1. Purpose
Vantage Health Protection Ltd is committed to protecting the personal data of Service Users, employees, and other stakeholders. This policy outlines our approach to ensuring compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Vantage Health Protection Ltd recognizes its duty of confidentiality to Service Users and staff. Respecting an individual’s right to a private life, including confidentiality, ensures a trusting, caring, and supportive environment where both Service Users and staff are confident that their information will be securely protected and not shared unnecessarily or inappropriately.
It is our policy to share information only in the best interest of Service Users and with their consent. Information sharing will align with the UK GDPR, Data Protection Act 2018, Mental Capacity Act, and our Best Interests policies and procedures.
We aim to comply with all relevant legislation and adopt the Caldicott Principles.
2. Scope
This policy applies to all employees, contractors, and third parties processing personal data on behalf of Vantage Health Protection Ltd. It includes provisions for handling data collected through Indeed and other systems used for recruitment and business operations.
3. Policy Statement
3.1 Commitment
- Vantage Health Protection Ltd is dedicated to ensuring personal data is processed lawfully, fairly, and transparently.
- The organization safeguards data subjects’ rights, including access, rectification, erasure, and objection.
3.2 Principles of Data Processing
All personal data must be:
- Processed lawfully, fairly, and transparently.
- Collected for specific, explicit, and legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Retained only as long as necessary.
- Processed securely to protect against unauthorized access or loss.
4. Responsibilities
4.1 Data Protection Officer (DPO)
Vantage Health Protection Ltd understands that a DPO is required if the organization:
- Conducts large-scale processing of special categories of data.
- Engages in regular and systematic monitoring of data subjects.
- Is a public authority or body.
4.2 Appointment of a DPO
If required, the DPO will:
- Be appointed based on professional qualities and knowledge of data protection law and practices.
- Monitor compliance, advise on Data Protection Impact Assessments (DPIAs), and act as the contact point with the ICO and data subjects.
- Be independent in their role and report directly to senior management.
4.3 Privacy Officer (If DPO Is Not Required)
If Vantage Health Protection Ltd does not require a formal DPO, a Privacy Officer will be nominated to oversee day-to-day data protection compliance. The Privacy Officer will:
- Handle data subject requests and breaches.
- Provide advice and guidance on UK GDPR compliance.
- Liaise with external advisors if necessary.
4.4 Employee Responsibilities
All staff must:
- Process personal data only as instructed.
- Report data breaches or concerns immediately.
- Complete mandatory data protection training.
5. Special Categories of Data
5.1 Definition
Special categories of data include information on race, health, religious beliefs, and other sensitive details.
5.2 Processing Special Categories of Data
If Vantage Health Protection Ltd processes special categories of data, it will:
- Conduct DPIAs before starting processing.
- Ensure data is processed only for legitimate purposes, such as delivering health and social care services.
6. Regular and Systematic Monitoring
6.1 Definition
Regular and systematic monitoring involves tracking and profiling individuals, such as monitoring website usage or fitness data from wearable devices.
6.2 Compliance
If Vantage Health Protection Ltd engages in regular monitoring, it will ensure:
- Transparency with data subjects about monitoring practices.
- Compliance with data protection principles, particularly lawful processing and data minimization.
7. Recruitment Data via Indeed
7.1 Data Collection
Recruitment data collected via Indeed may include:
- Personal information (e.g., name, contact details, CVs).
- Employment history and qualifications.
7.2 Data Use and Retention
- Recruitment data will be processed solely for hiring decisions.
- Retention periods will comply with legal requirements and internal policies.
7.3 Candidate Rights
Candidates can:
- Request access to their data.
- Request corrections or deletions where appropriate.
- Object to data processing for legitimate reasons.
8. Handling Data Breaches
8.1 Reporting Breaches
- All data breaches must be reported immediately to the DPO or Privacy Officer.
- Serious breaches will be assessed and, if necessary, reported to the ICO within 72 hours.
8.2 Confidentiality in Breaches
Staff involved in breaches may face disciplinary action if found negligent.
9. Data Security and Quality
9.1 Secure Record Keeping
- All records must be stored securely and be accessible only to authorized personnel.
- Written records must be shredded after the appropriate retention period.
9.2 Anonymization and Pseudonymization
- Anonymized data will be used where possible.
- Pseudonymization may be applied where identifiable data needs to be secured but retained for operational purposes.
10. Social Media Use
Staff are prohibited from discussing Service Users, employees, or the company on social media platforms. Breaches of this rule may lead to disciplinary action.
11. Monitoring and Review
This policy will be reviewed annually or as required by legal changes. Continuous improvement measures will include regular audits and staff training sessions.
12. Compliance with ICO Requirements
- Vantage Health Protection Ltd will register as a data controller with the ICO.
- The organization will fully cooperate with ICO audits or investigations.
13. Accessibility
- This policy will be made available to all employees via internal systems.
- Updates will be communicated promptly to staff.