Privacy Policy

Summary of initiative/policy

This policy relates to the distribution of free CARE branded badges to the paid adult social care workforce in England. The Department of Health and Social Care (DHSC) has worked with The APS Group (Crown Commercial supplier), who have created an online ordering site that allows registered users to order badges for their organisation. The APS Group will be responsible for the order fulfilment and distribution of badges and are verifying orders using CQC-provided details and, for non-CQC organisations, other details (internet research).

Data Controller

The Department of Health and Social Care are the data controller and APS the data processor acting under our instruction.

What personal data we collect

Personal information is collected on the APS site (name, email address, delivery address, number of badges required) for registered users of the site to enable the fulfilment of the orders. All users will use their email address on APS’ site to create a username and password, to track orders.

For CQC registered providers, the email address linked to their CQC listing/entry and Organisation Data Service (ODS) code will be used to verify that orders are from legitimate CQC registered care organisations. ODS codes are unique codes created by the Organisation Data Service within NHS Digital used to identify organisations across health and social care.

Similar information will be collected for orders from non-CQC care organisations with order sizes over 25, where APS will manually check that the postal addresses and phone numbers provided belong to adult social care organisations.

How we use your data (purposes)

The information provided will be used to fulfil CARE badge orders and to verify orders are from social care providers.

The Department of Health and Social Care will receive anonymised Management Information to monitor progress, problem-solve and forecast trends.

Legal basis for processing personal data

Article 6 of the General Data Protection Regulation:

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

Data Processors and other recipients of personal data

APS is the Data Processor and will only share data with other parties when necessary to successfully fulfil the order. This will be limited to sharing name and address personal data with the delivery partner, DX, for the badges to be delivered.

International data transfers and storage location(s)

As standard we do not transfer your personal data outside the European Economic Area (EEA).

Retention and disposal policy

The portal will be open for as long as the badges are available; data will therefore be stored for this period of time only, to allow for the verification process to be completed. Data will be destroyed when the portal closes.

Disposal of data will be through disabling users’ accounts which are generated via the email addresses, after the portal closes. This means that the accounts will be anonymized with all email addresses removed. All databases of email addresses will also be deleted.

APS’s customer service team have the ability to disable and anonymize users at the request of a user at any time.

How we keep your data secure

APS uses HTTPS communication so data is completely secure. APS holds an Information Commissioner's Office (ICO) registration certificate, a Cyber Essentials Plus certificate and an ISO/IEC certificate, which comply with high levels of security standards.

In addition, users can request removal of their personal data and the APS-run customer services team can disable and anonymize users.

Your rights as a data subject

By law, data subjects have a number of rights, and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018.

These rights are:

  1. The right to get copies of information – individuals have the right to ask for a copy of any information about them that is used.
  2. The right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected.
  3. The right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used.
  4. The right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.
  5. The right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case.

Comments or complaints

Anyone unhappy or wishing to complain about how personal data is used as part of this programme should contact data_protection@dhsc.gov.uk in the first instance or write to:

Data Protection Officer
1st Floor North
39 Victoria Street
London
SW1H 0EU

Anyone who is still not satisfied can complain to the Information Commissioner's Office. Their website address is www.ico.org.uk and their postal address is:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Automated decision making or profiling

No decision will be made about individuals solely on the basis of automated decision making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.

Changes to this policy

This privacy notice is kept under regular review, and new versions will be available on our privacy notice page on our website. This privacy notice was last updated on 11/12/2020.