Privacy Policy

Privacy Policy 

Gray Healthcare Ltd 

Privacy Notice 

This privacy notice sets out how we use the personal and sensitive data we collect and store relating to people we support and our workforce (this includes people we employ directly and contract to work with us). Our Data Protection Team, which includes our Senior Information Risk Owner, Caldicott Guardian and Compliance Officer, inform, advise and monitor our compliance with General Data Protection Regulations and the Data Protection Act (1998). You can contact our Data Protection Team by emailing

What is Personal & Sensitive Data? 

Personal data is any information which identifies an individual person. This data may identify someone on its own (such as someone’s name) or may be used to identify someone when combined with other information (such as an someone’s initials and their date of birth). 

Sensitive data is information that relates to someone’s characteristics or personal circumstances. In GDPR this is referred to Special Categories. This may include a someone’s health information, salary, political views, philosophical views, sexuality or home address (this is not an exhaustive list). 

The categories of information that we process include: 

The data we collect may fall into a number of different categories. We do not collect data on all these categories, for example, we will collect different data for people we support compared with people we employ. The categories of information we process include: 

  • personal information (name, initials, date of birth, marital status etc) 

  • sensitive information (such as home address, vehicle information, criminal and legal information etc) 

  • professional information (NMC PIN, HCPC number etc) 

  • characteristics information (such as gender, age, ethnic group, disability information etc) 

  • contract information (such as start date, FTE, role) 

  • work absence information (such as number of days missed due to sickness absence) 

  • qualification level 

  • payroll information (such as salary, bank details, benefits, taxes etc) 

This list is not exhaustive, to access the current list of categories of information we process (data asset register) please contact   

Why we collect and use information 

The information we collect and store helps identify how well we are performing and how we can improve the services we provide. We use data to: 

  1. monitor performance 

  1. monitor health and support outcomes 

  1. monitor and manage risks 

  1. enable the development of a comprehensive picture of the workforce and how it is deployed 

  1. improve the management of resources throughout the organisation 

  1. inform the development of recruitment and retention policies 

  1. enable individuals to be paid 

  1. enable monitoring of selected protected characteristics 

  1. meet regulatory requirements (i.e. CQC regulations) 

Under the General Data Protection Regulation (GDPR), the legal bases we rely on for processing personal and sensitive information for general purposes are: 

  • Consent – This applies when you give us clear consent to process your personal data for a specific purpose 

  • Contract – This applies to processing information about people we support to meet our contracted obligations with people who fund us. This also applies to people we employ to work with us. 

  • Legal obligations – This applies to processing information about people we support and people who with us to meet our legal obligations, this largely relates to CQC regulations and HMRC regulations. 

  • Vital interests – There may be occasions where we may process information to protect someone’s life, this may include situations where we identify that someone is in danger or at risk of harm, or where they may be at risk of harming someone else. 

  • Legitimate interest – This applies to processing information to help monitor our performance and outcomes, so we can evidence the support we offer and identify ways in which we can improve it. 

Collecting information 

We collect personal and sensitive information via written communication (emails, forms, applications, referrals etc) and discussions and meetings (assessments, observations etc). 

Whilst the majority of personal information you provide to us is mandatory, some of it is requested on a voluntary basis. In order to comply with GDPR, we will inform you at the point of collection, whether you are required to provide certain information to us or if you have a choice in this. 


Storing and retaining information 

We hold data securely for the set amount of time shown in our data retention schedule. For more information on our data retention schedule and how we keep your data safe, please email 

Who we share information with and why we share it 

We will only share information with organisations as part of our lawful basis as set out above and only done so when it is relevant and necessary. We will anonymise data where we need to ensure we do not directly or indirectly share information that is not relevant or necessary. Some examples of organisation we routinely share information with is: 

  • Care Quality Commission 

  • Clinical Commissioning Groups 

  • Local Authorities 

  • Health and Social Care professionals 

  • Housing Associations / Agencies 

  • Her Majesties Revenue & Customs 

Requesting access to your personal data 

Under data protection legislation, you have the right to request access to information about you that we hold. To make a request for your personal information please email the Data Protection Team at   

You also have the right to: 

  • to ask us for access to information about you that we hold 

  • to have your personal data rectified, if it is inaccurate or incomplete 

  • to request the deletion or removal of personal data where there is no compelling reason for its continued processing 

  • to restrict our processing of your personal data (i.e. permitting its storage but no further processing) 

  • to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics 

  • not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you 

If you have a concern about the way we are collecting or using your personal data, we ask that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at 

Withdrawal of consent and the right to lodge a complaint 

Where we are processing your personal data with your consent, you have the right to withdraw that consent. If you change your mind, or you are unhappy with our use of your personal data, please let us know by contacting the Data Protection Team at   

Last updated 

We review our Privacy Notice on an annual basis, unless we need to do this sooner. This version was last updated on 15th April 2019. 


If you would like to discuss anything in this privacy notice, please contact: 

Data Protection Team                  or        
Gray Healthcare Limited 
2000 Vortex Court 
Enterprise Way 
L13 1FB