Adult Social Care: Privacy Notice

Reading Borough Council (RBC), Adult Social Care, Civic Offices, Bridge Street, Reading, RG1 2LU. 

Reading Borough Council is registered as a controller with the Information Commissioner’s Office (ICO)

You can find us on the ICO website – our registration number is Z5495098

Email:  Information Governance IGTeam@reading.gov.uk 

RBC is committed to protecting and respecting your privacy in compliance with UK General Data Protection Regulation, Data Protection Act 2018 and other Local Authority legislation.

This Privacy Notice sets out important details about information that RBC and staff responsible for the services we provide, may collect and hold about you, how that information may be used and your legal rights.

We will review this Privacy Policy on a regular basis, and we advise you to check back on our website for the latest version.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes.

The type of personal data we collect

Personal data only includes information relating to natural persons.

Pseudonymised data can help reduce privacy risks by making it more difficult to identify individuals, but it is still personal data.

We currently collect and process the following information:

  • name
  • age and date of birth
  • address
  • contact information (telephone number, email address and so on)
  • gender
  • nationality
  • children’s personal details and contact information
  • next of kin personal details and contact information
  • financial information (such as bank details, income, benefits)
  • visual images

Special Category (sensitive data) could include:

  • racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where used for identification purposes)
  • health
  • sex life
  • sexual orientation

Medical Information including:

  • NHS number
  • GP surgery
  • admissions to medical facilities
  • alerting information (relating to the person’s medical information)
  • allergies
  • details of medical appointments and assessments
  • care plan (including interventions and problems)
  • deprivation of liberty safeguards (DoLS) and other safeguarding information
  • early interventions
  • health promotion information
  • information relating to medications
  • preventative medical procedures
  • details and results of medical procedures and events (including discharge and diagnoses)
  • risk management plans
  • risks and warnings relating to medical issues

Criminal offence data will be processed under the 28 conditions of Schedule 1 of the Data Protection Act 2018 which are available for the processing of criminal offence data. These are set out in paragraphs 1 to 37. You will be told where this is used.

How we get the personal information and why we have it

We use the information you have given us, or that has been supplied by others involved, to carry out specific functions and statutory duties where required by law, or with consent from the individual, for purposes such as:

  • delivering services and support to you
  • managing the services we provide to you
  • checking the quality of services we provide to you
  • providing a safe service
  • where it is necessary to safeguard and promote your well-being
  • where it is necessary to investigate and protect you against the risk of abuse or neglect
  • where it is necessary to determine your capacity and best interests
  • referral to other partner organisations, i.e., health services, advocacy etc.
  • to help investigate any worries or complaints you have about our services
  • where it is necessary for carrying out obligations under social protection law, public health law or in the substantial public interest
  • where it is necessary in order to determine the costs of services and in planning your budget

This is likely to include your personal data (see the definition of Personal Data in the section “The Type of Personal Information we collect”).

We may also hold more sensitive information about you (see the definition of Sensitive Data in the section “The Type of Personal Information we collect”).

We may collect information from you:

  • If you contact us via telephone calls, which may be recorded and retained for a limited period for training and monitoring purposes and to help improve our services.
  • If you communicate with us via email or social media.
  • If you visit RBC for an appointment.

Sometimes we receive information or seek information about you from third parties in various formats, for example by letter, email, telephone, in face-to-face meetings or online forms.  Examples of third parties are:

  • Other Local Authorities
  • Commissioned service providers such as home care agencies, care homes, supported accommodation, day care, personal assistants, or partner agencies 
  • Public Health
  • RBC Housing
  • West of Berkshire Safeguarding Adults Board
  • GPs
  • Clinicians
  • Government agencies such as: Police, Department of Work and Pensions, HMRC, Courts, Home Office, Department of Education, Department for Health and Social Care, Youth Justice Service
  • Emergency Duty Service (out of hours)
  • Private and voluntary organisations such as advocacy services, IMCAs
  • RBC – Brighter Futures for Children
  • Integrated care systems
  • Hospices
  • Family members and non-family members
  • Any other person or organisation exercising statutory functions or engaged in activities or support in relation to adults in the authority’s area.

How will RBC use the information it holds about me?

We use information about you in connection with

  • The service we provide,
  • assessments, and
  • providing advice and signposting to other support networks or agencies

We may use your phone number (or email address where you have provided it to us) to contact you in advance of an appointment for reasons connected with your service/support.  Where you have provided us with your mobile number or email address, we may send you confirmations/reminders of your appointments via text message or email and we may respond to your email enquiries via email.

We may also use information about you for

  • quality assurance,
  • maintaining our business records,
  • developing and improving our products and services, and
  • monitoring outcomes where we believe there is a business need to do so and our use of information about you does not cause harm to you.

This may include our staff planning and workload management systems to help support our staff to develop and plan the most appropriate levels of care to our service users and to ensure we have got the right levels of productivity and efficiency and good outcomes for service users.

We may also use information about you where there is a legal or regulatory obligation on us to do so (such as the prevention of fraud or safeguarding) or in connection with legal proceedings.

We may also use information about you where you have provided your consent to us doing so.

We do not carry out automated decision making or profiling.

Staff access to your personal and sensitive data

We carefully control who has access to your information.  Staff only have access where they are required to do so to provide support (i.e., Social Worker and Business Support).  Where possible we limit the access that staff have on our IT systems.  We also carry out spot checks and audits to see if there has been any inappropriate access. Where that occurs, disciplinary action may be taken against the staff, and in serious cases court action. If the data breach includes access to your information, we will contact you.  If it is a serious data breach, we also have an obligation to inform the Information Commissioner’s Office.

In order to reduce risk of a data breach RBC have in place robust policies and procedures and we carry out training for all staff on an annual basis.

All staff providing services who are registered with the appropriate professional and regulatory bodies, i.e., Social Care England, have a responsibility to uphold the highest standards when handling service user/client information.

How we keep your information safe and secure

  • RBC is required to complete the NHS Digital Data Security & Protection Toolkit. This is a tool that provides assurance that we are meeting standards on handling patient/client information.
  • We have Data Protection Policies in place to ensure staff understand the ‘must’ or ‘must not do’ with service user/client data.
  • Staff are required to complete induction training in Information Governance and to complete annual update training.
  • Spot checks are carried out across all RBC departments.
  • Our IT is managed by our ICT Team, who ensure that all safeguards are in place so that data held on IT systems is protected and secure from unauthorised access, loss or damage.
  • Passwords are changed on a regular basis.
  • Where incidents do happen, our investigations will include actions we take, and lessons learnt.

Will RBC share information about me with others?

Yes. We set out the reasons below and assure you that in each case, we share only such information as is appropriate, necessary and proportionate.

Sharing information with those involved in your health assessment, care or treatment.

  1. We will share your information with those involved in delivering a service to you for the purposes of assessing your care and support needs.
  2. We will also share information about you with other members of staff involved in the delivery of services for administration purposes (such as Public Health, RBC Housing, care providers, Primary Healthcare). This will be limited to what is required for them to fulfil their role.
  3. Other authority’s services to provide you with support services (such as housing, education, benefits) and we may share information about you with other support services that are external to RBC where required in connection with your support and care.
  4. We may share information about you with anyone you have asked us to communicate with or whose details you have provided as an emergency contact (such as your next of kin).

Sharing information with third parties who are not involved in your RBC direct support

We may share information about you with external organisations such as:

  • our lawyers,
  • auditors,
  • Insurance companies
  • NHS organisations, and
  • regulatory bodies such as the Local Government Ombudsman, the Information Commissioner’s Office (ICO), Care Quality Commission (CQC) or Disclosure and Barring Service

We will only do this where we have a legal basis to do so or with your consent.

We may also share information about you with third party suppliers, which provide us with

  • electronic systems
  • reporting systems

We may also share information about you with those providing us with information technology systems. This includes:

  • an incident management and recording system, and
  • a system for electronic prescribing as well as
  • other software applications (and related services)

In each case, we would share only such information as was relevant, necessary and proportionate.

Sharing with regulators or because of a legal obligation

We may share information about you with our regulators, including the

  • Health & Safety Executive
  • Public Health England
  • Care Quality Commission

Sometimes, we are required to disclose information about you because we are legally required to do so. This may be because of a:

  • court order
  • safeguarding
  • regulatory body has statutory powers to access records as part of their duties to investigate complaints, accidents, legal matters, health or social worker professionals’ fitness to practise.

Before any disclosure is made, we will satisfy ourselves that any disclosure sought is required by law or can be justified in the public interest.

Information about you may also be shared with the police and other third parties where reasonably necessary for the prevention or detection of crime.  On occasion, this may include the Home Office and HMRC.

Audits, surveys and initiatives

In common with all Public Bodies, we also look at the quality of the service we provide:

  • Service user assessment and participate in national audits and initiatives,
  • to ensure that service users are getting the best possible outcomes from the service, and
  • to help service users make informed choices about the service they receive.

We can assure you that your personal information always remains under our control. Any information we provide for national audits and initiatives outside of RBC will not contain any information in which any service user can be identified unless it is required by law.  Any publishing of this data will be in anonymised statistical form. RBC may partake in local audits where there has been a Serious Incident in order to identify any potential risks to yourself or other service users.

What lawful basis does RBC have for using information about me?

Data protection law requires that we set out the legal basis for holding and using information about you.  We have set out the various reasons we use information about you and alongside each, the legal basis for doing so.  Given that some information we hold about you is particularly sensitive (as described above), we need an additional legal basis.

Processing shall be lawful only if and to the extent that at least one of the following applies:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • processing is necessary for compliance with a legal obligation to which the controller is subject.
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For the purpose of delivering services within Adult Social Care and sharing your information we use Article 6(e) above.

Where we have to share your information because we are required to do so under law, we use Article 6(c) above.

Special category data:  Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for processing the information is Article 9 UK GDPR:

(a) Your consent
(g) Processing is necessary for reasons of substantial public interest
(h) Processing is necessary for provision of health or social care treatment

You can read the guide to lawful basis for processing special category data on the Information Commissioner’s Office website.

Your consent

Where we use consent to process your personal data, we will explain to you what we are asking you to agree to and why. If we have consent to use your personal data, you have the right to remove it at any time. If you want to remove your consent, please contact our IG Team igteam@reading.gov.uk

If you remove your consent, we are unlikely to be able to provide continued services to you.

Legal obligation and public task

Our ‘legal obligation’ and tasks that we are required to carry out as a local authority, can be found in:

  • Health and Care Act 2022
  • Care Act 2014
  • Health and Social Care Act 2012
  • Health and Social Care Quality and Safety Act 2015 Section 251(b)
  • Mental Capacity (Amendment) Act 2019
  • Housing Act 2004
  • Local Government Act 2003
  • The Care & Support (Charging and Assessment of Resources) Regulations 2014
  • Care and Support and Aftercare (Choice of Accommodation) Regulations 2014

Where and for how long does RBC store information about me?

The information about you that we hold and use is held securely in the United Kingdom and stored electronically, in paper format and on secure servers.

No records are stored outside the EU.

We retain your records for certain periods (depending on the particular type of record) under our retention of records policy.  RBC follows the recommended best practice contained in this retention document:  https://www.reading.gov.uk/the-council-and-democracy/council-strategies-plans-and-policies/data-protection/ . This is to ensure that information is properly managed and is available whenever and wherever there is a justified need for that information, including:

  • to support service user and continuity of support
  • to support evidence-based professional practice
  • to assist in audits
  • to support our public task
  • to meet legal requirements

Your records may not be retained in hard copy form where a digital copy does exist.

Health and Social Care data (Connected Care)

‘Share your Care,’ locally known as ‘Connected Care’, is a secure IT system for sharing information about a service user’s care, needs and medical conditions across social care and health organisations. The system enables instant, secure access to social care and patient records across Berkshire, for professionals involved in that person’s care.

The aim of Connected Care is to give the service user:

  • Better coordinated and safer care across health and social care enabled through the sharing of real-time information.
  • Better coordination of discharges from hospital into social care
  • Earlier intervention to maximise the opportunities for reablement services leading to greater independence for patients.
  • improve the quality and standards of care provided.
  • research into the development of new treatments
  • prevent illness and diseases.
  • monitor safety.
  • plan services
  • The person only having to tell their story once.

More information can be found here:  What is the Integrated Care System? | BOB ICB

Sharing your care with new technology | Berkshire Healthcare NHS Foundation Trust

How to opt-out (national data opt-out)

Since September 2021, all regulated social care providers in England now comply with the national data opt-out. Under the national data opt-out everyone who uses publicly funded health and/or care services can stop health and care organisations from sharing their confidential patient information with other organisations if it is not about managing or delivering their own care. This may, for instance, be for research or planning purposes.

As a Council, we are compliant with the national data opt-out where it applies and have put processes in place so we can apply any national data opt-out choice.

If you are receiving support from adult social care, then the NHS may share your NHS number with Adult Social Care. This is so that the NHS and adult social care are using the same number to identify you whilst providing your care. By using the same number, the NHS and adult social care can work together more closely to improve your care and support.

In terms of the Data Protection Act 2018 the Council is both the Data Controller and the Data Processor.

You can change your national data opt out choice at any time by using the online service or by selecting Your Health in the NHS App, and selecting choose if data from your health records is shared for research and planning.

You can find out more about how patient information is used at:

Client level data

The Secretary of State for Health and Social Care has directed NHS Digital to establish a system for the collection and analysis of Client-Level Adult Social Care Data from local authorities. 

The information being provided to NHS Digital supports the government’s drive toward the integration of health and social care specifically for:

  • monitoring, at a population level, particular cohorts of service users and designing analytical models which support more effective interventions in health and adult social care.
  • monitoring service and integrated care outcomes across a pathway or care setting involving adult social care.
  • developing, through evaluation of person-level data, more effective prevention strategies and interventions across a pathway or care setting involving adult social care
  • designing and implementing new payment models across health and adult social care
  • understanding current and future population needs and resource utilisation for local strategic planning and commissioning purposes including for health, social care and public health needs.

The legal bases on which NHS Digital collects the information are sections 254(1) and (6), 260(2)(d), 261(3), 262(3)(b), 262(7) and 304(9), (10) and (12) of the Health and Social Care Act 2012 and Regulation 32 of the National Institute for Health and Social Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013.

Reading Borough Council is legally required under Section 259(5) of the Health and Social Care Act 2012 to provide the information to NHS Digital under the Data Provision Notice (DPN).

The National Data Opt-Out does not apply to the submission of data to NHS Digital for this collection as the DPN is a legal requirement with which the Council must comply.

You can find out more information about the collection of Client Level Data at:

What rights do I have?

Under certain circumstances, you have rights under data protection laws in relation to any personal information that we hold about you.

If you wish to exercise any of the rights set out below, please contact our Information Governance Team at IGTeam@reading.gov.uk. For more information please see our webpage:  Subject access requests – Reading Borough Council

Details of your rights are set out below.

The right to be informed. This privacy notice forms part of that, but we also aim to keep you fully informed during your appointments, via posters in RBC and leaflets when appropriate.

The right to access your personal information. You are usually entitled to a copy of the personal information we hold about you and details about how we use it.

Your information will usually be provided to you in the form you request; if we are unable to do that, we will inform you. If you have made the request electronically (e.g., by email) the information will be provided to you by electronic means where possible.

You are entitled to the following under data protection law:

Under data protection law we must usually confirm whether we have personal information about you. If we do hold personal information about you, we usually need to explain to you:

  • The purposes for which we use your personal information.
  • The types of personal information we hold about you.
  • Who your personal information has been or will be shared with.
  • Where possible, the length of time we expect to hold your personal information. If that is not possible, the criteria we use to determine how long we hold your information for.
  • If the personal data we hold about you was not provided by you, where we obtained the information from.
  • Your right to ask us to amend or delete your personal information (if appropriate).
  • Your right to ask us to restrict how your personal information is used or to object to our use of your personal information (if appropriate).
  • Your right to complain to the Information Commissioner’s Office.
  • We also need to provide you with a copy of your personal information.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity (this will be proportionate) and ensure your right to access your personal information (or to exercise any of your other rights). We may also contact you to ask you for further information in relation to your request to speed up our response.

We respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

The right to request correction of your personal information

We take reasonable steps to ensure that the personal information we hold about you is accurate and complete and up to date.  However, if you do not believe this is the case, you can ask us to update or amend it.

The right to request erasure of your personal information

In some circumstances, you have the right to request the erasure of the personal information that we hold about you.  This is also known as the ‘right to be forgotten’.  However, there are exceptions to this right and in certain circumstances we can refuse to delete the information in question.

The right to object to the processing of your personal information

In some circumstances, you have the right to object to the processing of your personal information.

The right to request a transfer of your personal information

In some circumstances, we must transfer personal information that you have provided to us to you or (if this is technically feasible) another individual/ organisation of your choice. The information must be transferred in an electronic format.

The right to object

You can ask us to stop processing your information for any purposes other than the service you receive from us.

The right not to be subject to automatic decisions (i.e., decisions that are made about you by computer alone)

You have a right to not be subject to automatic decisions (i.e., decisions that are made about you by computer alone) that have a legal or other significant effect on you. 

The right to withdraw your consent

You have the right to withdraw your consent where we rely upon this as a legal ground for processing your information.

The right to complain to the Information Commissioner’s Office

You have the right to complain to the Information Commissioner’s Office if you are unhappy with the way that we have dealt with a request from you to exercise any of these rights, or if you think we have not complied with our legal obligations under data protection law.

Making a complaint will not affect any other legal rights or remedies that you have.

More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/ and the Information Commissioner’s Office can be contacted by post, phone, or email as follows:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 (if you prefer to use a national rate number)

Email: casework@ico.org.uk

For further questions or to exercise any rights set out in this Privacy Policy, please contact: RBC Data Protection Officer (DPO): Nayana George: IG Team IGTeam@reading.gov.uk.

Last updated on 23/07/2024