Privacy Notice
This service privacy notice gives you information on how Conwy County Borough Council (“CCBC”) collects and processes personal data in connection with the Galw Gofal services (the “Services”). In accordance with the retained EU law version of the General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, this service privacy notice sets out what CCBC does in connection with the delivery of the Services with customer personal data, and any personal information relating to key holders, family, friends and carers, on call officers or contractors.
The information in this service privacy notice will be kept under review to incorporate any further changes communicated by the Information Commissioner’s Office (“ICO”).
This service privacy notice supplements our full privacy notice that contains more detailed information about our data processing (including about data security, data retention, and lawful processing bases) and you should read that in conjunction with this service privacy notice: Please see here.
We keep this service privacy notice under regular review. This version was last updated on 11/12/2023. Historic versions can be obtained by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Who are we?
The controller of your personal data is CCBC. In some circumstances, your personal data may be jointly controlled by CCBC and another local authority or service commissioner.
Provided by CCBC, Galw Gofal is a call monitoring service based in North Wales providing bilingual 24/7 support for the delivery of health and social care to help protect vulnerable people in their own homes or in the workplace and providing safety, security and continued independence.
The call monitoring service facilitates response for people using assistive technology (Telecare and Telehealth) and Lone Worker solutions.. We also provide an Out of Hours emergency telephone contact service for households across the country.
The Services are provided under the auspices of a non-statutory local authority collaboration undertaken within a legal framework. The collaboration is based on the lead authority model, with delegation of functions to fulfil the obligations of the agreement, deliver the service, including provision of support services IT, Finance, HR, Legal etc. to CCBC using powers in Section 101 of the 1972 Local Government Act, Section 2 of the Local Government Act 2000 and Section 47 of the 1990 Care Act. CCBC’s corporate policies apply to activities undertaken to deliver the Services and all contracts are entered into by CCBC.
The personal data we collect about you
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).We may collect, use, store and transfer different kinds of personal data about you as follows:
- Identity Data includes title, first name, last name, marital status and gender of data subjects, emergency contacts, out of hours emergency contacts, anyone else living in the same property as the service user, the service user’s landlord (where such landlord has commissioned the Services on behalf of a service user), domiciliary care agencies or support workers to a service user, named contractors, duty officers and managers provided by any joint controller which has commissioned the Services on behalf of any service user(s); if age, address, and telephone numbers;
- Contact Data includes address, telephone number and email address of data subjects, emergency contacts, out of hours emergency contacts, anyone else living in the same property as the service user, the service user’s landlord (where such landlord has commissioned the Services on behalf of a service user), domiciliary care agencies or support workers to a service user named contractors, duty officers and managers provided by any joint controller which has commissioned the Services on behalf of any service user(s);
- Profile Data includes unique equipment reference number assigned to the telecare equipment installed in a service user’s home, unique ‘RAISE’ Social Care database reference number allocated to a service user;
- Usage Data means satisfaction information and details of complaints from or relating to service users.
We may collect, use, store and transfer the following different kinds of special category personal data about you as follows:
- racial or ethnic origin;
- religious or philosophical beliefs;
- data concerning your physical or mental health or condition, medication or other treatment, welfare concerns, physical description or photograph; and
- sex or sexual orientation.
We may collect, use, store and transfer criminal offence data about you.
We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of service users making emergency calls. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this service privacy notice.
How is your personal data collected?
We use different methods to collect data from and about you including through:
- direct interactions. You may give us your identity and contact data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you register as a service user, give us feedback or contact us;
- automated technologies or interactions. As you interact with our Services we will automatically collect technical data about your equipment connected with our delivery of the Services. We collect this personal data by using server logs and other similar technologies;
- third parties. We will receive personal data about you from various third parties including any joint controllers who have commissioned the Services on your behalf, your emergency contacts, healthcare or domiciliary care providers or third parties engaged by us in the delivery of the Services.
How we will use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
- where we need to perform a contract for the delivery of the Services;
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
- where we need to comply with a legal obligation; or
- to protect someone’s life.
Generally, we do not rely on consent as a legal basis for processing your personal data.
What do we use personal data for?
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose / Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
To register you as a service user |
(a) Identity (b) Contact |
Performance of a contract. Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users. |
To record you as a named emergency contact for a service user |
(a) Identity (b) Contact |
Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. |
To manage your relationship with us |
(a) Identity (b) Contact (c) Profile (d) Usage |
Performance of a contract. Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. |
To deliver the Services |
(a) Identity (b) Contact (c) Profile (d) Usage |
Performance of a contract. Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. |
To escalate an emergency call to a responded, contractor, emergency services and/or duty officer |
(a) Identity (b) Contact (c) Profile |
Performance of a contract. Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. Vital interests. |
To report on each emergency call to any joint data controller |
(a) Identity (b) Contact (c) Profile (d) Usage |
Performance of a contract. Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. |
For assessment of the quality of the Services |
(a) Identity (b) Contact (c) Profile |
Performance of a contract. Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. |
To ensure continuous improvement of the Services |
(a) Identity (b) Contact (c) Profile (d) Usage |
Performance of a contract Legitimate interests – to perform a contract entered into with commissioners to provide the Services to service users and to provide the Services to service users. |
In addition, the lawful basis for processing your special category personal data are:
- vital interests;
- health or social care (with a basis in law):
- the management of health care systems or services or social care systems or services.
We receive personal data for service users in the form of referrals from local authorities and other service commissioners (joint data controllers) along with such other information as we may reasonably require in order to provide the call monitoring service. This may include information about named emergency contacts for service users, or other persons living in the same property as a service user.
A data subject may supply additional data during an emergency response request or out of hours call which is relevant to determine the appropriate response and prioritisation of the emergency call.We make and keep voice recordings of all telephone calls made from and to our call monitoring centre in relation to the delivery of the Services.
We do not use your personal data for marketing purposes.
Who is your information shared with?
We may share your information in the delivery of the Services:
- any joint data controller in respect of your personal data;
- you or your authorised representative;
- your named contacts i.e. next of kin, friends, relatives or carers;
- your named domiciliary care agency;
- any named contractors provided by a joint controller in respect of your personal data;
- your health practitioners or the emergency services;
- local authority representatives who may need to be contacted based on any concern raised in relation to your wellbeing
- relevant third parties where required by law;
- service providers (acting as data processors) based in England and Wales who provide IT and software services in support of the Services;
- our professional advisers including lawyers, auditors and insurers based in England and Wales who provide professional services to us;
- regulators and other authorities based in the United Kingdom who require reporting of processing activities in certain circumstances; and
- Any third parties to whom we may choose to sell, transfer or merge parts of the Galw Gofal business or assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to the Galw Gofal business, then the new owners may use your personal data in the same way as set out in this service privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
International Transfers
We do not transfer your personal data outside the UK.
Data Security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long will we keep this information?
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.
The retention period for personal data collected in the provision of the Service is usually three years. Further detail of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us using the contact details below.
Your rights under GDPR
Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights are to:
- request access to your personal data;
- request correction of your personal data;
- request erasure of your personal data;
- object to processing of your personal data;
- request restriction of processing your personal data;
- request transfer of your personal data; and
- withdraw consent.
Please see further detail about each of these rights at Appendix A. If you wish to exercise any of the rights set out above, please contact us using the contact details below.
You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
For further information about the personal data which CCBC holds and its use, or if you wish to exercise your rights under the UK GDPR, please use the contact details below:
Nick McCavish – Regional Strategic Manager
Tel: 01492 575240 / 07720 103551
E-mail: nick.mccavish@conwy.gov.uk
To contact the Information Commissioner’s Office, please see details below:
Information Commissioners Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone helpline: 029 2067 8400 (Wales helpline) or 0303 123 1113 (UK helpline)
Website: www.ico.org.uk