NEWCROSS HEALTHCARE PRIVACY NOTICE

We are committed to protecting and respecting your privacy and ensuring the security of your personal and health information.

Last updated July 2024

This notice provides an outline of when and why we collect personal information, how we use it and the conditions under which we may disclose it to third parties. It is important that you read this notice together with any specific notices that are applicable to your context.

If you have any questions regarding this notice or our privacy practices in general, please email us at dataprotection@newcrosshealthcare.com.

Legal Information

Newcross Healthcare Solutions Limited is a company incorporated in England and Wales under number 03184321 whose registered office is at 5th Floor, 48 Chancery Lane, London, United Kingdom, WC2A 1FJ.

This notice is issued on behalf of the Newcross Healthcare group of companies, so when we mention “Newcross Healthcare”, “we”, “us” or “our” in this privacy notice, we are referring to the relevant company in the Newcross Healthcare Group responsible for processing your data. Newcross Healthcare is the controller, and responsible for this website. This means we decide how your personal data is processed and for what purposes.

What is personal data?

Personal data relates to an individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into its possession.

The processing of personal data in the UK is governed by the General Data Protection Regulation 2016/679 (the “GDPR”) as incorporated into UK law, the Data Protection Act 2018 (“DPA”) and also by the Privacy and Electronic Communications (EC Directive) Regulations 2003.

Contact details of the Data Protection Officer (‘DPO’)

If you have any queries or questions about this notice then please contact our DPO by emailing dataprotection@newcrosshealthcare.com.

What personal data do we collect and how do we collect it?

One of the purposes of this Privacy Notice is to explain how we collect and process personal data. We collect information primarily when you:

  • Visit one of our websites

  • Receive healthcare and social care services from us directly or indirectly through other institutions

  • Subscribe to our service through your institution

  • Contact us directly, e.g. using email, chat, contact forms or contact centre

  • Request marketing information to be sent to you

  • Participate in an online survey

  • Participate in research

  • Submit a job application

  • Provide data to us as part of our employment onboarding process and subsequent operational processes

  • Provide us feedback

  • Visit one of our office locations

  • Participate in our outreach activities

We encourage you to read this Privacy Notice. It has been written to ensure you understand how we collect information, how it is safeguarded, what is collected, how it is processed, where it is processed, with whom we may share it, and your rights under the law.

We collect and process a range of information about you. This includes:

CRM data of Institutional Customer Contacts and Authorised contacts of certain Care Recipients:

  • Includes your name, photo and contact details via email address and telephone number;

Profile and Skills data of Health Care workers and employees in other roles:

  • Includes your photo, name, grade, length of service with Newcross, Vaccination status (like Covid19, Flu, MMR, Hepatitis B), Skills and training data, Environment experience data, Clearance to work data (ID checks, Right to work, DBS checks), Professional registration details (like SSSC);

Healthcare data of Care Recipients:

  • Includes your name, photo, contact details, demographic details, health details,

  • any contact including a record of the correspondence, call recordings.

Online Interaction data:

  • Includes your IP address, operating system and browser type, your traffic data, location data, weblogs and other communication data, the resources that you access and how you interact with the resources.

Interaction data:

  • any contact including a record of the correspondence, call recordings, image captured in outreach activities or through surveillance systems.

We collect this information in a variety of ways. For example, data is collected through online forms, mobile app, website cookies, correspondence with you, subscription to our newsletters and event registrations.

To enable the provision of health care services, we may also collect and process other personal data to enable the performance of the contract between you and us. This will be communicated and agreed through specific contract documentation and/or specific privacy notices.

Some of the specific privacy notices are listed below; you can access them via Our policies | Newcross Healthcare.

  1. If you are a contact of our client

  2. If you are a HealthForceGo mobile app user

  3. If you are a community care recipient (service user) served by Newcross Healthcare directly

  4. If you are a job seeker

  5. If you are part of our work force

  6. If you interact with our contact centre

In some cases, we collect personal data about you from third parties, which includes, among others, clients, regulators, law enforcement agencies, background search firms, analytics providers, lead generation companies, hiring platforms, research partners, outreach partners, and event organisers.

We do collect special categories of personal data about you, specifically information about your health as a health care provider, and we do collect information about criminal convictions and offences as part of our hiring and operational process.

How do we process your personal data?

We comply with our obligations under the DPA and GDPR by keeping personal data up to date (subject to your notification of any required updates to your personal data); by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting personal data from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data.

We use your personal data for the following purposes:

  • To operate this website and deliver the services that customers have requested;

  • To undertake profiling to enable us to improve the customer experience and tailor the information we provide;

  • To carry out our obligations arising from any contracts entered into between you and us;

  • To provide health and social care services to you and handle the entire operation lifecycle related to it;

  • To meet our legal and regulatory obligations;

  • To inform individuals about our services which we believe may be of legitimate interest to you;

  • To inform individuals of news, events, activities or services running throughout the year;

  • To contact individuals via surveys to conduct research about their opinions of current services or of potential new services that may be offered;

  • To notify you about changes to our services;

  • To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);

  • To monitor and store communications including email correspondence for the purpose of ensuring compliance with laws, policies and auditing;

  • To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you;

  • To use data analytics to improve our website, services, marketing, customer relationships and experiences;

  • If you are a customer, supplier, employee, contractor or user of our services, then we may use your personal data for other purposes that are described in other privacy notices available on the website or through specific contract documentation.

Lawful Basis for Processing Your Data.

At Newcross Healthcare, we are committed to processing your personal data only within the parameters allowed by law. We will typically only use your data in the following situations:

  • when you provide us with consent to process your personal data, which you may revoke at any time and for any reason;

  • when it is necessary for our legitimate interests;

  • when we need to comply with legal or regulatory requirements; and

  • when we need to fulfill our obligations to provide the contracted services.

We have provided a table below that outlines the different ways we may use your personal information, with each use tied to a legal basis for processing. Where appropriate, we have also indicated where we have a legitimate interest to process your data.

Processing Activity: Requesting information and relationship management including emails to us, requests for marketing information, enquiries about services, responding to feedback, notifying you about changes to our terms and conditions, notifying you about changes to our privacy notice, sending you communication through our newsletters and news bulletins, asking you to update your contact information, communicating with you about our service.

Personal Data: Identity data, contact data, communication data and marketing preferences of Customer’s staff and Service Users.

Lawful Basis:

  • Article 6(1)(b), Performance of a Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

  • Article 6(1)(c), Legal Obligation: The processing is necessary for us to comply with the law (not including contractual obligations).

  • Article 6(1)(f), Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Processing Activity: Provide health or social care service which covers the entire operation lifecycle starting with making a booking, identifying the health care staff, approving the assigned staff, provision of care, providing feedback and approving timesheet.

Personal Data:

  • Professional profile and Health details of our health care staff.

  • Health details of our care recipients.

Lawful Basis:

  • Article 6(1)(a), Consent: The individual has given clear consent to process personal data. This basis is applicable for certain community care recipients who provide consent to NHS to enable us to view their data using NHS GP Connect.

  • Article 6(1)(b), Performance of a Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

  • Article 9(2)(h), provision of health or social care.

Processing Activity: Service desk support for the service.

Personal Data:

  • If working with our service desk to troubleshoot an issue, we may also gather information about the type of computer systems you use, including associated devices such as microphones and video cameras as these are relevant to the services offered. The information may also include your IP address, operating system, browser type, language preferences, and other relevant details to help us ensure your service is working correctly.

  • The communications you have with our contact centre will be recorded for training and quality assurance purposes. If you do not wish to be recorded, you may have to ask for a callback and disconnect the call.

Lawful Basis:

  • Article 6(1)(b), Performance of a Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

  • Article 6(1)(f), Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. For instance, this basis is applicable for Call recording.

  • Article 6(1)(a), Consent: The individual has given clear consent to process personal data for a specific purpose. This basis is applicable only for text messages sent by service desk.

Processing Activity: Website and User Behavioural analytics.

Personal Data:

  • Please be informed that we use a third-party analytics service called Google Analytics to collect, analyze and tally metrics regarding website visits. Analytics help us to determine many things, including the quantity of visitors over time, the geographic location from which visitors arrive, timeframes of high and low usage, the sites most frequented, the pages most frequented, and other helpful data. The Company processes data in ways to ensure individual identity is not stored, only anonymous metrics. Furthermore, it is forbidden for Google to determine, or attempt to determine, the identity of individuals visiting our websites, and this anonymity is inherited by Newcross Healthcare.

  • Our mobile app, Health Force Go, uses Pendo and Firebase for user behavioural analytics.

Lawful Basis:

  • Article 6(1)(f), Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Processing Activity: Recruitment process and Employment. This includes all applicant and employee engagement activities.

Personal Data: Personal data including demographics, contact information, grades, certifications, CVs, general data, tests, other government issued identity documents, health details, vaccination details, professional registration details, right to work details, Criminal and other background Checks.

Lawful Basis:

  • Article 6(1)(a), Consent: The individual has given clear consent to process personal data for a specific purpose. This basis is applicable for job applicants when we do criminal background checks.

  • Article 6(1)(b), Performance of a Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.

  • Article 6(1)(f), Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. This basis is applicable for employees.

  • Article 9(2)(b), obligations of employment law: This is applicable to processing diversity and health data of our staff.

  • Article 9(2)(h), provision of health or social care: This is applicable for handling professional profile, health and vaccination details of our health care staff.

  • Article 9(2)(g), substantial public interest: This is applicable in relation to performing criminal and other background checks of our health care staff.

Processing Activity: Market research and User surveys aimed at designing and improving our services.

Personal Data: Research data as designed by the concerned researcher, and it may involve health data of the research participants.

Lawful Basis:

  • Article 6(1)(a), Consent: The individual has given clear consent to process personal data for a specific purpose.

  • Article 6(1)(f), Legitimate Interests.

Processing Activity: Employee Outreach activities which involve publishing Newsletters and other content through emails and other online media.

Personal Data:

  • Professional profile (including photo and video) and Health details of our health care staff.

  • Identity (including photo, video) and Health details of our health care recipients.

Lawful Basis:

  • Article 6(1)(a), Consent: The individual has given clear consent to process personal data for a specific purpose.

  • Article 6(1)(f), Legitimate Interests.

Processing Activity: Customer Marketing and Outreach activities which involve publishing Newsletters and other content through emails and other online media.

Personal Data:

  • Professional profile (including photo and video) and Health details of our health care staff.

  • Identity (including photo, video), Contact and Health details of our health care recipients and contact details of the representatives of care recipients.

Lawful Basis:

  • Article 6(1)(a), Consent: The individual has given clear consent to process personal data for a specific purpose.

  • Article 6(1)(f), Legitimate Interests.

Automated decision making and profiling

Newcross Healthcare reserves the right to use AI (Artificial Intelligence) and non-AI based computational logic to automate its operations and shall provide just-in-time privacy notices where relevant.

Newcross Healthcare performs auto allocation of staff to client bookings based on an algorithm that matches staff’s work preferences, client’s preferences, named individual exclusions, staff pullouts, clients’ job needs (including gender) with staff’s profile, skills and availability.

Newcross Healthcare uses bots in its contact centre to respond to your queries and to perform initial triaging on routing your requests to appropriate contacts within the contact centre.

Profiling is undertaken through the use of analytics in pursuance of our legitimate interests and as outlined in the section How do we process your personal data? above.

Cookies

Our website uses cookies to make our site work and to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve it. Please see our Cookie Notice for details: https://www.newcrosshealthcare.com/cookie_policy/

Categories of recipients

Your personal data will be treated as strictly confidential and will only be shared with the recipients detailed below for the purpose stated.

  • Customer contacts of our Institutional clients – to enable them to hire you for their open staffing needs

  • Authorised contacts of certain care recipients – to communicate on your behalf with us.

  • Marketing communication facilitators – to keep you updated on our products and services;

  • Online advertising providers – to keep you updated on our products and services;

  • Website engagement companies (e.g. live chat) – to help us to assist you and respond to your queries;

  • Analytics providers – to help us improve your online experience;

  • Third parties for joint promotions with that party – to help us organise events;

  • Third Parties acting as our processors or service providers – to enable us to provide the services;

  • Third Parties acting as processors or service providers of our Institutional Clients – to enable us to support the Clients’ operations;

  • Companies within the Newcross Healthcare Group – to support the overall provision of our products and services;

  • Fraud prevention agencies – to prevent fraud;

  • Alternative dispute resolution – for complaint escalation;

  • Law enforcement agencies, government bodies, regulatory organisations, courts or other public authorities – where required by law.

Transfers outside of the UK and Safeguards for International transfers

Your data may be transferred to countries outside the UK in instances where we are required to transfer your data to another member of the Group for any of the purposes listed at How do we process your personal data? above, where our or our recipients’ servers used for storing personal data are based outside of the UK.

If you use our services whilst you are outside of the UK, your data may be transferred outside the UK in order for us to provide you with those services.

Data will be transferred outside of the United Kingdom (as appropriate) only where a declaration of adequacy and Data Protection Agreement or equivalent agreement is in place. If the country to which the data is to be transferred has no declaration of adequacy in place, then we will request the third party to enter into a legal agreement that reflects those standards through the use of the UK International Data Transfer Agreement (IDTA).

Security, Compliance and Certification Assurance.

At Newcross Healthcare, we have a security and compliance team actively working to keep your information protected, auditing the security posture and improving safeguards from unauthorized access, accidental loss, disclosure or destruction. Toward this, we employ physical, technical, and administrative safeguards to protect the personal information we collect and process. Administrative and organisational policies and procedures are documented in the Information Security Management System (ISMS) where appropriate controls are designed to maintain an adequate level of data confidentiality, integrity and availability. Newcross Healthcare has ISO/IEC 27001 certification.

Your Data Protection Rights.

Under the GDPR, you have the ability to exercise via the DPO the following rights with respect to your personal data:

  • Request access to your personal data (commonly known as a “data subject access request, SAR, or DSAR”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no lawful reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), if it is shown we have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • Request restriction of processing of your personal data. You have the right to request that we restrict the processing of your personal data in certain circumstances, limiting the way we use your data. This may be because you have issues with the content of information we hold, its accuracy, or how it is processed.

  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  • Object to automated decision-making including profiling. You have the right to not be subject to a decision based solely on automated processing. Processing is “automated” where it is carried out without human intervention and where it produces legal effects or significantly affects you.

  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

If you or your representative wish to exercise any of the above rights, please contact us at dataprotection@newcrosshealthcare.com.

You will not have to pay a fee to access your personal data or to exercise any of your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

In exercising these rights, we may need to request specific information from you to help us confirm your identity and ensure the right to access your personal data or to exercise any of your rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to clarify or speed up our response. We aim to respond to all legitimate requests within the timeframes set by applicable laws and regulations.

If we wish to use your personal data for a new purpose that is not covered by this privacy notice and which is incompatible with the purposes described in this notice, then we will provide you with a new notice explaining this new use prior to commencing the processing and setting out the relevant purposes and processing conditions. Where necessary, we will seek your prior consent to the new processing.

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

You can ask us to delete your data and we shall address it in a timely manner, subject to legal and regulatory obligations and keep you informed of it. We may anonymise your personal data so that it can no longer be associated with you for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Links to Third party websites

Our Website may also contain links to websites of third-parties. We have no control over the content or operation of these websites, nor do we control the confidentiality or privacy practices of the website operators. Consequently, any personal information you submit through such website is governed by the privacy policies of the website in question. It is therefore your responsibility to find out about the third-party policies in order to protect your personal information when visiting these third-party websites.

Right to lodge a complaint with ICO

To exercise all relevant rights, or for queries, please in the first instance contact us on the contact details provided above.

Should you have a concern about our information rights practices, you have the right to complain directly to our supervisory authority, the ICO.

Their address and contact details are as follows:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.

Alternatively, you can email them via the following link: Contact us | ICO

Contact details for data protection authorities in the European Economic Area are available at https://edpb.europa.eu/about-edpb/board/members_en

For other countries please contact our DPO at dataprotection@newcrosshealthcare.com.

Your Obligations

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. 

We also expect you to honour the privacy rights of individuals whom you interact with. A few instances are noted here; the list is not exhaustive. Please obtain consent from our Care Providers before taking their picture. Please anonymise the public feedback you submit online about Newcross Healthcare staff so that it does not identify the individual and hurt their interests.

Updates to this Notice

We may update this notice from time to time in response to changing legal, technical or business developments.

When we update our notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make. 

You can see when this privacy notice was last updated by checking the “last updated” date displayed at the top of this privacy notice.

Copyright © Newcross All rights reserved. Newcross Healthcare Solutions Ltd, Registered in England No 3184321
