Data Protection and Privacy Policy
Who are We?
ARROW Continuing Healthcare Consultants is a sole-trader company operating in the UK.
References in this Privacy Notice to “ARROW,” “we,” “us,” or “our” mean ARROW Continuing Healthcare Consultants.
ARROW specialises in securing care funding for adults with health-related care needs. Detailed information about our company and services is available on our website at www.arrowchc.org
Who Is Responsible for Your Data?
ARROW acts as the “data controller” under the Data Protection Act 2018 (the “Act”) and the UK General Data Protection Regulation (UK GDPR).
We are committed to respecting and protecting your privacy. Please read this Privacy Notice carefully to understand how we process your personal data.
For any questions, ARROW’s Head of Data Privacy can be contacted at [email protected].
Purpose and Scope of This Privacy Notice
The UK GDPR defines “personal data” as any information related to an identified or identifiable living individual (known as a “data subject”).
This Privacy Notice explains:
This Privacy Notice applies to personal data provided to us:
Data Processing Principles
Under UK GDPR, personal data must be:
Lawful Basis for Processing
Under Article 6 of UK GDPR, processing personal data requires at least one lawful basis:
What Is Personal Data?
Personal data refers to any information that can identify an individual, such as:
How Do We Use Personal Data?
We process personal data to:
Sharing Personal Data
We share personal data only when necessary:
Your Data Subject Rights
Under the UK GDPR, you have rights regarding your personal data, including:
Data Security and Retention
We apply robust technical and organisational measures to safeguard your personal data. Data is retained only for as long as necessary to fulfil the purposes for which it was collected, after which it is securely deleted or anonymised.
For further information or queries, please contact:
[email protected]
How Do We Use Client Data?
At ARROW Continuing Healthcare Consultants, we collect and process client data to provide professional, tailored services while ensuring compliance with legal, regulatory, and ethical obligations. Below are the primary ways in which client data is used:
Commitment to Data Protection
We are committed to safeguarding client data by implementing robust security measures to prevent unauthorised access, loss, or misuse.
Data collected is only retained for as long as necessary to fulfil its intended purpose, after which it is securely deleted or anonymised.
By collecting and processing data responsibly and transparently, ARROW strives to maintain the trust and confidence of our clients while delivering professional and compassionate services.
What Data Do We Collect About Employees?
To operate our business and fulfil legal obligations, ARROW collects and processes specific information about employees. This data includes:
How We Use Employee Data
Employee data is processed for:
What Data Do We Collect from Job Applicants?
When individuals apply for positions at ARROW, we collect data to facilitate recruitment. This data may include:
How We Use Job Applicant Data
What Data Do We Collect from Website and Social Media Users?
When individuals interact with our website or social media channels, we collect personal data through automated tracking and direct input. This may include:
How We Use Website Data
Where Do We Store and Process Personal Information?
Personal data may be stored and processed outside the UK or EEA. ARROW ensures that:
How Do We Keep Personal Information Secure?
We use robust measures to protect personal data, including:
How Long Do We Store Personal Information?
Data retention periods depend on legal, contractual, and operational requirements:
How Do We Share Personal Data?
We share personal data only when legally permitted and ensure it is protected by:
Training and Awareness
ARROW is committed to ensuring all employees are trained on data protection responsibilities. Regular updates and interactions with bodies such as the Information Commissioner’s Office (ICO) reinforce our commitment to maintaining compliance and best practices.
Your Data Rights
We respect the rights of data subjects under the UK GDPR, including:
Updating Your Information
If your personal information changes, you can update or correct it by contacting us. Similarly, you can opt out of marketing communications at any time by using the unsubscribe link in emails or contacting us directly.
Withdrawing Consent
Where processing relies on your consent, you can withdraw it at any time by contacting us.
How Do I Contact You?
If you wish to exercise your rights, withdraw consent, or ask any questions, please contact:
Head of Data Privacy
ARROW Continuing Healthcare Consultants
47 Salisbury Road, Norwich, Norfolk, NR1 1TU
Email: [email protected]
We will respond promptly and appropriately.
Making a Complaint
If you are dissatisfied with our handling of your personal data, you can lodge a complaint with the Information Commissioner’s Office (ICO):
By Post: Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By Phone: 0303 123 1113
For more information, visit www.ico.org.uk.
Review of This Privacy Notice
This Privacy Notice is reviewed regularly to ensure it remains accurate and up to date. The most recent update was in January 2024.
ARROW Continuing Healthcare Consultants is a sole-trader company operating in the UK.
References in this Privacy Notice to “ARROW,” “we,” “us,” or “our” mean ARROW Continuing Healthcare Consultants.
ARROW specialises in securing care funding for adults with health-related care needs. Detailed information about our company and services is available on our website at www.arrowchc.org
Who Is Responsible for Your Data?
ARROW acts as the “data controller” under the Data Protection Act 2018 (the “Act”) and the UK General Data Protection Regulation (UK GDPR).
We are committed to respecting and protecting your privacy. Please read this Privacy Notice carefully to understand how we process your personal data.
For any questions, ARROW’s Head of Data Privacy can be contacted at [email protected].
Purpose and Scope of This Privacy Notice
The UK GDPR defines “personal data” as any information related to an identified or identifiable living individual (known as a “data subject”).
This Privacy Notice explains:
- The lawful basis for processing the personal data we collect or that is provided to us.
- Our purpose for processing your personal data.
- Your rights as a data subject, such as the right to access the information we hold about you.
This Privacy Notice applies to personal data provided to us:
- Directly by you, a third party acting on your behalf, clients and their authorised agents, or from publicly available sources (e.g., Companies House or internet searches).
- Through third parties, who must inform individuals of how their data is shared with ARROW. Where necessary, reference may be made to this Privacy Notice.
Data Processing Principles
Under UK GDPR, personal data must be:
- Processed lawfully, fairly, and transparently.
- Collected for specified, explicit, and legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Retained only as long as necessary.
- Processed securely to protect against unauthorised access, loss, or destruction.
- Is processed in line with the rights of data subjects.
- Is not transferred outside the European Economic Area (EEA) unless adequate protections are in place.
- Clearly explain the purpose of data collection and processing.
- Have a lawful basis for processing, such as consent.
- Retain data only for the necessary duration and ensure timely deletion.
- Implement technical and organisational measures to safeguard data.
- Staff handling personal data are appropriately trained and understand their legal responsibilities.
- Data queries are handled promptly and courteously.
- Regular audits and assessments of data processing activities are conducted.
Lawful Basis for Processing
Under Article 6 of UK GDPR, processing personal data requires at least one lawful basis:
- Consent: You have provided specific, informed, and unambiguous consent.
- Contractual Necessity: Processing is required to fulfil a contract or take steps prior to entering into one.
- Legal Obligation: Processing is necessary to comply with legal requirements (e.g., tax or social security).
- Vital Interests: Processing is required to protect someone’s life.
- Public Interest: Processing is necessary to perform a task in the public interest with a legal basis.
- Legitimate Interests: Processing is necessary for ARROW’s legitimate business interests or those of a third party unless overridden by your rights.
What Is Personal Data?
Personal data refers to any information that can identify an individual, such as:
- Name, address, email, or phone number.
- Records of correspondence (e.g., via email, phone, or post).
- Sensitive personal data (special category data), such as:
- Health and medical records.
- Financial information, including bank account details.
- Information you provide directly (e.g., when emailing, calling, or purchasing services).
- Publicly available sources (e.g., internet searches, Companies House).
- Third parties, such as authorised agents or service providers.
How Do We Use Personal Data?
We process personal data to:
- Fulfil contractual obligations:Provide services you have purchased.Share necessary data with contractors or third parties for service delivery
- Administer accounts and correspondence:Use contact details (e.g., name, email, phone number) for account setup and administration.
- Comply with legal obligations:Prevent fraud, detect crime, and respond to regulatory or legal requests.
- Provide personalised servicesTailor content or experiences (e.g., location-based services).
- Marketing communications:Deliver relevant updates and promotions.Provide opt-out options for marketing emails, although critical contractual communications may still be sent.
Sharing Personal Data
We share personal data only when necessary:
- Within ARROW:Access to personal data is restricted to employees requiring it for service provision.
- With third-party service providers:These providers include payment processors, cloud hosting services, and data analytics platforms.Third parties may not use your data for purposes beyond their contractual obligations to us.
- For legal purposes:When required by law or regulatory authorities.
- In business transactions:Personal data may be shared in cases of incorporation, mergers, or transfers of business operations.
Your Data Subject Rights
Under the UK GDPR, you have rights regarding your personal data, including:
- Right to Access: Obtain a copy of the personal data we hold about you.
- Right to Rectification: Request corrections to inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data (subject to certain conditions).
- Right to Restrict Processing: Limit how your data is processed in specific circumstances.
- Right to Data Portability: Receive your data in a machine-readable format or have it transferred to another controller.
- Right to Object: Object to processing for specific purposes, such as direct marketing.
Data Security and Retention
We apply robust technical and organisational measures to safeguard your personal data. Data is retained only for as long as necessary to fulfil the purposes for which it was collected, after which it is securely deleted or anonymised.
For further information or queries, please contact:
[email protected]
How Do We Use Client Data?
At ARROW Continuing Healthcare Consultants, we collect and process client data to provide professional, tailored services while ensuring compliance with legal, regulatory, and ethical obligations. Below are the primary ways in which client data is used:
- Client Management: Personal data is processed to effectively communicate with clients and assess their unique needs. This ensures that the services we provide are relevant, personalized, and address the specific requirements of each client.Data helps us deliver on our commitment to securing care funding for adults with health-related care needs by understanding each client’s circumstances comprehensively.
- Service Delivery: Client data, including sensitive personal information, is utilized to prepare and submit necessary documentation (e.g., health and medical records) for care funding applications.Data is shared with authorized third parties, such as expert assessors or healthcare providers, when necessary to deliver our services.
- Administrative Purposes: Data is used to manage and organize business processes, including maintaining client records, producing client-facing documents, coordinating correspondence, and improving our internal operations.Information is used to host client events, manage schedules, and ensure seamless client relationship management.
- Regulatory and Compliance Requirements: To meet our legal, regulatory, and ethical obligations, we may collect and process personal data, including for identity verification purposes.This ensures compliance with applicable laws and professional standards governing our business.
- Enhancing Service Quality: We use client data to evaluate and improve the quality of our services. This may include analysing feedback or identifying patterns to optimize our processes.
- Legal Purposes: In some cases, we may process client data to fulfil legal obligations, defend our rights, or resolve disputes. This is handled with strict confidentiality and in adherence to applicable legal frameworks.
Commitment to Data Protection
We are committed to safeguarding client data by implementing robust security measures to prevent unauthorised access, loss, or misuse.
Data collected is only retained for as long as necessary to fulfil its intended purpose, after which it is securely deleted or anonymised.
By collecting and processing data responsibly and transparently, ARROW strives to maintain the trust and confidence of our clients while delivering professional and compassionate services.
What Data Do We Collect About Employees?
To operate our business and fulfil legal obligations, ARROW collects and processes specific information about employees. This data includes:
- Personal Identifiers: Name, address, email, phone number, date of birth, gender, and nationality.
- Employment Information: Work history, employment records, and references.
- Legal and Financial Information: National Insurance number, bank account details, and other financial records.
- Verification Documents: Passport information, driving licenses, and other identification documents.
- Emergency Contact Details: Next of kin and emergency contacts.
How We Use Employee Data
Employee data is processed for:
- Compliance with employment laws and regulations.
- Managing personnel and ensuring smooth employment administration (e.g., payroll, benefits, and tax reporting).
- Providing references for current or former employees as requested.
- Enhancing operational efficiency and staff management.
What Data Do We Collect from Job Applicants?
When individuals apply for positions at ARROW, we collect data to facilitate recruitment. This data may include:
- Personal Information: Name, date of birth, gender, and nationality.
- Professional Details: Qualifications, previous employment history, and references.
How We Use Job Applicant Data
- To assess qualifications and suitability for roles.
- To communicate with applicants throughout the recruitment process.
- To manage our recruitment records and processes.
What Data Do We Collect from Website and Social Media Users?
When individuals interact with our website or social media channels, we collect personal data through automated tracking and direct input. This may include:
- Provided Data: Name, email address, phone number, and any information shared via forms or messages.
- Technical Data: IP address, browser type, device information, and activity metrics (e.g., page views, clicks, downloads).
- Interaction Data: Survey responses, comments on blogs, or social media interactions.
How We Use Website Data
- Administration: To troubleshoot, analyse, and improve our website functionality and user experience.
- Functionality: To provide features that require user input (e.g., contact forms).
- Security: To protect the integrity and safety of our digital platforms.
- Promotion: To analyse the effectiveness of marketing campaigns and user engagement.
Where Do We Store and Process Personal Information?
Personal data may be stored and processed outside the UK or EEA. ARROW ensures that:
- Data is processed in accordance with this Privacy Notice and relevant laws.
- Appropriate safeguards, such as contractual clauses, are in place to ensure data protection, even when transferred to regions with differing privacy laws.
How Do We Keep Personal Information Secure?
We use robust measures to protect personal data, including:
- Access Controls: Restricting access to sensitive data to authorized personnel.
- Technical Safeguards: Secure encryption, firewalls, and regular security audits.
- Policy Compliance: Ensuring third-party contractors comply with our data protection standards.
- Staff Training: Educating employees about confidentiality, security, and data protection practices.
How Long Do We Store Personal Information?
Data retention periods depend on legal, contractual, and operational requirements:
- Personal data is only retained as long as necessary for its purpose.
- Once no longer needed, data is securely deleted, destroyed, or anonymised.
How Do We Share Personal Data?
We share personal data only when legally permitted and ensure it is protected by:
- Contractual safeguards with third parties.
- Security mechanisms to prevent unauthorised use.
- Clients and authorized agents for legitimate purposes.
- Third-party providers (e.g., IT, cloud hosting, analytics).
- Professional advisors, auditors, or law enforcement, when required.
Training and Awareness
ARROW is committed to ensuring all employees are trained on data protection responsibilities. Regular updates and interactions with bodies such as the Information Commissioner’s Office (ICO) reinforce our commitment to maintaining compliance and best practices.
Your Data Rights
We respect the rights of data subjects under the UK GDPR, including:
- Right to Be Informed: As outlined in this Privacy Notice.
- Right of Access: To know what data we hold.
- Right to Rectification: To correct inaccuracies.
- Right to Erasure: To request data deletion.
- Right to Restrict Processing: To limit how data is used.
- Right to Data Portability: To transfer your data to another service.
- Right to Object: To processing based on legitimate interests or marketing.
- Rights Related to Automated Decision-Making: Including profiling.
Updating Your Information
If your personal information changes, you can update or correct it by contacting us. Similarly, you can opt out of marketing communications at any time by using the unsubscribe link in emails or contacting us directly.
Withdrawing Consent
Where processing relies on your consent, you can withdraw it at any time by contacting us.
How Do I Contact You?
If you wish to exercise your rights, withdraw consent, or ask any questions, please contact:
Head of Data Privacy
ARROW Continuing Healthcare Consultants
47 Salisbury Road, Norwich, Norfolk, NR1 1TU
Email: [email protected]
We will respond promptly and appropriately.
Making a Complaint
If you are dissatisfied with our handling of your personal data, you can lodge a complaint with the Information Commissioner’s Office (ICO):
By Post: Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By Phone: 0303 123 1113
For more information, visit www.ico.org.uk.
Review of This Privacy Notice
This Privacy Notice is reviewed regularly to ensure it remains accurate and up to date. The most recent update was in January 2024.
