Hampshire County Council Children’s Social Care: Swanwick Lodge

Privacy Notice

Introduction

Hampshire County Council (HCC) is responsible for the management of Swanwick Lodge Children’s Home which provides a secure home, support and care for looked after children from across the country. In order to do this, HCC is required to collect and use your personal information.

This has been created to help explain why we collect this information, how long we keep this information for (retention period), what allows us to do this (the lawful basis), who we might have to share it with and what rights you have including how you can view the information held about you. (NB: we use the word “you” to refer to either the child receiving services or an adult acting on behalf of a child, such as a parent or carer).

Why do we collect and use information about you?

Hampshire County Council is responsible for any personal information we collect or receive, which under Data Protection Legislation makes us what is known as the ‘Data Controller’. We may collect this information either directly from you or it may be shared with us by someone else (a third party). This might be from a school, doctor, or another organisation that we work with or a service you use.

We collect and record information about the work we do and the people we are in contact with. This helps us to make decisions about the services we provide, ensures we comply with the law and means we can be held accountable for what we do.

We will use the information we collect for the purposes of:

  • providing necessary support to address your needs and keep you and your family safe
  • providing a service to you, and/or your family including responding to enquiries or concerns you may have
  • monitoring progress and impact of our services, including the production of management information
  • providing appropriate medical or pastoral care
  • providing information to other organisations under our statutory duties as your carer
  • reviewing, evaluating and improving the quality of our services and procedures and monitoring the impact our services have
  • complying with the submission of statutory returns; and
  • ensuring compliance with our obligations under the accuracy principle of the UK General Data Protection Regulation (Article (5)(1)(d)), making sure our records about you and your family are up to date

The following sections provide further detail around the information we process setting out what allows us to do this (lawful basis), who we may share it with, how long we keep it for (the retention period), alongside telling you about your rights in relation to your information.

The categories of information that we collect, hold and share

The following personal and special category information could be processed over the course of the placement:

  • Your personal information (such as name, address, date of birth, contact details) and information about your characteristics (such as ethnicity, gender, religion, language)
  • Your medical information to support your medical care such as prescription information or any medical conditions you may have or be at risk of developing
  • Information relating to your education
  • Information about your family’s background so we can establish how best to keep you safe
  • CCTV footage containing your image to comply with our legal obligations to co-operate with any relevant investigations and keep you and Swanwick Lodge staff safe
  • Information from professionals and agencies about you or your family in support of your care

The lawful basis on which we use this information

Under Data Protection Legislation we must have what is known as a ‘lawful basis’ for being able to process (collect, use, store and share) your personal information. The lawful basis that HCC will mostly use is called ‘Public Task’. This is where the law requires us to deliver certain services or support known as our ‘statutory functions’. Where we have a statutory function and need to process your information to achieve it, the ‘public task’ lawful basis allows us to do this. Even though we might have a lawful basis, we still need to make sure that the information we process is necessary, relevant, and proportional to the task we are completing.

Sometimes we must collect certain information about you which is considered more sensitive and is known as ‘Special Category’ information. This includes things such as your ethnicity, religion, or health information. If we process this type of information, we need another lawful basis from both the UK GDPR and the Data Protection Act (2018). We have listed the specific lawful basis we use under UK GDPR and the Data Protection Act (2018) we use below:

  • Article 6(1)(e) – the processing is necessary to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law;
  • Article 9(2) (g) – Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures; and
  • Sch.1, Pt.2, 1 – Substantial public interest conditions, for processing under the DPA2018

These articles under the GDPR and the DPA2018 are supported by the following specific legislation

  • Sections 10, 11 of the Children Act 2004
  • Sections 17 and 83 of the Children Act 1989
  • Section 7 of the Young People’s Act 2008
  • Section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013
  • The Local Authority Social Services Act 1970
  • Section 22(3)(a), S22(4) and (5), S27, S33 Children Act 1989
  • Care Planning Regulations 2010, Regulation 4
  • Section 14Z1(2) National Health Service Act 2006
  • Section 26 Health and Social Care Act 2012
  • Regulation 13(3)(f) Care Planning, Placement and Case Review (England) Regulations 2010
  • Regulation 7 Care Planning, Placement and Case Review (England) Regulations, 2010
  • Regulation 33(1) Care Planning, Placement and Case Review (England) Regulations 2010
  • Section1 Schedule 1 Care Planning, Placement and Case Review (England) Regulations 2010; and
  • The Equality Act 2010

By using the ‘Public Task’ lawful basis, this means we do not need your permission (your consent) to process your information, but we do need to tell you what we are doing with it. This is what this privacy notice sets out to do.

However, should any activity we undertake not have a ‘Public Task’ lawful basis, then we will explain this to you and inform you as to which lawful basis is being used, which may be to seek your clear and explicit consent.

Storing and Securing Data

Records are kept securely and will be held by us for a specified length of time, depending on the type of service that we have provided. If you were or are currently placed in the care Hampshire County Council, we keep records for 100 years from your date of birth. If you are in the care of another local authority they will be able to tell you the length of time they will hold your records.

The information provided to us will be held within the County Council’s social care case management system. The County Council’s social care case management system is hosted by the County Council in secure data centres based in the UK. Information is encrypted when in transit between County Council users of the system and the data centre the information is hosted within.

Relevant paper documents (such as handwritten letters, paper forms) will be scanned to create an electronic record and stored within the County Council’s Document Management System (DMS), with the paper version being destroyed. If the document is provided to us in an electronic format (such as an email or PDF), the electronic version will be used and uploaded to our DMS. The file will be linked to the record created in our social care case management system for reference.

The County Council’s DMS is hosted by the County Council in a secure UK based data centre, which is based on Hampshire County Council’s premises. The County Council takes its data security responsibilities seriously and has policies and procedures in place to ensure your personal data is:

  • prevented from being accidentally or deliberately compromised
  • accessed, altered, disclosed or deleted only by those authorised to do so
  • accurate and complete in relation to why we are processing it
  • continually accessible and usable with daily backups; and
  • protected by levels of security ‘appropriate’ to the risks presented by our processing

The County Council also ensures its IT Department is certified to the internationally recognised standard for information security management, ISO27001.

Who do we share information with?

Children’s Services may work with other organisations and agencies (such as GPs, Health services, schools/academies/colleges, other Local Authorities, voluntary or charitable organisations) to ensure that the right services can be made available to you.

In certain circumstances, the law requires us to share information with agencies. This can include the Police or Courts but also with central Government. If the law requires the County Council to share information with third parties, then we will usually use our public task lawful basis as explained above. All data provided to third parties is transferred securely.

Each case is unique, but the following list sets out which organisations we share information with should it be necessary, relevant and proportional for us to do so:

  • Health Services (including dentist and doctor’s surgeries)
  • Schools/academies/ colleges
  • Other Local Authorities
  • Voluntary or Charitable Organisations
  • Hampshire Constabulary and other Police Forces
  • Hampshire Fire Brigade
  • Hampshire Safeguarding Children Partnership
  • Working Together to Safeguard Children Statutory Partners
  • Hampshire Foster Carers?
  • Independent Foster Carers and Providers?
  • External overnight respite providers?
  • Care support providers
  • County Council and District Authorities services, such as public health, housing, sport, culture and leisure services, licensing authorities and youth services
  • Southampton Football Club
  • the British Transport Police
  • the National Probation Service and Community Rehabilitation Companies?
  • Prisons and Young Offender Institutions?
  • Directors of Secure Training Centres?
  • Secure Colleges?
  • Third party organisations undertaking research on the Council’s behalf e.g., Coram Voice?
  • Youth Offending Teams/Services

Requesting access to your personal data and your rights

You also have the right to:

  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by solely automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations

Please note that under the UK GDPR, there is a right to erasure but the right to erasure does not provide an absolute ‘right to be forgotten’

Where the information is being processed under the ‘Public Task’ lawful basis, this right does not automatically apply. You also have the right to request access to the records we hold about you and this is referred to as a Subject Access Request (SAR).

To make a request there is a form available, which has been created to assist you in helping you think about what information you are trying to obtain. The form can be requested from the Children’s Services SAR team or alternatively an electronic version of the form and further information about this process can be accessed online.

We have one month once any necessary checks have been completed to provide you with your records, however, we can extend this by a further two months if your request is complex or you make numerous requests but if this happens, we will write to you explaining this.

If factual details are wrong, we will change them when you give us evidence of the correct information. However, a disagreement in opinion would not be counted as factually inaccurate. If you disagree with what is written in the records, we will add your account of events to the file, but the existing entry would not be removed. If you wish to raise an issue with the accuracy of your records, you should contact [email protected] in the first instance.

We have one month to make any necessary changes to the records, and we will write to you to tell you what action has been taken, including if we are refusing the request.

Further information

For further information on how we handle personal information, your data rights, how to raise a concern about the way we are processing your information and the County Council’s Data Protection Officer, please see our General Privacy Notice or you can raise any concerns you have directly to the Information Commissioner’s Office, as the supervisory authority.