Your privacy

Statement of Commitment

Focus Independent Adult Social Work CIC is committed to protecting and respecting your privacy. As a Community Interest Company providing statutory social care services, we are entrusted with sensitive and personal information about the people we support, our staff, and our partners. We take this responsibility seriously and adhere to the highest standards of data protection and confidentiality.

Table of Contents

1. Introduction
2. Information We Process
   2.1 Service Users
   National Data Opt-Out
   2.2 Friends/Relatives
   2.3 Staff
   2.4 Students/Trainees
   2.5 Other Individuals
   2.6 Website Visitors
3. How We Store Your Personal Information
4. Lawful Basis for Processing
5. Your Rights
6. Accessing Your Information
   How to Make a Request
   Accessing Someones Else’s Information
7. AI Transcription
8. CCTV and Automatic Number Plate Recognition (ANPR)
9. Queries and Complaints
10. Our Policies
11. Changes to Our Privacy Notice

Welcome to the Privacy Notice for Focus Independent Adult Social Work CIC.

This notice explains:

• What personal data we collect and why
• How we store and protect the data we collect
• The lawful bases we rely on
• Your rights under data protection law
• How to raise concerns or make requests

 We are the Data Controller for the information we handle. This means we decide how and why your data is used, and we are responsible for ensuring it is safe, secure, and used appropriately.

We follow the UK GDPR, the Data Protection Act 2018, the Data Use and Access Act 2025, and other relevant laws. We also recognise the Common Law Duty of Confidentiality and follow the Caldicott Principles to make sure personal information in health and social care is handled responsibly and ethically.

We take all reasonable steps to protect your information and prevent unauthorised access, disclosure, loss, or damage. If something happens that could affect your rights or interests, we will assess the situation and respond in line with our data protection duties.

Please note: The examples listed in each category are not exhaustive. We may process other types of personal data where necessary to deliver services, meet legal obligations, or support our operations.

We process personal data from and relating to:

• Service users
• Carers
• Professionals
• Staff
• Students
• Visitors to our website

We apply the appropriate lawful basis for each type of data, and we only share information when there is a lawful basis to do so and it is necessary and proportionate.

2.1 Service Users

What we collect:

• Basic details (name, address, date of birth, next of kin)
• Contact records (appointments, visits, communications)
• Financial details (where appropriate for funding arrangements)
• Special category data such as health and social care needs, ethnicity, religion, and sexual orientation.

Why we collect it:

• To assess needs and plan care
• To deliver and coordinate statutory services
• To meet legal obligations (e.g. safeguarding, CQC requirements)
• Where we get your information from:
• Directly from you or your representatives
• Third parties (e.g. professionals, referral forms, calls)

Who we may share it with:

• Health and care professionals
• Local authorities
• Family or friends (with your permission)
• Legal and regulatory bodies (e.g. CQC, law enforcement)

National Data Opt-Out

Information collected during your care may also be used to:

• Improve the quality of care
• Support research
• Help prevent illness
• Monitor safety
• Plan better services

This only happens where the law allows it, and your privacy is protected. Data is usually anonymised.

You can choose whether your confidential patient information is used for these purposes. Your choice will not affect your individual care.

To find out more or to opt out visit www.nhs.uk/your-nhs-data-matters or call 0300 303 5678

2.2 Friends/Relatives

What we collect:

• Contact details
• Records of communication
• Why we collect it:
• Recognised Legitimate Interest (e.g. emergency contacts)
• To support care and communication
• Consent (where applicable)

Where we get your information from:

• Directly from you or the service user
• Third parties (if legally required)
• Who we may share it with:
• Health and care professionals
• Local authority
• Law enforcement (if required)

2.3 Staff

What we collect:

• Personal details
• Payroll and financial information
• Training and learning records
• DBS check information
• Special category data (where necessary)

We process special category data for purposes such as sick pay or maternity leave. DBS checks are processed under legal duties in the Data Protection Act 2018 and the Rehabilitation of Offenders Act 1974.

Why we collect it:

• Employment, HR and payroll
• Training and development
• Legal and regulatory requirements
• Where we get your information from:
• Directly from you
• Third parties (e.g. references, DBS service)

Who we may share it with:

• HMRC
• Payroll/pension providers
• CQC and safeguarding bodies
• DBS Service (Care Plus Group)
• Law enforcement (if required)

2.4 Students/Trainees

What we collect:

• Contact details
• Educational records
• Supervision notes
• References and qualifications

Why we collect it:

• To support training and placements
• To assess competence
• To meet institutional and regulatory requirements
• Where we get your information from:
• Direct from you
• Your university or training provider
• Supervisors or assessors

Who we may share it with:

• Your educational institution
• Regulatory or professional bodies
• Law enforcement (if required)

2.5 Other Individuals Whose Data We May Process

We may also process personal data relating to:

• Contractors
• Visitors (e.g. sign-in details, CCTV footage, and Wi-Fi access logs)
• Job applicants (CVs, interview notes, references)
• External professionals and referrers
• Board members or trustees

We apply the same standards of confidentiality, security, and lawful processing to all individuals. Information is only shared where lawful, necessary, and proportionate.

2.6 Website Visitors

Website: www.focusadultsocialwork.co.uk

If you contact us through our website, we may collect limited personal data such as your name and email address.

Why we collect it:

• To respond to enquiries
• To improve our services
• To meet legal requirements

Cookies

Our website uses cookies to improve your experience and understand how our services are used. For full details, please see our Cookies Policy.

We follow the NHS Records Management Code of Practice to keep your information safe, confidential, and used only when necessary. We keep your data only for as long as needed for legal, regulatory, or care‑related purposes. After this, information is securely destroyed in line with our retention policies.

We work with a trusted local IT provider that holds:

• Cyber Essentials Plus certification
• ISO 27001 accreditation for information security

Most of our digital records are securely stored on the NHS Spine, which allows authorised health and social care professionals to access information safely and efficiently.

To protect your data, we use:

• Encryption
• Strict access controls for authorised staff
• Regular security audits
• Annual completion of the NHS Data Security and Protection Toolkit (DSPT)
• Ongoing monitoring for potential security risks

Some information may also be kept in paper form, such as printed care plans or handwritten notes. These are:

• Stored in locked cabinets or secure office spaces
• Accessible only to authorised staff
• Destroyed securely when no longer needed, following our retention policies

These measures ensure your personal information is handled and stored to a high standard of security and confidentiality.

As a social work organisation delivering statutory services, we process personal data under the UK GDPR, the Data Protection Act 2018, the Data Use and Access Act 2025 and the Common Law Duty of Confidentiality. The lawful basis we use depends on the type of information and why we need it. Our primary lawful bases are listed below.

Personal Data 

For most day‑to‑day social work activities and staff employment, we rely on:

Special Category Data

Some information is more sensitive, such as care or health‑related details. We process this under:

Criminal Offence Data (Article 10 UK GDPR)

We only process criminal offence data where it is necessary and proportionate for:

• Statutory social care functions
• Safeguarding duties
• Employment‑related requirements

This may include criminal history, allegations, investigations, police involvement, MAPPA notifications, or court instructions.

We process this information under the relevant provisions of Schedule 1 of the Data Protection Act 2018, including:

• Paragraph 2 – Employment, social security, and social protection
• Paragraph 6 – Statutory and government purposes
• Paragraph 10 – Preventing or detecting unlawful acts
• Paragraph 18 – Safeguarding children and vulnerable adults

Criminal offence data is handled with extra care because of its sensitivity.

Common Law Duty of Confidentiality

We also follow the Common Law Duty of Confidentiality. This means we only share confidential information when:

• You have given consent, or
• The law allows or requires it.

The information we hold about you is your data. We keep it confidential and make sure it is used appropriately.

Under UK data protection law, you have the following rights:

1. Right to be Informed – to know how your information is collected, used, and stored.
2. Right of Access – to ask for a copy of the personal data we hold about you.
3. Right to Rectification – to ask us to correct information that is wrong or incomplete.
4. Right to Erasure – to ask for your data to be deleted. Some social care records cannot be deleted because we are required by law to keep them for specific periods.
5. Right to Restrict Processing – to limit how your data is used. This may not apply where we must continue processing for safeguarding or legal reasons.
6. Right to Data Portability – to request your information in a format that allows you to reuse it with other services.
7. Right to Object – to object to certain types of processing (for example, direct marketing or some uses based on public task or legitimate interests).
8. Rights relating to Automated Decision‑Making and Profiling – to be protected from decisions made solely by automated systems without human involvement.

You can request access to the personal information we hold about you by making a Subject Access Request (SAR).

How to Make a Request

You can submit a SAR in any of the following ways:

• Online: Complete our online Data Request Form
• Email: send your request to data@nhs.net
• Post: write to us at the address above (marked for the Information Governance Team)
• Verbally: in person or over the phone

In all cases, we will need proof of identity before we can start processing your request.
If we need more information, we may contact you by phone.

When to expect a response

We aim to respond within one calendar month of receiving adequate identification (ID) and sufficient clarity of what it is you are requesting. The deadline is paused until we receive this information.
In some situations, this may be extended to up to three months (for example, if the request is complex). We will let you know if an extension is needed. Please see the ICO website for more information.

Accessing Someone Else’s Information

If you are requesting information on behalf of someone else, you must provide evidence that you have the legal authority to act for them, such as:

• A Lasting Power of Attorney
• Signed consent from the individual
• A court order

If the person is deceased, your request may be covered by the Access to Health Records Act 1990. More information is available on the NHS website.

In partnership with the local authority, we are trialling a secure, AI‑powered transcription tool called Minute. This tool has been developed as part of a government‑supported initiative focused on the safe, secure and transparent use of AI in public services.

We use the tool to support our statutory duties and to help us maintain accurate and timely records. It also reduces administrative burden and allows staff to focus more time on direct support and decision‑making, improving our service.

The tool converts audio to text, which is then processed to help create a final document or note. The final document or note is always reviewed by the relevant staff member before anything is added to the record.

The tool does not analyse, assess, monitor, or form judgments about service users or staff, and it is not used to train or improve AI models. It is simply a more efficient and reliable replacement for traditional note‑taking. This processing does not involve automated decision‑making or profiling under Article 22 UK GDPR.

Recording

To use the tool, we are required to record certain meetings and conversations. We do this using secure Focus laptops or phones. Recordings may be made for any meetings where accurate note‑taking is required. We do not carry out any continuous or covert recording.

All participants will be notified before recording begins, and individuals may ask questions or seek clarification at any time.

Recordings may include:

• Personal data
• Special category data (e.g., health or social care information)
• Criminal offence data (occasionally)

Recordings may be taken during:

• Internal staff meetings, including supervisions
• Online or hybrid meetings
• Meetings or visits with adult social care service users
• Meetings with external professionals
• Any other meetings where accurate notes are required

The lawful bases for processing are described in the main Lawful Basis section of this Privacy Notice.

Where is information processed?

• Recordings and transcripts are stored securely in the UK.
• A small part of the technical processing happens temporarily within secure systems in Sweden, but no data is stored or retained outside the UK at any stage.

How long do we keep recording and transcripts?

Recordings and transcripts are temporary working files. They are kept only until the social worker or relevant staff member has reviewed them and produced the final approved notes.

After this point, the recordings and automated transcripts are deleted. Minute does not retain copies.

The final approved notes become part of the formal case record and are kept in line with our adult social care retention policies, in accordance with statutory requirements.

Only the worker can access the recording, and they remain fully responsible for the accuracy of the record. 

Your Rights

Your GDPR rights still apply. You have the right to be informed about how your data is used, to request access or rectification, to request restriction, and to object to processing carried out under Public Task. No automated decisions are made about you under Article 22 UK GDPR.

If you have any questions about this processing or the trial, please contact our Information Governance Team using the details below.

For the purposes of building and vehicle access control, our premises are equipped with Closed-Circuit Television (CCTV) and Automatic Number Plate Recognition (ANPR) systems. Both systems are managed and maintained by Navigo.

We have real-time access to CCTV footage and ANPR data to facilitate safe and secure entry for individuals and authorised vehicles. However, we do not retain or store any recordings or data from these systems ourselves.

If you wish to request access to CCTV footage or ANPR data that may contain your personal information, please contact Navigo directly.

You have the right to raise concerns about how we handle your personal data. If you have concerns or questions, contact our Information Governance Team:

Information Governance Team
Focus Independent Adult Social Work C.I.C,
Heritage House,
Fisherman’s Wharf,
Grimsby,
DN31 1SY

Phone: 0300 330 2940
Email: focus.data@nhs.net

If you’re not satisfied with our response, please contact our Data Protection Officer (DPO) for an internal review:

Data Protection Officer
Focus Independent Adult Social Work C.I.C,
Heritage House,
Fisherman’s Wharf,
Grimsby,
DN31 1SY

Phone: 0300 330 2940
Email: focus.dpo@nhs.net

If still dissatisfied, you may appeal to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

https://ico.org.uk/concerns/
Phone: 0303 123 1113

As part of our commitment to transparency, you can view our Information Governance policies here:

• Data Protection Policy
• Information Governance Policy
• Information Security Policy
• Confidentiality Policy
• Records Management and Data Quality Policy
• Social Media Policy

We are currently updating our Information Governance policies to ensure they reflect current legislation and best practice. Revised versions will be published shortly.

We update our Privacy Notice to reflect changes in the law, our services, and the ways we use personal information

Updates will be posted on our website and, where necessary, communicated directly.

Key changes:

February 2026

• Lawful bases clarified
• AI section improved for information and clarity
• Controller status clarified
• General clarity and navigation improvements (clearer wording, links added etc.)

October 2025

• AI transcription trial
• DUUA 2025 inclusion
• Table of contents added
• CCTV and ANPR added
• Cookie section removed and replaced with a link to the full cookie policy
• Reorganised data subject categories
• Simplified most sections to improve readability