Privacy Policy

Version 1.0  |  Effective date: [DATE]  |  Last reviewed: [DATE]  |  Next review due: [DATE + 12 months]

What this policy covers. This privacy policy explains how CareLink Direct collects, uses, stores and shares your personal information. It applies to everyone who interacts with us — including service users, their families and representatives, NHS and local authority commissioners, case managers, legal professionals, jobseekers, and visitors to our website.


1. Who we are

CareLink Direct is a nurse-led complex care provider registered with the Care Quality Commission (CQC) for the regulated activity of Treatment of Disease, Disorder or Injury (TDDI). We deliver specialist home care across Sussex and Surrey.

Our registered legal entity is Careline 24 Ltd, trading as CareLink Direct.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, CareLink Direct is the data controller for personal data processed in connection with our services and website.

CQC Registration: CareLink Direct is registered with the Care Quality Commission (CQC provider ID: [INSERT]). As a CQC-registered provider we are subject to the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, which directly inform how we handle care records, clinical information, and information governance.


2. Who this policy applies to

This policy applies to all individuals whose personal data we process, including:

  • Service users and their families — people receiving care from us, family members, next of kin, advocates, and self-funding individuals
  • NHS and ICB commissioners and professionals — ICB and CHC teams, hospital discharge teams, community nurses and matrons, and MDT professionals
  • Local authority commissioners and social care teams — commissioning teams, social workers, adult safeguarding teams, and CHC and DoLS coordinators
  • Case managers and legal teams — independent case managers, solicitors (personal injury and clinical negligence), insurers, medico-legal experts, and Court of Protection deputies
  • Job applicants, staff and contractors
  • Website visitors and enquirers

3. What personal data we collect

Service users and their families

  • Full name, date of birth, address and contact details
  • Next of kin and emergency contact information
  • Health and medical information — diagnosis, conditions, medications, clinical history, observations and care records (see Section 4)
  • Mental capacity assessments, best interest decisions, and any relevant DoLS authorisations
  • Risk assessments and care plans
  • GP, consultant and other professional contact details
  • Funding information — NHS Continuing Healthcare status, local authority commissioning arrangements, or self-funding details
  • Preferences, communication needs, and cultural, religious and personal background relevant to person-centred care
  • Incident and accident reports
  • Feedback and complaint records

NHS, ICB, local authority commissioners and professional referrers

  • Name, job title, employing organisation and work contact details
  • Referral information and case summaries
  • Commissioning and contract documentation
  • Communications and correspondence
  • Professional registration details where relevant (e.g. NMC, HCPC, BASW)

Case managers and legal teams

  • Name, professional title, firm or organisation, and contact details
  • Case reference information
  • Documents and reports relating to care packages, including medico-legal assessments
  • Correspondence and case notes

Job applicants and staff

  • Name, address, contact details and right to work documentation
  • CV, employment history, qualifications and references
  • DBS (Disclosure and Barring Service) check information
  • Occupational health and fitness to work information
  • Training records and competency assessments
  • Payroll, pension and tax information
  • Disciplinary and grievance records where applicable

Website visitors

  • IP address and device or browser information (collected automatically via cookies — see Section 10)
  • Pages visited, time on site and referring pages
  • Information submitted via enquiry forms: name, contact details and nature of the enquiry

We only collect data we need. We collect personal data that is necessary, relevant and adequate for the purpose for which it is collected. We do not buy marketing lists or use third-party data brokers.


4. Special category (health) data

Because we provide nurse-led clinical care, we necessarily process special category data — specifically health and medical information — about the people we support. The UK GDPR requires a higher standard of protection for this type of data.

Special category data we process includes:

  • Clinical diagnoses, medical history and ongoing health conditions
  • Medications, prescriptions and medication administration records
  • Nursing care records, clinical observations and NEWS scoring
  • Care plans for complex procedures including tracheostomy care, ventilation support, PEG and JEJ feeding, catheter care, bowel care, stoma care, wound care and seizure management
  • Mental health information, capacity assessments and safeguarding records
  • Palliative and end-of-life care documentation
  • Accident, incident and near-miss reports
  • Where relevant to person-centred care: racial or ethnic origin, religious beliefs, or sexual orientation
  • For staff: occupational health information and, where required, criminal record data via DBS checks

Our legal basis for processing special category health data is primarily Article 9(2)(h) of the UK GDPR — processing necessary for the provision of health or social care services, subject to professional confidentiality obligations. We also rely on Article 9(2)(c) (vital interests) and Article 9(2)(b) (employment and social security obligations) in relevant circumstances. All clinical staff and carers who access health records are bound by professional confidentiality and receive information governance training as part of their induction and competency framework.


5. Legal basis for processing

We are required to identify a lawful basis for every type of processing we carry out. Where we process special category data, we rely on both a UK GDPR Article 6 basis and an Article 9 condition.

Purpose  |  Article 6 basis  |  Article 9 condition  |  Applies to
Delivering care and clinical services  |  Art 6(1)(b) — contract; Art 6(1)(c) — legal obligation (Care Act, Health and Social Care Act)  |  Art 9(2)(h) — health and social care purposes  |  Service users
Safeguarding and protecting vulnerable individuals  |  Art 6(1)(c) — legal obligation; Art 6(1)(d) — vital interests  |  Art 9(2)(c) — vital interests; Art 9(2)(h)  |  Service users
Mental Capacity Act and DoLS compliance  |  Art 6(1)(c) — legal obligation  |  Art 9(2)(h)  |  Service users
Clinical governance, audit, incident management and CQC compliance  |  Art 6(1)(c) — legal obligation; Art 6(1)(f) — legitimate interests  |  Art 9(2)(h)  |  Service users, staff
Responding to enquiries and referrals  |  Art 6(1)(f) — legitimate interests; Art 6(1)(b) — pre-contract steps  |  Art 9(2)(h) where health data is shared in a referral  |  All enquirers and referrers
NHS, ICB and local authority commissioning  |  Art 6(1)(b) — contract; Art 6(1)(c) — legal obligation  |  Art 9(2)(h)  |  NHS, ICB, local authority
Case management and medico-legal packages  |  Art 6(1)(b) — contract; Art 6(1)(f) — legitimate interests  |  Art 9(2)(h)  |  Case managers, legal teams
Recruitment, employment and HR  |  Art 6(1)(b) — contract; Art 6(1)(c) — legal obligation  |  Art 9(2)(b) — employment; Art 9(2)(h) — occupational health  |  Staff and applicants
DBS checks (criminal record data)  |  Art 6(1)(c) — legal obligation  |  DPA 2018 Schedule 1, para 1 — safeguarding of vulnerable individuals  |  Staff and applicants
Website analytics  |  Art 6(1)(a) — consent (via cookie consent)  |  N/A  |  Website visitors
B2B marketing and professional communications  |  Art 6(1)(f) — legitimate interests (professional context); Art 6(1)(a) — consent where required  |  N/A  |  Professional contacts

Legitimate interests: Where we rely on legitimate interests (Art 6(1)(f)) we have carried out a Legitimate Interests Assessment to confirm our interests are not overridden by your rights and freedoms. You may request a copy by contacting us at the address in Section 14.


6. How we use your data

Service users and their families

  • Conducting initial assessments and developing personalised care plans
  • Delivering safe, nurse-led care at home including complex clinical procedures
  • Monitoring health, recording observations and escalating to GPs or hospital teams where needed
  • Managing medicines safely, in line with CQC Regulation 12
  • Sharing relevant clinical information with other healthcare professionals involved in the person’s care
  • Keeping care plans and risk assessments current as needs change
  • Managing safeguarding concerns lawfully and in line with local authority procedures
  • Handling complaints and incidents, and using them to improve our services
  • Meeting our CQC regulatory obligations, including record-keeping and inspection readiness

NHS, ICB and local authority commissioners

  • Managing referrals, care packages and service agreements
  • Sharing care summaries and documentation relevant to commissioned packages
  • Communicating on package reviews, escalations and contract matters
  • Complying with NHS and local authority reporting requirements

Case managers and legal teams

  • Developing and delivering care packages for catastrophic injury and clinical negligence cases
  • Producing documentation, clinical reports and audit trails for medico-legal purposes
  • Communicating on case progress, package design and mobilisation

Job applicants and staff

  • Assessing applications and suitability for roles
  • Carrying out DBS and professional reference checks
  • Onboarding, training and competency assessment
  • Managing employment, payroll and HR processes
  • Supporting revalidation for nurses and ongoing professional development

Website visitors

  • Responding to enquiries submitted via the contact form
  • Understanding how our website is used, to improve it (subject to cookie consent)

We do not use personal data for automated decision-making or profiling that produces a legal or similarly significant effect on any individual. All care and clinical decisions involve human judgement.


7. Who we share your data with

We share personal data only where there is a clear purpose and lawful basis, and only with parties who are required to protect it appropriately.

Healthcare and social care professionals

We share relevant care information with GPs, hospital consultants, community nurses, therapists, psychiatrists and other professionals involved in a person’s care — to ensure safe and coordinated care delivery. This is standard professional practice under health and social care law and does not require separate consent where it is in the person’s direct interest.

NHS and local authority bodies

Where care is commissioned by an ICB, CHC team or local authority, we share care records, reports and relevant documentation with those bodies as required under our commissioning arrangements and legal obligations.

Safeguarding authorities

We are required by law to report safeguarding concerns to the appropriate local authority adult or children’s safeguarding team, and in some cases to the police. We do not need consent to make a safeguarding referral where there is a risk of harm to the individual or others.

The Care Quality Commission (CQC)

As a CQC-registered provider, we may be required to share information with CQC inspectors or in response to regulatory enquiries, under our statutory obligations as a registered provider.

Case managers, solicitors and insurers

For care packages arranged through medico-legal processes, we share documentation and clinical reports with the instructing case manager, solicitor or insurer as agreed under the terms of the relevant care package or contract, and only to the extent necessary.

IT and software providers (data processors)

We use trusted third-party systems to manage care records, communications and HR. These providers act as our data processors and are contractually required to process data only on our instructions, maintain appropriate security, and not use it for their own purposes.

Website analytics providers

Our website uses Google Analytics and Microsoft Clarity. These services process pseudonymous data about website behaviour. Full details and your cookie choices are in Section 10.

Legal and professional advisers

We may share information with our solicitors, accountants or insurers where necessary to obtain professional advice or defend a legal claim.

We never sell your personal data to any third party. We do not share personal data for commercial marketing purposes without explicit consent.


8. How long we keep your data

We retain personal data for no longer than is necessary for the purpose for which it was collected, and in line with legal, regulatory and professional guidance. Our key retention periods are set out below.

Type of record  |  Basis for retention period  |  Retention period
Adult care and clinical records (including care plans, risk assessments, medicines records, incident reports)  |  NHS Records Management Code of Practice 2021; CQC regulatory requirements; Limitation Act 1980  |  8 years from last entry (or until the person’s 26th birthday if 17 or under at last entry)
Children’s care and clinical records  |  NHS Records Management Code of Practice 2021  |  Until the individual’s 26th birthday (or 25 years after last entry if the record relates to a child who has died)
Mental capacity assessments and DoLS records  |  Mental Capacity Act 2005; CQC guidance  |  8 years from last entry
Safeguarding records  |  Local safeguarding procedures; Limitation Act 1980  |  Up to 10 years (or until the individual’s 26th birthday if a child was involved)
Complaints and incident records  |  CQC Regulation 16; Limitation Act 1980  |  8 years
Employment and HR records (current staff)  |  Employment law; HMRC; DPA 2018  |  Duration of employment + 6 years
DBS check records  |  DBS Code of Practice; ICO guidance  |  6 months from date of check (certificate number only retained thereafter)
Unsuccessful job applications  |  Legitimate interests; equality monitoring  |  6 months from decision
Commissioning and contract records (NHS, ICB, local authority)  |  Public contract law; Limitation Act 1980  |  7 years from contract end
Medico-legal case records (case managers and legal teams)  |  Limitation Act 1980; professional guidance  |  As specified in the relevant care package agreement, minimum 8 years from last entry
Website enquiry form submissions  |  Legitimate interests  |  2 years from date of enquiry
Website analytics data (Google Analytics, Microsoft Clarity)  |  Consent; see cookie table (Section 10)  |  As per individual cookie durations — see Section 10

At the end of the applicable retention period, personal data is securely deleted or anonymised. Where data is held in paper format, it is securely shredded.


9. Your rights

Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. Most rights can be exercised free of charge, and we will respond within one calendar month (which may be extended by a further two months for complex requests).

Right of access

You can request a copy of the personal data we hold about you (a Subject Access Request or SAR).

Right to rectification

You can ask us to correct inaccurate personal data or complete incomplete data we hold about you.

Right to erasure

You can ask us to delete your personal data in certain circumstances. This right does not apply where we are required to keep data by law — for example, clinical records or safeguarding records.

Right to restrict processing

You can ask us to limit how we use your data while a complaint or query is resolved.

Right to data portability

Where processing is based on consent or contract, you can ask us to provide your data in a structured, machine-readable format.

Right to object

You can object to processing based on legitimate interests, including any direct marketing. We will stop unless we can demonstrate compelling legitimate grounds.

Rights re. automated decisions

You have the right not to be subject to decisions made solely by automated processing that significantly affect you. We do not carry out such processing.

Right to withdraw consent

Where we rely on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, or to make a Subject Access Request, please contact us using the details in Section 14. We may need to verify your identity before we can respond.

Requests from third parties: If you are a family member, solicitor, case manager or advocate making a request on behalf of a service user, we will require appropriate authority (such as written consent from the individual, evidence of lasting power of attorney, or a court order) before releasing personal data.


10. Cookies and website analytics

What are cookies?

Cookies are small text files placed on your device when you visit a website. Some cookies are essential for the site to function. Others help us understand how visitors use the site so we can improve it. Under the Privacy and Electronic Communications Regulations 2003 (PECR) and the UK GDPR, we are required to obtain your consent before placing non-essential cookies on your device.

How we use cookies

Our website uses two analytics tools — Google Analytics and Microsoft Clarity — to understand how visitors interact with our site. Neither tool is used to identify you personally, and neither processes special category health data. Both tools are enabled only when you accept analytics cookies via our cookie consent banner.

Google Analytics provides aggregate data about site visits, page views and user journeys. Microsoft Clarity provides session recordings and heatmaps that show how visitors scroll, click and navigate, helping us identify usability issues.

IP anonymisation: Google Analytics is configured with IP anonymisation enabled, meaning your full IP address is never stored. Microsoft Clarity similarly anonymises IP data. You can opt out of analytics cookies at any time via our cookie preference centre [link] or by using browser settings.

Cookie table

Cookie name  |  Provider  |  Purpose  |  Category  |  Duration

Essential cookies — these are required for the website to function. They do not require consent.

wordpress_*  |  WordPress  |  Maintains your session when you log in to the website (admin users only). Not set for standard visitors.  |  Essential  |  Session
wordpress_test_cookie  |  WordPress  |  Tests that the browser accepts cookies. Deleted after the test.  |  Essential  |  Session
[consent cookie name]  |  CareLink Direct  |  Stores your cookie consent preferences so we do not ask again on each visit.  |  Essential  |  12 months

Analytics cookies — only set if you accept analytics cookies via our cookie banner.

_ga  |  Google Analytics  |  Registers a unique ID used to generate statistical data on how you use the website. Used to distinguish visitors.  |  Analytics  |  2 years
_ga_XXXXXXXXXX  |  Google Analytics  |  Used by Google Analytics 4 to persist session state across page views for the same measurement ID.  |  Analytics  |  2 years
_gid  |  Google Analytics  |  Registers a unique ID used to generate statistical data on how you use the website. Resets daily.  |  Analytics  |  24 hours
_gat  |  Google Analytics  |  Used to throttle request rate — limits the volume of data recorded on high-traffic sites.  |  Analytics  |  1 minute
_clck  |  Microsoft Clarity  |  Persists the Clarity User ID and preferences, unique to that site, on the browser. Ensures subsequent visits to the same site are attributed to the same user ID.  |  Analytics  |  1 year
_clsk  |  Microsoft Clarity  |  Connects multiple page views by a user into a single Clarity session recording.  |  Analytics  |  1 day
CLID  |  Microsoft Clarity  |  Identifies the first time Clarity saw this user on any site using Clarity. Stored in a cross-domain cookie.  |  Analytics  |  1 year
ANONCHK  |  Microsoft Clarity  |  Used to check if cookies are enabled in the browser and to register and report on page views.  |  Analytics  |  10 minutes
MR  |  Microsoft / Clarity  |  Indicates whether to refresh the MUID cookie. Used across Microsoft domains.  |  Analytics  |  7 days
MUID  |  Microsoft  |  Identifies unique web browsers visiting Microsoft sites. Used by Bing Ads and by Clarity as a unique user identifier.  |  Analytics / Tracking  |  1 year
SM  |  Microsoft  |  Used in synchronising the MUID cookie across Microsoft sub-domains.  |  Analytics  |  Session

Managing your cookie preferences

When you first visit our website, you will be shown a cookie consent banner. You can accept all cookies, accept essential cookies only, or manage your preferences in detail. You can change your choices at any time via our cookie preference centre [link].

You can also control cookies through your browser settings. Please note that disabling certain cookies may affect how the website functions. The following links explain how to manage cookies in the most common browsers:

To opt out of Google Analytics across all websites, you can install the Google Analytics Opt-out Browser Add-on. To learn more about how Microsoft Clarity handles data, visit the Microsoft Privacy Statement.


11. Transfers outside the UK

Some of our third-party service providers — including Google (Google Analytics) and Microsoft (Microsoft Clarity) — may process data on servers located outside the United Kingdom.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place. For transfers to the United States, Google and Microsoft participate in frameworks that provide an equivalent standard of protection to UK data protection law, including Standard Contractual Clauses approved by the ICO. We do not transfer clinical care records or identifiable health data to countries outside the UK without explicit lawful authority.


12. How we keep your data secure

We take the security of personal data seriously, particularly given the sensitive clinical nature of the information we handle. Our security measures include:

  • Access controls — personal data is accessible only to staff who need it to carry out their role, with role-based permissions
  • Staff training — all staff receive data protection and information governance training as part of induction, and refresher training is provided regularly
  • Device and system security — devices used to access care records are password-protected and encrypted where applicable
  • Secure disposal — paper records are shredded securely; digital data is deleted using appropriate methods
  • Data processor contracts — all third-party providers who process personal data on our behalf are required to have appropriate security measures in place, evidenced by written contracts
  • Incident reporting — any suspected data breach is investigated and, where required by law, reported to the Information Commissioner’s Office within 72 hours and to affected individuals without undue delay

Reporting a data breach: If you believe your personal data has been lost, disclosed without authority, or otherwise compromised, please contact us immediately using the details in Section 14 so we can investigate and take appropriate action.


13. Changes to this policy

We review this privacy policy at least annually and whenever there is a material change to how we process personal data. When we make significant changes, we will update the effective date at the top of this page. Where changes materially affect service users or their families, we will notify you directly.

We encourage you to review this policy periodically. The current version is always available on our website.


14. How to contact us

If you have any questions about this privacy policy, want to exercise your data protection rights, or wish to raise a concern, please contact us:

CareLink Direct — Data Protection Contact

By post

CareLink Direct
[Registered Address]
Worthing, West Sussex

By email

[privacy@carelink-direct.co.uk]

By telephone

[INSERT PHONE NUMBER]

Subject Access Requests

Please mark correspondence “Subject Access Request” and include proof of identity.

Complaints to the ICO

If you are unhappy with how we have handled your personal data and have not received a satisfactory response from us, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection supervisory authority. You can contact the ICO at ico.org.uk/make-a-complaint, by telephone on 0303 123 1113, or by post at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would, however, always welcome the opportunity to address your concern directly before you approach the ICO.