Privacy Policy

1. Who We Are

Accredilink Community Response Taskforce ("we", "us", "our") is a not-for-profit organisation providing domiciliary care, respite care, sit-in services, emergency response, palliative care, social care, training, and event medical services across Denbighshire, Conwy, and Wrexham in North Wales.

We are regulated by Care Inspectorate Wales (CIW) and registered with the Information Commissioner's Office (ICO).

Registered address: The Hummingbird, 27-29 High St, Denbigh LL16 3HY
Phone: 01824 538688
Email: enquiries@accredilinkcare.co.uk
Website: accredilinkcare.co.uk

For the purposes of data protection legislation, Accredilink Community Response Taskforce is the data controller.

2. What Personal Data We Collect

The types of personal data we collect depend on your relationship with us. We may collect the following categories of information:

Service users and their families

• Full name, date of birth, address, and contact details
• Next of kin and emergency contact information
• Health and medical information, including diagnoses, medication, allergies, and GP details
• Care needs assessments and personalised care plans
• Mental capacity assessments and best interests decisions
• Daily care records, visit notes, and incident reports
• Information about your social care funding (local authority, CHC, or self-funding)
• Dietary requirements, religious or cultural preferences, and language preferences (including Welsh language)
• Photographs (only with explicit consent, for identification or care purposes)

Staff and job applicants

• Full name, date of birth, address, and contact details
• National Insurance number and right-to-work documentation
• DBS (Disclosure and Barring Service) check results
• Social Care Wales registration details
• Qualifications, training records, and professional references
• Employment history and CV
• Health information relevant to fitness to work
• Bank details for payroll purposes
• Emergency contact details

Website visitors

• Information you provide through our contact form (name, email, phone, message)
• Technical data such as IP address, browser type, and pages visited (see our Cookie Policy)

Enquiries and referrals

• Name, contact details, and nature of your enquiry
• Information about the person requiring care (if making a referral on behalf of someone else)

3. Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful basis for processing your personal data. We rely on the following bases depending on the context:

• Contract: Processing is necessary for the performance of a care contract with you, or to take steps at your request before entering into a contract (Article 6(1)(b)).
• Legal obligation: Processing is necessary to comply with our legal obligations, including those under CIW regulations, the Social Services and Well-being (Wales) Act 2014, health and safety legislation, employment law, and safeguarding duties (Article 6(1)(c)).
• Vital interests: In an emergency, we may process your data to protect your life or the life of another person (Article 6(1)(d)).
• Legitimate interests: Processing is necessary for our legitimate interests, such as improving our services, training, quality assurance, and marketing (where this does not override your rights) (Article 6(1)(f)).
• Consent: Where none of the above bases apply, we will ask for your explicit consent before processing your data. You have the right to withdraw consent at any time (Article 6(1)(a)).

Special category data

Health and medical data is classified as "special category data" under UK GDPR and receives additional protections. We process this data on the following basis:

• It is necessary for the provision of health or social care (Article 9(2)(h))
• It is necessary for safeguarding purposes, to protect a vulnerable individual (Article 9(2)(c))
• You have given explicit consent (Article 9(2)(a))

4. How We Use Your Data

We use personal data for the following purposes:

• To assess your care needs and create a personalised care plan
• To deliver safe, effective domiciliary care and related services
• To manage your care on an ongoing basis, including reviews and updates
• To administer medication safely and maintain accurate records
• To communicate with you, your family, and relevant healthcare professionals
• To fulfil our regulatory obligations to Care Inspectorate Wales
• To comply with safeguarding duties and report concerns to the relevant authorities
• To process invoices, direct payments, and local authority or NHS funding
• To manage our workforce, including recruitment, training, supervision, and payroll
• To respond to enquiries and referrals
• To investigate complaints, incidents, and near-misses
• To improve the quality of our services through audit and quality assurance
• To maintain the security and functionality of our website

5. Who We Share Your Data With

We will never sell your personal data. We may share your data with the following parties where it is necessary and lawful to do so:

• Care Inspectorate Wales (CIW): As our regulator, CIW may access care records during inspections and investigations.
• Local authorities (Denbighshire, Conwy, Wrexham): Where your care is funded or commissioned by the local authority, or where we have safeguarding concerns.
• NHS Wales / Betsi Cadwaladr University Health Board: Where your care involves NHS Continuing Healthcare, or where we need to share information with your GP, district nurses, or hospital teams for your care.
• Social Care Wales: In relation to staff registration and fitness-to-practise matters.
• Safeguarding teams: Where we have concerns about abuse, neglect, or exploitation, we have a legal duty to share information with local authority safeguarding teams and, where necessary, the police.
• Emergency services: In an emergency, we will share relevant information with paramedics, hospital staff, and the police.
• IT and software providers: Our care management system and IT providers process data on our behalf under strict data processing agreements.
• DBS and referencing services: For staff recruitment and vetting.
• HMRC: For payroll and tax obligations.
• Professional advisors: Including our legal and insurance advisors, where necessary.
• Public Services Ombudsman for Wales: If you make a complaint that is escalated to the Ombudsman.

All third parties who process data on our behalf are required to have appropriate security measures in place and to process data only in accordance with our instructions and applicable data protection law.

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our retention periods are as follows:

• Adult care records: Retained for 8 years after the last entry, or 3 years after the death of the service user (whichever is later), in line with NHS Wales and social care guidance.
• Safeguarding records: Retained for a minimum of 35 years, or indefinitely where abuse has been alleged or established.
• Staff employment records: Retained for 6 years after employment ends.
• Unsuccessful job applications: Retained for 6 months after the recruitment process concludes, then securely destroyed.
• Financial records: Retained for 7 years as required by HMRC.
• Complaint records: Retained for 10 years.
• Website enquiry data: Retained for 2 years, then securely deleted.

When personal data is no longer needed, it is securely deleted or destroyed in accordance with our data disposal procedures.

7. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

• Right of access: You can request a copy of the personal data we hold about you (known as a Subject Access Request or SAR).
• Right to rectification: You can ask us to correct any personal data that is inaccurate or incomplete.
• Right to erasure: You can ask us to delete your personal data in certain circumstances (the "right to be forgotten"). This does not apply where we are legally required to retain the data.
• Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
• Right to data portability: You can request that we transfer your data to another provider in a structured, commonly used format.
• Right to object: You can object to our processing of your data where we rely on legitimate interests as our lawful basis.
• Rights related to automated decision-making: You have the right not to be subject to decisions based solely on automated processing. We do not currently use automated decision-making in our care services.

To exercise any of these rights, please contact us at:

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

8. Data Security

We take the security of your data seriously. We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encrypted electronic storage and secure access controls
• Password-protected systems with role-based access permissions
• Secure, locked storage for paper records
• Regular security assessments and software updates
• Mandatory data protection training for all staff
• Data processing agreements with all third-party IT providers
• Incident and data breach response procedures

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and will inform you directly where required.

9. Cookies

Our website uses cookies to ensure it functions correctly and to improve your experience. For full details of the cookies we use, how we use them, and how you can manage your cookie preferences, please see our Cookie Policy.

10. International Data Transfers

We do not routinely transfer personal data outside the United Kingdom. Where any data processing involves a transfer outside the UK (for example, through cloud-based software providers), we ensure that appropriate safeguards are in place, including adequacy decisions, standard contractual clauses, or binding corporate rules, as required by UK GDPR.

11. Children's Data

Our care services are primarily provided to adults. We do not knowingly collect personal data from children through our website. Where we do process children's data (for example, where a care user's family includes minors as next of kin), we do so in accordance with UK GDPR requirements and with appropriate safeguards.

12. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. The latest version will always be available on this page with the date of the last update shown at the top. We encourage you to review this policy periodically.

Where changes are significant, we will make reasonable efforts to notify affected individuals directly.

13. Contact Us

If you have any questions about this privacy policy or how we handle your personal data, please contact us:

• Email: enquiries@accredilinkcare.co.uk
• Phone: 01824 538688
• Post: Accredilink Community Response Taskforce, The Hummingbird, 27-29 High St, Denbigh LL16 3HY

You can also use our contact form to get in touch.