EEA
  6. Data security
  7. Our contact details
  8. Changes to this Policy

Section B: Our processing of Business Contact information as a data controller

  1. The personal data we collect
  2. How we collect personal data
  3. Cookies
  4. For what purposes and on which legal bases do we process your personal data?
  5. How long do we keep your personal data?
  6. Your rights

Section C: Our processing of information relating to Service Users as a data processor

  1. The personal data collected on behalf of the Care Agencies
  2. How your data is collected
  3. Cookies
  4. The purposes and lawful basis on which we are instructed to process your personal data?
  5. How long do we keep your personal data?
  6. Your rights

This Policy should be read in conjunction with our Terms and Conditions (and any other documents referred to the terms).

Please read these documents carefully and contact us if you have any questions.

Section A

1. Who we are, and our relationship with care agencies 

We are a provider of a care management software solution which has been developed to facilitate the delivery and coordination of care visits and/or social care services on behalf of care agencies who purchase our product (“Care Agencies”). We own, operate and manage the domain weareoncare.com, the OnCare web application and the OnCare smartphone app which collectively make up the “OnCare platform”.

If you are a representative of an existing or prospective customer (a “business contact”), or a user our services (a “service user”) your information will be processed by OnCare Technologies Limited (“OnCare”, “we” or “us”). 

2. Who is responsible for the handling of your personal data?

Business Contacts

If you are a business contact, we may use your personal data in connection with your request for, use of, or interest in our services (as more particularly described in section B). 

Where this is the case, we will be the data controller of personal data you provide. This means we will be responsible for the safeguarding of your personal data which will be processed in accordance with sections A and B of this policy.

Service Users

If you are a service user (“agency personnel”, “a care worker”, “a client” (care recipient), or “a family member or friend” of a client) you may have received an invite to use the OnCare Platform by your Care Agency. 

Where we process personal data resulting from your use of the OnCare Platform, (or use of the Platform by your Care Agency) our role will be limited to that of a data processor. This means our role is limited to providing the platform on behalf of your Care Agency – who will be the data controller. 

The Care Agency will be the party responsible for the processing of your personal data which will be processed in accordance with their privacy policy. Further information about our data processing activities as a data processor are available in sections A and C of this Policy.

3. Additional information applicable to you 

Further information relating to the information we collect, our data collection activities, our use and entitlement to process your personal data, and our security and retention practices are available in:

  • Section B of this Policy for Business Contacts; and 
  • Section C of this Policy for Service Users.

4. Sharing your personal data

In order to assist the Care Agencies in the delivery of Care

Where we process your personal data on behalf of your Care Agency (as a data processor), we may share your personal data with your Care Agency, their personnel and their care workers to facilitate their delivery of client care. In doing so, personal data relating to Agency personnel, care workers and other persons responsible in the delivery of care may also be shared, with other care workers and as necessary with the clients (and their family members or friends who have been granted access to those accounts).

Third parties:

In the delivery of our services, or in accordance with our business relationship we will share your personal data with the following third parties as necessary:

  • Our service providers (acting as processors or sub processors) who provide IT and system administration services; 
  • Our professional advisers, including lawyers, accountants, auditors, bankers, insurers, who provide legal, accountancy, audit, banking, insurance or consultancy, or other services to us; 
  • HM Revenue & Customs, regulators and other authorities who require us to report on processing activities in certain circumstances;
  • Such other third parties involved in a change to our business, if we transfer any part of our business or assets to them or acquire any part of their business or assets, or otherwise merge any part of our and their businesses; in any of these cases, the new owners of our business may use your personal data in the same ways and for the same purposes as set out in this Policy.

Where we are able to do so, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. We only disclose the personal data each third party needs in order to provide the specified purposes, and we do not allow any of our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

5. Sending your personal data outside the UK and EEA

In connection with your use of our services and/or the provision of OnCare Platform, we or our service providers may transfer personal data out of the European Economic Area (EEA). 

We will only transfer your personal data outside the EEA, where we are satisfied that adequate levels of protection are in place to protect the integrity and security of any information being processed and compliance with applicable privacy and data protection laws. 

These measures may include the use of standard contractual/data protection clauses adopted by the European Commission and where transfers are to the United States of America, the EU-US Privacy Shield, or your consent.

Please get in touch with us if you would like more information about these safeguards.

6. Data security

To prevent unauthorised access, maintain data accuracy and ensure the correct use of information, we have put in place appropriate physical, electronic and managerial procedures designed to safeguard and secure the information we collect.

We limit access to your personal data to those of our employees, agents, contractors and other third parties who have a business need to know this data. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality. 

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any relevant regulator of a breach if we are legally required to do so.

7. Our contact details

If you have any questions about this Policy or would like to exercise any of the rights mentioned in sections 14 and 20 (Your rights) of this Policy, you can contact us in any of the following ways:

  • The Data Protection Officer, The Space Liverpool Street, 14 New Street, London, United Kingdom, EC2M 4HE
  • support@weareoncare.com

8. Changes to this Policy

The Policy may be amended from time-to-time if we make any important changes in the way that we collect, store and use personal data. We may notify you by sending an email to your last known email address or writing to your last known postal address to direct you to the Policy if the changes are material. Any changes will be effective immediately.

Section B: Our processing of Business Contact information as a data controller

9. The personal data we collect

When you interact with us, we may collect use, store and transfer different kinds of personal data about you. Personal data means any information about a living individual from which that person can be identified

Generally speaking, we will collect the following categories of information relating to you and/or your use of our services:

A) Identity and professional contact data such as your first and last name, your job title, professional telephone number and email address, work address and records of correspondence we have with you;

B) Information relating to our business relationship such as business bank details, signatures for payment terms, and payments made by you on behalf of your employer, and services they have bought from us;

C) Technical data including your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other details about the devices you use to access our website;

D) Usage data including information about how you use our website, products and services; and

E) Marketing and communications data including your preferences in receiving marketing material from us and our third parties and your communication preferences.

10. How we collect personal data

We may collect the personal data described above in a number of ways:

F) when you communicate with us so that we can make you a proposal or enter into a contract for our products/services either with us or one of our partners;

G) when we receive business cards, emails and other documents from individuals containing such data;

H) when you respond to marketing campaigns; 

I) when you visit our websites (and their subdomains)  at https://www.weareoncare.com/, and the landing pages of marketing campaigns that we may create and run from time to time; 

J) from trusted third-party analytics providers who provide us with information relating to our website traffic and how users interact with our website. 

K) sometimes we purchase it from third parties; such personal data falls into the same categories as those set out above in the section “The personal data we collect”.

The ways we collect personal data may change from time to time as notified by updates to this Policy. 

11. Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.

12. For what purposes and on which legal bases do we process your personal data?

We set out below the purposes for which we use the personal data that we collect about you, with the legal basis that we rely upon for its use. 

The “legal bases” are set out in data protection laws: they allow companies to process personal data only when the processing is permitted by the specific “legal basis” set out in law. These grounds include: 

  • Consent: where you have consented to our use of your information.
  • Contract performance: where your information is necessary to enter into or perform our contract with you.
  • Legal obligation: where we need to use your information to comply with our legal obligations.
  • Legitimate interests: where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights.
  • Legal claims: where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.

In summary, we generally rely on our legitimate interests as a service provider to process your personal data as necessary to provide your business with the OnCare platform. To the extent that we rely upon your consent (for example where required for marketing or cookie placement purposes) as the legal basis under which we process your personal data, you are entitled to withdraw your consent at any time. Please contact us if you want to do so.

We will process your personal data only for purposes compatible with those set out in this section. If we are required to process your personal data for any purpose (which is incompatible with those listed here), we will notify you of this before doing so.

In more detail, we use your personal data for the following purposes on the following legal bases:

A) To setup and manage your account with us

Use justification: legitimate interests (to enable us to perform our obligations and provide our services to our clients).

B) To send you offers, promotions or other marketing to provide existing or prospective clients with updates and offers, where they have chosen to receive these communications. Where required by law, we will ask for consent at the time we collect the data to conduct any of these types of marketing. You will always have the option to unsubscribe or opt-out of further communication in any electronic marketing communication sent to recipients.

Use justification: legitimate interests (to keep existing and prospective corporate subscribers updated with news in relation to our products and services).

C) To develop and improve our business through the use of data analytics.

Use justification: consent on the basis of their prior opt in consent on the website.

D) To inform clients of changes about our services.

Use justification: legitimate interests (to notify clients about changes to our services).

E) For internal management, administrative and organisational reasons in the event that we: (i) are subject to negotiations for the sale of our business; (ii) are sold to a third party; or (iii) undergo a re-organisation, we may need to transfer some or all of your personal data to the relevant third party (or its advisors) as part of any due diligence process for the purpose of analysing any proposed sale or re-organisation. We may also need to transfer your personal data to that re-organised entity or third party after the sale or reorganisation for them to use for the same purposes as set out in this Policy.

Use justification: legitimate interests (in order to allow us to change our business)

F) In connection with legal or regulatory obligations we may process your personal data to comply with our regulatory requirements or communications with regulators which may include disclosing your personal data to third parties, the court service and/or regulators or law enforcement agencies in connection with enquiries, proceedings or investigations by such parties anywhere in the world or where compelled to do so. 

Use justifications: legal obligations, legal claims, legitimate interests (to cooperate with law enforcement and regulatory authorities).

Change of purpose:

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason which is compatible with the purpose for which we originally collected it. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

13. How long do we keep your personal data?

We generally only keep personal data for as long as is reasonably required for the reasons explained in this Policy. We do keep certain transactional records for more extended periods if we need to do this to meet legal, regulatory, tax or accounting needs. For instance, we are required to retain an accurate record of our dealings with our clients, this allows us to respond to any complaints or challenges you or others might raise later. We will also retain files if we reasonably believe there is a prospect of litigation.

14. Your rights

You may have some or all of the following rights to: 

  • object to the processing of your personal data, including profiling. You can object, on grounds relating to your particular situation, at any time. In which case, the data controller must stop processing the data that your objection relates to, unless it can show compelling legitimate grounds to continue that processing;
  • access your personal data. If you make this kind of request and the data controller holds personal data about you, they are required to provide you with information on it, including a description and copy of the personal data and why they are processing it;
  • request that the data controller provides you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format;
  • request erasure of your personal data in certain circumstances; 
  • request correction or updating of the personal data that the data controller holds about you and that is inaccurate; 
  • request the restriction of our processing of your personal data in some situations. If you request this, the data controller can continue to store your personal data but is restricted from processing it while the restriction is in place; 
  • complain to your local data protection authority about the collection or use of your personal data. For example, in the UK, the local data protection authority is the Information Commissioner’s Office. 

If you would like to exercise any of these rights in relation to the information we hold about you, please contact us. Our contact details can be found in section 7 (Our contact details) of this Policy. We will consider and respond to your request in accordance with the relevant law.

Section C: Our processing of information relating to Service Users as a data processor

As explained in section 2 (Who is responsible for the handling of your personal data?), we provide the OnCare Platform on behalf of, and in accordance with instructions from our Care Agency clients. The Care Agencies are responsible for the coordination and delivery of care, and as the data controller the safeguarding of your personal data. Our role is limited to that of a data processor.

What this means is that if you are a care worker, an individual receiving care, a friend or family member of a care recipient, or a member of staff within a Care Agency your personal data may be processed by us on instruction from a Care Agency. This means your personal data will be collected and processed in accordance with the Care Agency’s privacy policy. This Section C is not designed to replace that policy, but to give you additional information relating to our activities as a data processor.

15. The personal data collected on behalf of the Care Agencies

Personal data means any information about a living individual from which that person can be identified

If you have an OnCare account, or receive care from an Agency using our Platform we may collect, use, store and transfer your personal data through those interactions on behalf of the Care Agencies. Generally speaking, we will collect the following categories of information relating to you:

A) Identity and contact details (relating to care workers, agency office staff, clients (care recipients), friends/family members) such as: title, first name, last name, email address, telephone number.

B) Client background information (relating to clients (care recipients)) such as: date of birth, key contacts, likes/dislikes/hobbies, languages spoken, history and background.

C) Information relating to client care (relating to care workers and clients (care recipients)) such as: property access details, care outcomes, care plan/care needs, risk assessment, mobility information, perceived emotional state, scheduled care/previous care visits, notes and alerts from visits, notes relating to upcoming GP appointments, friends/family access associated to the OnCare account, communications logged against the client (GP calls, family requests).

D) Care delivery schedule/records (relating to care workers and clients (care recipients)) scheduled/previous visits, other care staff present at visits, activities carried out during visits, notes taken during visit, average ratings received from clients, GPS locations of each check in and check out.

E) Vocational data (relating to care workers) such as: qualifications, work history, photograph, which agencies care workers represent.

F) Records of correspondence you have with us, if you contact us, we will typically keep a record of that correspondence.

G) Technical data (all service users) such as: device, browser, your internet protocol (IP) address, operating system and platform used, password and login data, user ID numbers, location. 

H) Usage Data (all service users) including information about how you use our website, platform and services. 

16. How your data is collected

The use of the OnCare platform involves the collection of your personal data on instruction from the Care Agency to facilitate your use of the platform. The ways we collect personal data may change from time to time as notified by updates to this or the Care Agencies policies. Generally, we collect personal data in a number of ways:

  • when you communicate with us;
  • when personal data is added by other users of the Platform – for example information may be uploaded by Agency personnel, and care workers will include records of Care visits.
  • from trusted third-party analytics providers who provide us with information relating to our website traffic and how users interact with our website. 

17. Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.

18. The purposes and lawful basis on which we are instructed to process your personal data?

Where we act as a data processor of personal data on behalf of our client Care Agencies, we will process personal data in accordance with our client’s instructions and our client’s lawful basis, or as necessary in order to comply with a legal or regulatory obligation to which we are subject. For more information on these purposes and lawful basis please see your Care Agency’s privacy policy.

Generally, we only process personal data in connection with the provision of the OnCare Platform on behalf of our Care Agencies customers. The OnCare Platform is designed to: 

A) enable Agencies to administer, manage and monitor the care visits and/or social care services carried out by their respective care workers;

B) enable care workers to create care visit reports, which contain details of that care worker’s care visit to a client; and

C) enabling Agencies and family members to view care visit reports relating to specific clients.

19. How long do we keep your personal data?

Where we act as a data processor on behalf of our Care Agency customers, we will only keep your personal data for the period notified to us by the Care Agency, or at the end of the provision of our services to the Care Agency – at which time we delete or return your personal data to them. Your data may continue to be processed by the Care Agency in accordance with their data retention and privacy policies. We may also keep certain records for more extended periods if we need to do this to meet legal, regulatory, or tax needs. 

20. Your rights

Please note:

  • if you are a Service User, our obligation is to assist the Care Agency with handling your subject rights requests; 
  • if you send us a subject request regarding any data we process as a processor, we will forward the request to the controller. We will not take any further actions unless explicitly requested to do so by the controller. We therefore recommend you contact the Care Agency directly;
  • If we are instructed to do so by the controller, we may ask you to provide additional information so that we, or our clients can satisfy ourselves as to your identity before we take further action.