General Privacy Statement

Protecting Privacy, Supporting Simply Good Care

At Harbour Healthcare, protecting your privacy is at the heart of everything we do. With homes across England and Wales, we handle your personal information with the highest standards of care, fully in line with UK GDPR and the Data Protection Act 2018.

We collect and use your information for clear, lawful purposes and take all measures to keep it secure. Transparency and accountability are central to our approach — we want you to understand how your data is collected, used, shared, and safeguarded.

We use your information to provide employment, deliver care, and support residents with kindness and person-centered attention. This statement explains how your personal information is processed, stored, and protected.

Data Controller

Harbour Healthcare Ltd is the data controller responsible for your personal information. Each home may hold individual registrations with the Information Commissioner’s Office (ICO).

Data Protection Officer (DPO):
Sarah Campbell – DPO
The Lodge House, Dodge Hill, Heaton Norris, Stockport, Cheshire SK4 1RD
Email: DPO-GDPR@harbourhealthcare.co.uk

Regulation and Compliance

Our services are regulated by the Care Quality Commission (CQC) in England and the Care Inspectorate Wales (CIW). We follow strict data protection standards to keep your information secure and your rights protected.

Contents

1. What is Personal Data?
2. What Information Do We Collect About You?
3. How Do We Use Information About You?
4. Sharing Your Personal Information
5. Sharing Your Information via DCCR & Connect GP (PCS)
6. Do I Have to Consent?
7. Your Information Rights
8. Accessing Personal Data / Care Records
9. Will We Send Your Information Outside the UK?
10. How Long Will We Keep Your Information?
11. How Do We Keep Your Information Secure?
12. CCTV Use
13. Social Media & Marketing
14. Safeguarding, Coroners, and Legal Access
15. Data Breach Procedure
16. How to Contact Us
17. Complaints
18. Organisations We Work With

1. What is Personal Data?

Personal data is any information that can identify you, directly or indirectly. This includes name, contact information, identification numbers, visual images, or other unique identifiers.

2. What Information Do We Collect About You?

We may collect information when you visit, work, or interact with our homes. This may include:

• Name, address, telephone, email
• Employment details (employer, job role)
• Emergency contact details
• Visual images (ID documents, CCTV footage)
• Correspondence (letters, emails, calls)
• Dates and times of visits or interactions

Special Category / Sensitive Data:

• Health and medical information
• Cultural, religious, or spiritual beliefs
• Sexual orientation and gender identity, where relevant for care, safeguarding, or equality monitoring
• Criminal convictions and offences, where required by law or safeguarding
• Safeguarding incidents or reports

We only collect sensitive information when necessary and in line with the law.

3. How Do We Use Information About You?

We may use your information to:

• Record visits or employment interactions
• Communicate about care, visits, or employment
• Comply with legal and regulatory obligations
• Assist investigations by police, safeguarding teams, or coroners
• Maintain the safety and wellbeing of residents, staff, and visitors

Legal Basis for Processing:

• Contractual obligations
• Legal compliance (regulatory, safeguarding, coroners)
• Protecting life or health
• Public interest (safeguarding, care standards)
• Legitimate business interests (safe and well-managed homes)
• Consent (optional marketing or photography)

Special Category Data:

• Health or social care provision
• Safeguarding
• Public health reasons
• Explicit consent

4. Sharing Your Personal Information

We may share data with:

• NHS organisations, including Connect GP (PCS)
• Devon and Cornwall Care Record (DCCR)
• Local authorities and safeguarding teams
• Coroners, police, or legal representatives
• Regulators: CQC, CIW, Social Care Wales, DBS, HSE, ICO, NMC
• Approved suppliers and contractors under strict data protection agreements

We do not sell personal data or use it for marketing without consent.

5. Sharing Information via DCCR & Connect GP (PCS)

Some health and care information may be shared securely via DCCR or Connect GP (PCS) to support continuity of care, reduce duplication, and improve safety.

More information is available on the DCCR public website.

6. Do I Have to Consent?

Consent is only required where you have a genuine choice, such as optional marketing, surveys, or photographs. Refusal does not affect core care or employment services.

7. Your Information Rights

Under UK GDPR, you can:

• Be informed about how your data is used
• Access copies of your data
• Correct inaccuracies
• Request deletion where lawful
• Restrict or object to processing
• Request data portability (where applicable)

Requests are handled by the DPO within legal timeframes.

8. Accessing Personal Data / Care Records

Care records may include staff names and roles involved in care or services. Unrelated staff information will not be shared. Records can be requested in paper or electronic form. Proof of identity may be required.

9. Will We Send Your Information Outside the UK?

Data is generally stored in the UK. Transfers outside the UK use appropriate safeguards, such as standard contractual clauses.

10. How Long Will We Keep Your Information?

Information is retained only as long as necessary for legal obligations or the purpose for which it was collected.
Full details are available in our Records Retention and Destruction Policy on our website alongside the privacy policies.

11. How Do We Keep Your Information Secure?

• Encryption and secure storage
• Strong access controls and password protection
• Regular audits and monitoring
• Confidentiality and data use policies

12. CCTV Use

CCTV may be used in communal and external areas for safety and security. CCTV is not in all homes and never in private areas. Footage is accessed only by authorised staff and may be shared with Police, local authorities, regulators, or legal representatives where lawful. Clear signage is displayed.

13. Social Media & Marketing

• We may share updates about our homes or services on social media
• Residents, visitors, or staff photos will never be posted without consent
• Marketing communications require explicit opt-in

14. Safeguarding, Coroners, and Legal Access

Information may be shared with:

• Safeguarding teams, multi-agency hubs, and local authorities
• Coroners and their officers
• Police or emergency services
• Legal representatives or solicitors
• Regulatory bodies, as required by law

15. Data Breach Procedure

Breaches will be managed according to GDPR and the Data Protection Act 2018. Affected individuals and the ICO will be notified where required. Contact the DPO for concerns.

16. How to Contact Us

Sarah Campbell – Data Protection Officer (DPO)
Harbour Healthcare Ltd
The Lodge House, Dodge Hill, Heaton Norris, Stockport, Cheshire SK4 1RD
Email: DPO-GDPR@harbourhealthcare.co.uk

17. Complaints

If unhappy with how your data is handled, contact the DPO first. You also have the right to complain to the ICO: ICO Complaints

18. Organisations We Work With

Data may be shared with:

• Local authorities in England and Wales
• Law enforcement (police)
• Regulators (CQC, CIW, DBS, Social Care Wales, HSE, ICO, NMC)
• NHS organisations (Connect GP, DCCR, hospitals, ICBs, GP surgeries)
• Approved suppliers and contractors
• Legal representatives or solicitors where necessary

Harbour Healthcare is not responsible for third-party privacy statements; contact these organisations directly for queries.

Harbour Healthcare | Version 1.0 | January 2026 – January 2027