Blue Heart Care Group – Privacy Notice
Blue Heart Care Group (“we”, “our”, or “the Company”) provides residential care, supported living, and related care services. In order to deliver safe, effective, and lawful care, we must process personal data, including special category (sensitive) personal data.
We act as a data controller in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Notice explains how we collect, use, store, and protect personal information relating to:
- Service users and their families
- Employees and workers
- Job applicants
- Contractors and agency staff
- Visitors and professionals
Contents
1. Collection and Use of Personal Data
   a. Purpose of processing and lawful basis
   b. Legitimate interests
   c. Statutory and contractual requirements
   d. Recipients of personal data
2. Information Obtained from Other Sources
3. Data Retention
4. Your Rights
5. Cookies
6. Log Files
7. Links to External Websites
8. Sale or Transfer of the Business
9. Data Security
10. Changes to this Privacy Notice
11. Complaints or Queries
12. Data Retention Timescales
1. Collection and Use of Personal Data
Blue Heart Care Group collects and processes personal data to deliver safe, person-centred, and legally compliant care services. Because we provide regulated care, much of the information we process includes health and safeguarding data, which is classified as special category data under UK GDPR.
We only collect information that is relevant, necessary, and proportionate for the delivery of our services.
Personal data may be collected:
- Directly from you
- From your family member or legal representative
- From local authorities or commissioners
- From healthcare professionals
- From previous employers (for staff)
- Through application forms, assessments, contracts, or correspondence
1(a). Purpose of Processing and Lawful Basis
We process personal data for the following purposes:
To Deliver Care Services
- Assessing individual care and support needs
- Creating and reviewing care plans
- Monitoring wellbeing and health conditions
- Managing medication administration
- Supporting daily living activities
- Managing risks and safeguarding concerns
Lawful basis:
- Article 6(1)(b) – Performance of a contract
- Article 6(1)(c) – Legal obligation
- Article 6(1)(d) – Vital interests
- Article 9(2)(h) – Provision of health or social care
To Safeguard Individuals
- Reporting safeguarding concerns
- Sharing information with safeguarding authorities
- Preventing abuse, neglect, or harm
- Recording incidents and investigations
Lawful basis:
- Legal obligation
- Vital interests
- Substantial public interest (safeguarding of vulnerable individuals)
To Meet Legal and Regulatory Requirements
- Compliance with CIW / CQC regulations
- Health and safety compliance
- Maintaining statutory records
- Responding to inspections and audits
Lawful basis:
- Legal obligation
To Manage Employment and Staffing
- Recruitment and onboarding
- Right-to-work checks
- DBS checks
- Payroll and pension processing
- Training and supervision records
- Disciplinary and grievance procedures
Lawful basis:
- Contractual necessity
- Legal obligation
- Legitimate interests
To Communicate with Families and Representatives
- Providing updates
- Managing feedback and complaints
- Arranging meetings and reviews
Lawful basis:
- Contractual necessity
- Legitimate interests
- Consent (where appropriate)
For Service Improvement and Quality Monitoring
- Internal audits
- Incident trend analysis
- Staff performance review
- Risk assessments
Lawful basis:
- Legitimate interests
- Legal obligation
We do not rely solely on automated decision-making in the delivery of care.
1(b). Legitimate Interests
We may process personal data where we have a legitimate and balanced business interest. This includes:
- Maintaining accurate and up-to-date records
- Ensuring safe staffing levels
- Improving care quality
- Protecting the organisation against legal claims
- Preventing fraud or misuse of services
Before relying on legitimate interests, we carry out a balancing assessment to ensure your rights and freedoms are not overridden.
1(c). Statutory and Contractual Requirements
In order to provide care services or employment, certain information must be provided. This may include:
- Proof of identity
- Right-to-work documentation
- Health and medical information
- Emergency contact details
- DBS clearance (for staff)
- Financial and payroll details
This requirement arises under legislation including:
- Health and Social Care Act 2008
- Care Act 2014
- Safeguarding Vulnerable Groups Act 2006
- Employment Rights Act 1996
- Immigration legislation
- HMRC regulations
If required information is not provided, we may be unable to deliver care services or offer employment.
1(d). Recipients of Personal Data
We may share personal data, where necessary and lawful, with:
- Local authorities and commissioning bodies
- GPs, hospitals, and healthcare professionals
- Safeguarding boards and authorities
- Regulatory bodies (e.g., CIW or CQC)
- Disclosure and Barring Service (DBS)
- Payroll and pension providers
- HMRC
- IT system providers (care management software)
- Legal advisers or insurers
All third parties are required to process data securely and in accordance with data protection law.
We do not sell personal data.
- Legitimate Interests
We may process personal data where we have a legitimate and proportionate business reason to do so, including:
- Maintaining accurate service user and staff records
- Improving the quality and safety of our care services
- Internal audits and compliance monitoring
- Communicating relevant service information
- Managing staffing and operational planning
We always balance our legitimate interests against your rights and freedoms.
- Statutory and Contractual Requirements
Certain personal data is required under legislation including (but not limited to):
- Health and Social Care Act 2008
- Care Act 2014
- Safeguarding Vulnerable Groups Act 2006
- Employment Rights Act 1996
- Immigration, right-to-work and DBS legislation
- HMRC, payroll, pension auto-enrolment and tax regulations
Regulatory bodies such as the Care Inspectorate Wales (CIW), Care Quality Commission (CQC) (if applicable), local authorities, and safeguarding teams may require specific documentation.
If you do not provide required personal data, we may be unable to provide care services or employment.
- Recipients of Personal Data
We may share personal information with:
- Local authorities and commissioning bodies
- Healthcare professionals (GPs, nurses, hospitals)
- Safeguarding authorities
- Regulatory bodies (e.g., CIW or CQC)
- Disclosure and Barring Service (DBS)
- Payroll and pension providers
- HMRC
- IT and secure care management system providers
- Professional advisers (legal, HR, insurance)
We only share the minimum information necessary and ensure appropriate safeguards are in place.
2. Information Obtained from Other Sources
In addition to the information provided directly by you, Blue Heart Care Group may obtain personal data from third parties where this is necessary to deliver safe, effective, and lawful care services, or to meet employment and regulatory requirements.
We only collect information that is relevant, proportionate, and required for a clear purpose.
2(a). Categories of Personal Data Collected
Depending on whether you are a service user, employee, applicant, contractor, or representative, we may obtain the following categories of information:
Identity and Contact Information
- Full name
- Date of birth
- Address
- Telephone number
- Email address
- National Insurance number (for staff)
- Emergency contact details
Care and Support Information (Service Users)
- Care needs assessments
- Support plans
- Risk assessments
- Medical diagnoses
- Medication records
- GP and healthcare provider details
- Hospital discharge summaries
- Safeguarding information
- Incident and behavioural records
- Capacity assessments (where applicable)
This information is classified as special category data and is processed under Article 9(2)(h) of UK GDPR (health and social care provision) and relevant safeguarding legislation.
Employment and Recruitment Information (Staff)
- Employment history
- References
- Qualifications and professional registrations
- DBS disclosure information
- Right-to-work documentation
- Training and competency records
- Occupational health information (where required)
Criminal conviction data is processed in accordance with the UK GDPR, Data Protection Act 2018, and DBS Code of Practice.
Financial Information
- Payroll details
- Bank account information (for staff payments)
- Pension contribution information
- Funding or commissioning information (for service users where applicable)
Monitoring and Equality Information
Where required for regulatory, safeguarding, or equality monitoring purposes, we may collect:
- Ethnicity
- Gender
- Disability status
- Religious beliefs (where relevant to care planning)
This information is only processed where lawful and necessary.
2(b). Sources of Data
We may obtain personal data from the following sources:
For Service Users
- Local authorities or commissioning bodies
- Social workers
- GPs and healthcare professionals
- Hospitals and discharge teams
- Community mental health teams
- Family members or legal representatives
- Safeguarding authorities
For Employees and Applicants
- Referees and previous employers
- Disclosure and Barring Service (DBS)
- Professional registration bodies
- Recruitment agencies
- Occupational health providers
- Government bodies (e.g., HMRC)
Website and Digital Sources
When you interact with our website, we may collect limited technical data through:
- Cookies
- Website analytics tools
- Server log files
This may include IP address, browser type, and pages visited.
This information is used for system security, performance monitoring, and website improvement.
Transparency and Fair Processing
Where we receive personal data from third parties, we will:
- Ensure the data has been shared lawfully
- Use it only for the purpose for which it was provided
- Inform you where required under data protection law
We do not obtain personal data from publicly available sources unless it has been clearly made public by you and is relevant to the purpose for which we are processing it.
We do not purchase personal data from marketing lists or data brokers.
3. Data Retention
Blue Heart Care Group retains personal data only for as long as necessary to fulfil the purposes for which it was collected, including the provision of care, safeguarding responsibilities, employment management, and compliance with legal and regulatory obligations.
We follow the UK GDPR, the Data Protection Act 2018, and applicable health and social care retention guidance when determining how long information is kept.
We do not retain personal data indefinitely unless there is a lawful reason to do so.
How We Determine Retention Periods
Retention periods are determined based on:
- Legal and statutory requirements
- Regulatory guidance (e.g. CIW or CQC expectations)
- Safeguarding obligations
- Limitation periods for legal claims
- Contractual requirements
- Best practice in health and social care record management
Where more than one retention period may apply, we will apply the longest relevant lawful period.
Service User Records
Care records contain health and safeguarding information and are retained in accordance with health and social care guidance.
This may include:
- Care plans
- Risk assessments
- Incident records
- Safeguarding documentation
- Medication records
- Capacity assessments
These records are retained for a period consistent with regulatory guidance and legal limitation periods, particularly where safeguarding or risk information is involved.
Where a service user leaves our care, records will be securely archived and retained for the required period before confidential destruction.
Safeguarding Records
Safeguarding documentation may be retained longer where necessary due to:
- Ongoing investigations
- Serious incident reviews
- Legal proceedings
- Regulatory requirements
Safeguarding records are retained in line with statutory guidance and may be held for extended periods where the risk profile requires it.
Staff and Employment Records
Personnel files may include:
- Contracts of employment
- Disciplinary and grievance records
- Supervision notes
- Training records
- Right-to-work documentation
- DBS information
Unless a longer retention period applies, staff records are typically retained for six years after employment ends, in line with the Limitation Act 1980.
Right-to-work documentation is retained for two years after employment ends, in accordance with immigration legislation.
Payroll, pension, and tax records are retained for 3–6 years in line with HMRC requirements.
Recruitment Records
Unsuccessful applicant information is retained only for as long as necessary to:
- Demonstrate fair recruitment practices
- Respond to potential claims
This is typically retained for up to 6–12 months, unless consent has been given to retain details for future opportunities.
DBS Information
DBS certificates are not retained. We may retain:
- DBS certificate number
- Date of issue
- Level of check
- Decision outcome
This is done in line with the DBS Code of Practice.
Financial and Business Records
Financial documentation, including:
- Invoices
- Contracts
- Funding agreements
- Insurance documentation
is retained for six years in accordance with accounting and tax legislation.
Secure Storage and Disposal
When personal data is no longer required:
- Paper records are securely shredded or confidentially destroyed
- Electronic records are permanently deleted from systems and backups in line with secure deletion procedures
- Archived files are securely stored with restricted access
We regularly review stored data to ensure that information is not retained longer than necessary.
Data Processed Under Consent
Where processing is based on consent, we will review the necessity of retention periodically. If consent is withdrawn and no other lawful basis applies, the data will be securely deleted.
Withdrawal of consent does not affect processing carried out prior to withdrawal.
4. Your Rights
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have specific rights regarding the personal data we hold about you.
Blue Heart Care Group is committed to ensuring that individuals can exercise their rights clearly, fairly, and without unnecessary delay.
These rights apply to service users, employees, applicants, family members, and other individuals whose personal data we process.
4.1 Right to Be Informed
You have the right to be informed about:
- What personal data we collect
- Why we collect it
- How it is used
- Who it may be shared with
- How long it is retained
- How it is protected
This Privacy Notice forms part of how we meet that obligation.
4.2 Right of Access (Subject Access Request)
You have the right to request a copy of the personal data we hold about you.
This includes:
- Care records
- Employment records
- Correspondence
- Assessment documentation
Requests must be made in writing. We may require proof of identity before releasing information.
We will respond within one month unless the request is complex, in which case the response period may be extended in accordance with data protection law.
In certain circumstances, we may lawfully withhold information, for example:
- Where disclosure would adversely affect the rights of another person
- Where safeguarding concerns exist
- Where legal privilege applies
If information is withheld, we will explain the reason where lawful to do so.
4.3 Right to Rectification
You have the right to request that inaccurate or incomplete personal data be corrected.
If we agree the information is inaccurate, we will correct it without undue delay.
If we believe the information is accurate, we will record your request and may add a note to the record reflecting your view.
4.4 Right to Erasure (“Right to Be Forgotten”)
You may request the deletion of your personal data in certain circumstances.
However, this right is limited in health and social care settings. We may not be able to erase information where it is required:
- To comply with legal obligations
- For safeguarding purposes
- For regulatory compliance
- To establish, exercise, or defend legal claims
- For the provision of ongoing care
If we cannot erase the data, we will explain why.
4.5 Right to Restrict Processing
You have the right to request that we restrict the processing of your data where:
- You contest its accuracy
- The processing is unlawful but you do not want it erased
- We no longer need the data but you require it for legal claims
- You have objected to processing and we are considering your objection
When processing is restricted, we may store the data but not use it unless permitted by law.
4.6 Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you may request to receive your data in a structured, commonly used, and machine-readable format.
This right is unlikely to apply to most care records but may apply in certain employment or contractual contexts.
4.7 Right to Object
You have the right to object to processing where we rely on legitimate interests as our lawful basis.
If you object, we will assess whether we have compelling legitimate grounds to continue processing.
This right does not apply where processing is required by law or necessary for safeguarding or care provision.
4.8 Rights in Relation to Automated Decision-Making
Blue Heart Care Group does not make decisions about individuals based solely on automated processing.
All care and employment decisions involve human oversight.
4.9 Right to Withdraw Consent
Where we rely on consent to process your personal data, you may withdraw that consent at any time.
Withdrawal of consent does not affect:
- Processing already carried out
- Processing based on another lawful basis
Exercising Your Rights
To exercise any of your rights, please contact:
Data Protection Lead
Blue Heart Care Group
Unit 31, Orion Street, Enterprise Way, Newport, NP20 2DX
martin@blueheartcare.co.uk
We may request proof of identity before responding to protect confidentiality.
There is normally no fee for exercising your rights, although a reasonable administrative fee may be charged for manifestly unfounded or excessive requests.
Complaints
If you are not satisfied with how we have handled your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
We encourage you to contact us first so we can attempt to resolve any concerns.
5. Cookies
Blue Heart Care Group uses cookies and similar technologies on our website to ensure it functions properly, remains secure, and provides a positive user experience.
This section explains what cookies are, how we use them, and the choices available to you.
5.1 What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They help websites recognise your device and remember certain information about your visit.
Cookies may collect technical data such as:
- IP address
- Browser type and version
- Device type
- Operating system
- Pages visited
- Time and date of visits
- Referring website
Cookies do not give us access to your computer or personal files.
5.2 Types of Cookies We Use
We may use the following categories of cookies:
Strictly Necessary Cookies
These cookies are essential for the website to function properly. They enable core features such as security, accessibility, and page navigation.
Without these cookies, the website cannot operate effectively.
Legal basis: Legitimate interests.
Performance and Analytics Cookies
These cookies help us understand how visitors use our website by collecting anonymous information about:
- Page visits
- Navigation patterns
- Time spent on pages
- Website performance
This allows us to improve website design, content, and functionality.
Where analytics tools are used (such as Google Analytics), data is typically aggregated and does not directly identify individuals.
Legal basis: Consent (where required).
Functionality Cookies
These cookies allow the website to remember your preferences, such as:
- Language settings
- Accessibility preferences
- Form completion details
Legal basis: Consent or legitimate interests, depending on use.
5.3 Managing Cookies
When you first visit our website, you may be presented with a cookie banner allowing you to:
- Accept all cookies
- Reject non-essential cookies
- Customise your preferences
You can also control cookies through your browser settings. Most web browsers allow you to:
- Block cookies
- Delete existing cookies
- Receive alerts before cookies are placed
Please note that disabling certain cookies may affect website functionality.
5.4 Third-Party Cookies
Some cookies may be placed by third-party service providers who support our website functionality (for example, analytics or hosting providers).
We ensure that third-party providers process data in accordance with data protection legislation and appropriate contractual safeguards.
5.5 Changes to Our Cookie Practices
We may update our use of cookies from time to time to improve our services or meet legal requirements. Any significant changes will be reflected in this Privacy Notice or in a separate Cookie Policy.
6. Log Files
Blue Heart Care Group may collect and maintain log files when users access our website or digital systems. Log files are used to ensure system security, monitor performance, and support technical administration.
6.1 What Information Is Collected
Log file data may include:
- Internet Protocol (IP) address
- Browser type and version
- Internet Service Provider (ISP)
- Date and time of access
- Pages visited
- Referring and exit pages
- Device type and operating system
- Error logs and system activity
This information is automatically generated by servers and website infrastructure.
6.2 Purpose of Log File Data
We use log file information for legitimate operational and security purposes, including:
- Monitoring website performance
- Diagnosing technical issues
- Preventing unauthorised access
- Detecting cyber threats or malicious activity
- Maintaining system security
- Supporting investigations where required
Log data helps us protect both users and organisational systems.
6.3 Identifiability
Log file data is generally not used to identify individuals directly.
While IP addresses may technically be considered personal data under UK GDPR, we do not routinely link IP addresses to named individuals unless required:
- For security investigations
- To comply with legal obligations
- To investigate suspected misuse of our systems
6.4 Retention of Log Data
Log files are retained only for as long as necessary for security and monitoring purposes.
Retention periods may vary depending on:
- The sensitivity of the system
- Security requirements
- Legal or regulatory obligations
Once no longer required, log data is securely deleted or anonymised.
6.5 Lawful Basis
The processing of log file data is based on:
- Legitimate interests (ensuring system security and operational integrity)
- Legal obligations (where monitoring is required for regulatory compliance)
We ensure that log monitoring is proportionate and does not unnecessarily intrude on individual privacy.
7. Links to External Websites
The Blue Heart Care Group website may contain links to external websites, partner organisations, regulatory bodies, or third-party service providers for informational purposes.
These links are provided for convenience and do not signify endorsement of those websites or their content.
7.1 Responsibility for Third-Party Websites
Once you leave our website, we are not responsible for:
- The privacy practices of external websites
- The content or security of third-party sites
- How third parties collect, use, or store your personal data
Each external website operates under its own privacy notice and data protection practices.
We strongly recommend that you review the privacy policy of any external website before providing personal information.
7.2 Third-Party Services Embedded on Our Website
In some cases, our website may include third-party tools or embedded content, such as:
- Maps
- Videos
- Online forms
- Analytics tools
These providers may collect technical information about your interaction with their services. Where this occurs, processing is governed by the third party’s own privacy notice.
We take reasonable steps to ensure that any third-party providers we engage process data in accordance with applicable data protection laws.
7.3 External Regulatory Links
Our website may include links to regulatory bodies such as:
- The Information Commissioner’s Office (ICO)
- Care Inspectorate Wales (CIW) or Care Quality Commission (CQC)
These links are provided for transparency and regulatory information only.
7.4 Security Disclaimer
While we take care to link only to reputable sources, we cannot guarantee the ongoing security or content of external websites. Accessing third-party websites is done at your own discretion.
8. Sale or Transfer of the Business
Blue Heart Care Group may, from time to time, undergo organisational changes such as restructuring, merger, acquisition, refinancing, or sale of part or all of the business.
In such circumstances, personal data may form part of the business assets that are transferred.
8.1 Disclosure During Business Transactions
If the Company is:
- Sold or merged with another organisation
- Subject to investment or restructuring
- Transferring services to another regulated provider
- Involved in insolvency or administration proceedings
personal data may be disclosed to:
- Professional advisers (legal, financial, HR, compliance)
- Prospective purchasers or investors
- Regulatory bodies
- Successor organisations
Such disclosure will be limited to what is necessary for due diligence and transaction purposes.
8.2 Safeguards During Transfer
Where personal data is shared as part of a business transfer:
- Appropriate confidentiality agreements will be in place
- Data sharing will comply with UK GDPR and the Data Protection Act 2018
- Only relevant and necessary data will be disclosed
- Special category (health and safeguarding) data will be handled with enhanced protections
If a transfer is completed, the new owner or provider will become responsible for processing personal data and will be required to continue protecting it in accordance with data protection law.
8.3 Continuity of Care and Safeguarding
In regulated care settings, the continuity and safety of service users is paramount.
Where services are transferred:
- Care records will be transferred securely
- Regulatory bodies (e.g., CIW or CQC) will be informed as required
- Safeguarding responsibilities will continue uninterrupted
Personal data will only be transferred where necessary to ensure lawful and safe continuation of care services.
8.4 Notification
Where required by law, we will notify individuals of a change in data controller following a business transfer.
9. Data Security
Blue Heart Care Group takes the security and confidentiality of personal data seriously. We implement appropriate technical and organisational measures to protect personal information against unauthorised access, loss, misuse, alteration, or disclosure.
Our security measures are designed to reflect the sensitivity of the data we process, particularly health and safeguarding information.
9.1 Organisational Measures
We maintain internal policies and procedures to ensure personal data is handled securely and lawfully. These include:
- Data protection and confidentiality policies
- Staff training in data protection and information governance
- Safeguarding procedures
- Access control policies
- Clear desk and secure storage procedures
- Incident reporting and breach management procedures
All staff are required to maintain confidentiality and are subject to disciplinary action if they breach data protection requirements.
9.2 Technical Measures
We use appropriate technical safeguards, which may include:
- Secure servers and firewalls
- Encrypted systems and secure cloud storage
- Role-based access controls
- Password protection and multi-factor authentication
- Secure care management software
- Regular system updates and security patches
- Anti-virus and anti-malware protections
Access to sensitive data is restricted to authorised personnel who require it to perform their duties.
9.3 Physical Security
Where paper records are maintained, we ensure:
- Locked filing cabinets
- Secure office premises
- Restricted access to administrative areas
- Controlled visitor access
Archived records are securely stored and confidentially destroyed when no longer required.
9.4 Data Breach Management
We have procedures in place to detect, investigate, and respond to personal data breaches.
If a breach occurs that is likely to result in a risk to individuals’ rights and freedoms:
- We will notify the Information Commissioner’s Office (ICO) where required
- We will inform affected individuals where there is a high risk
- We will take steps to mitigate and prevent recurrence
All breaches are recorded and reviewed to improve future safeguards.
9.5 Data Sharing and Third Parties
Where we share data with third-party providers (such as payroll providers, IT providers, or regulatory bodies), we ensure:
- Data Processing Agreements are in place where required
- Providers meet appropriate security standards
- Only necessary data is shared
We do not sell personal data.
9.6 Limitations of Internet Security
While we take appropriate steps to protect personal data, no method of electronic transmission or storage is completely secure.
Individuals are encouraged to avoid sending highly sensitive information through unsecured email or public networks unless appropriate encryption is used.
10. Changes to This Privacy Notice
Blue Heart Care Group may update this Privacy Notice from time to time to reflect changes in:
- Legal or regulatory requirements
- Health and social care guidance
- Our services or operational practices
- Technology or security arrangements
- Organisational structure
We are committed to ensuring that this Privacy Notice remains accurate, transparent, and compliant with current data protection legislation.
10.1 Review Process
This Privacy Notice is reviewed periodically as part of our governance and compliance framework.
We may update it where:
- New legislation or regulatory guidance is introduced
- Regulatory bodies (such as CIW or CQC) update expectations
- We introduce new systems, services, or data processing activities
- Internal audits identify areas requiring clarification
10.2 Notification of Changes
Where changes are minor (for example, formatting or clarification), the updated version will simply be published on our website with a revised date.
Where changes are significant and materially affect how personal data is processed, we will:
- Provide clear notification where appropriate
- Update service users, staff, or relevant individuals directly if required by law
The latest version will always be available on our website or upon request.
10.3 Effective Date
This Privacy Notice is effective from:
12/02/2026
11. Complaints or Queries
Blue Heart Care Group is committed to handling personal data lawfully, fairly, and transparently. If you have any questions, concerns, or complaints about how we collect, use, or protect your personal information, we encourage you to contact us in the first instance so that we can investigate and resolve the matter promptly.
11.1 How to Contact Us
If you wish to:
- Exercise your data protection rights
- Raise a concern about data handling
- Request clarification about this Privacy Notice
- Report a suspected data breach
Please contact:
Data Protection Lead
Blue Heart Care Group
Unit 31, Orion Street, Enterprise Way, Newport, NP20 2DX
martin@blueheartcare.co.uk
We may request proof of identity before disclosing information, to ensure that confidentiality is maintained.
11.2 How We Handle Complaints
When a complaint is received:
- It will be acknowledged promptly
- It will be reviewed in accordance with our internal complaints and data protection procedures
- We may contact you for further clarification
- A response will be provided within a reasonable timeframe
Where a complaint relates to safeguarding or regulatory matters, it may also be reviewed under our safeguarding or governance procedures.
11.3 Right to Complain to the Information Commissioner’s Office (ICO)
If you are not satisfied with our response, or you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
You are not required to contact us before approaching the ICO, but we encourage you to do so as we may be able to resolve your concern more quickly.
- Data Retention Timescales
Blue Heart Care Group retains personal data in accordance with legal, regulatory, contractual, and operational requirements. Retention periods are determined by statutory obligations, safeguarding responsibilities, and limitation periods for legal claims.
Where multiple retention periods apply, the longest lawful period will be followed.
Once retention periods expire, records are securely destroyed or permanently deleted.
12.1 Service User Records
Includes:
- Care plans
- Risk assessments
- Medication records
- Incident and safeguarding records
- Capacity assessments
- Daily notes and care documentation
Retention:
Retained in line with health and social care record management guidance and regulatory expectations.
Typically retained for a minimum of 6 years after care ends, or longer where safeguarding, risk, or legal considerations apply.
Where the service user was a child or vulnerable person, records may be retained for an extended period in accordance with safeguarding guidance.
12.2 Safeguarding Records
Includes:
- Safeguarding referrals
- Investigation documentation
- Serious incident reports
Retention:
Retained in line with statutory safeguarding guidance.
May be retained for extended periods where required for risk management, regulatory compliance, or legal proceedings.
12.3 Personnel and Employment Records
Includes:
- Contracts of employment
- Disciplinary and grievance records
- Supervision notes
- Training records
- Performance reviews
Retention:
Typically 6 years after employment ends, in line with the Limitation Act 1980.
12.4 Recruitment Records
Includes:
- Application forms
- CVs
- Interview notes
- Pre-employment checks
Retention:
Unsuccessful applicants: 6 to 12 months, unless the applicant consents to their details being retained for future opportunities.
12.5 Right-to-Work Documentation
Includes:
- Passport copies
- Visa documentation
- Immigration status checks
Retention:
2 years after employment ends, in accordance with Home Office requirements.
12.6 DBS Information
Includes:
- DBS certificate number
- Date of issue
- Level of check
- Outcome decision
Retention:
DBS certificates themselves are not retained.
Disclosure information is retained only as long as necessary and in line with the DBS Code of Practice.
12.7 Payroll, Tax and Pension Records
Includes:
- Wage records
- PAYE documentation
- Pension contribution records
- Statutory pay records
Retention:
3–6 years, depending on HMRC and pension legislation requirements.
12.8 Working Time Records
Includes:
- 48-hour opt-out agreements
- Annual leave records
Retention:
2 years, in accordance with Working Time Regulations.
12.9 Financial and Business Records
Includes:
- Contracts
- Invoices
- Funding agreements
- Insurance documentation
Retention:
6 years, in accordance with accounting and tax legislation.
12.10 Website and Log Data
Includes:
- Website analytics
- Server logs
Retention:
Retained only as long as necessary for security and performance monitoring purposes.
12.11 Secure Disposal
When retention periods expire:
- Paper records are securely shredded or confidentially destroyed
- Electronic records are permanently deleted in accordance with secure deletion procedures
- Archived records are reviewed periodically to ensure compliance
We do not retain personal data longer than necessary.
