Encompass LATC LTD is committed to protecting and respecting your privacy. Through this privacy notice we have sought to be as transparent as possible to fully explain how your personal information is held and processed. This notice explains how we collect, use and share your information and how we keep it and how we keep it secure.
This privacy notice also explains when and why we collect personal information about people who engage or come into contact with us, whether via applying or receiving the services we provide on behalf of the London Borough of Sutton, receiving services that we provide independently of the London Borough of Sutton or visiting our websites.
Upon visiting our websites we will use third party service providers to collect technical information from your device, including standard internet log information such as the Internet Protocol (IP) address, your browser type and version, and certain page interaction information. In addition to this privacy notice some services have their own dedicated privacy notice to tell people in more detail how they use your information and the legal basis for using the information.
Information collected about you
Encompass may collect various types of personal data about individuals depending on the services your receive and your contact with us. We only collect personal data that is absolutely necessary and any information we collect about you will be in accordance with data protection laws and other statutory obligations we are bound to follow.
The various types of personal data we collect include:
- contact details; including name, address, billing address, email address, telephone number, etc.
- date of birth
- proof of identity
- financial Data: including payment card details.
- national identifiers such as; NHS number and NI numbers
- information about your family
- IP address and information regarding what pages are accessed and when
- lifestyle, social and personal circumstances
- the services you receive
- financial details for purposes of receiving or making payments
- employment details (when you apply for jobs)
- transaction data: including the details of the products and services purchased and the date, time and location of sale and your purchasing activity
- housing information relating your council tenancy
- technical data: including information we collect through your use of our websites and mobile apps, where you came to our website from and where you went when you left our website, how often you visit and use our websites and mobile apps, technical information about the devices you use to access our websites and mobile apps (including your device's unique identifying codes (e.g. its "MAC" address), relevant IP address, operating system and version, web browser and version, and geographic location)
- marketing and communications data: including your preferences in receiving marketing from us, your communication preferences and information on what you view, click on and access in and through our marketing emails, text messages and push notifications
We may also collect sensitive personal data that may include:
- physical or mental health details
- racial or ethnic origin
- gender and sexual orientation
- trade union membership
- political affiliation and opinions
- offences (including alleged offences)
- religious or other beliefs of a similar nature
- criminal proceedings, outcomes and sentences
From May 2018, genetic data and biometric data is treated as sensitive personal data. We may also record and monitor telephone calls to our contact centre for quality and training purposes.
Why we need your information
We need your personal data in order to provide you with services that you apply for or receive from us and also where we are required to use information in order to meet our statutory obligations. We will only collect personal data that is absolutely necessary and any information we collect about you will be strictly in accordance with the data protection law and other statutory obligations which we are bound by.
We process your information for the following services:
- housing needs and homelessness services
- adults social care services
- encompass living services
- encompass innovate services
We may also use your information for our wider functions which are:
- the prevention and detection of fraud and any other crime
- to protect public funds in investigating misuse of public money
In addition to providing the services above, you personal information is also processed for these additional purposes:
- to assist the council to provide efficient and effective services
- debt collection
- prevent and detect fraud and corruption in the use of public funds
You will be advised of any further additional purposes or uses at the time the information is collected or used.
Lawful basis to process your information
Encompass must have a lawful basis for processing your information. In most cases the information will be collected and used where we have statutory obligations to collect use or share your information; in those instances we have a public interest basis for processing your information. In some instances the services we provide are optional which means that Encompass will only provide the service if the customer has requested the service or the customer consents to the service. In that instance, consenting to the service does not necessarily mean that the lawful basis for processing your information is consent; Encompass may rely on the public interest basis where it has specific powers to provide the service.
Where your consent is required to process your information we will seek your consent. However, where your consent is not required to process your information, for example where Encompass has a lawful basis for processing your information, your consent will not be sought. Where we need to disclose sensitive or confidential information such as medical details to other partners we will do so only with your prior explicit consent unless we are legally entitled to share the data.
Encompass may also process your information where processing is necessary for the performance of a contract and where processing is necessary to protect your vital interest or the vital interest of another person. Encompass may also process your information where we are obliged to process your information to comply with the law.
Where we have statutory authority to collect and process your personal information for the provision of our services, your consent is not required to process your information. Where the service is optional, we will not process your information until you have consented to receive the service. Once we have your consent for the service, your information will be processed under our statutory authority to provide the service.
Upon visiting our website, cookies are used to collect information about website usage.
Cookies are also set when you:
- click on social networking buttons in our pages such as facebook and twitter
- watch videos
- register for services
- take part in online surveys
Marketing and E-Newsletters
Encompass always acts upon your choices around what type of communications you want to receive and how you want to receive them. Where you have signed up for one of our newsletters, we use email newsletters to inform you of what we're doing, news and events.
Tools may be used to help us improve the effectiveness of our communications with you, including tracking whether the emails we send are opened and which links are clicked within a message. This helps us to improve and refine future email marketing around our campaigns and make sure all our emails are relevant and useful as possible.
You have a choice about whether or not you wish to receive information from us. If though you no longer want to receive our e-newsletters, then you can do this by clicking the unsubscribe link on marketing emails we send.
Who your information may be shared with
Encompass LATC LTD has statutory obligations to collect, process and share personal information without consent, with our partners such as the NHS, housing associations, schools, central government, such as DWP, HMRC, Home Office, Dept. Of Education, Dept. of Health, other councils and law enforcement agencies such as the Police and the Crown prosecution service, for the following purposes:
- health and wellbeing and public health
- safeguarding of vulnerable adults and children
- the prevention and detection of crime
- the assessment of any tax or duty
- collection of debt
- if we are required to do so by any court or law
- prevention of fraud
- the national fraud initiative
- protect you or other individuals from serious harm
- protect public funds
- public safety and law enforcement
- criminal or civil prosecution of offenders
- national security
To ensure that Encompass LATC provides you with an efficient and effective service we will sometimes need to share your information between teams within the council. We may also share your information with our partners to deliver national government programmes and initiatives such as the Troubled Families programme, or improving services we deliver, or provide the services you agreed to receive.
We may share with:
- NHS (GP's, Hospital, Mental Health, CCG's etc.)
- voluntary sectors
- central government
- other councils
- housing associations
In most cases this will be done where there is a lawful basis under the conditions set out in data protect laws. We may also share your information with third party service providers working on our behalf for the purposes of completing tasks and providing services to you on our behalf (for example; domiciliary care providers). However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure, as required by the Data Protection Act 1998 and General Data Protection Regulation 2016 (GDPR), and not to use it for any other purposes.
We will never use or share your personal information to third parties for marketing purposes without your permission.
If you are receiving a service from us that we provide on behalf of the London Borough of Sutton, we may share some of your information, for example your name and address, internally with other departments in the Council if this:
- helps you to access services more easily
- promotes the more efficient and cost effective delivery of council services
- helps recover monies owed to the council
How long we keep your information
We review our retention periods of the information we hold about you on a regular basis. We are legally required to hold some types of information to fulfil our statutory obligations. We will hold your personal information on our systems for as long as it is necessary for the relevant activity or service that we provide to you, or as required by law.
We will retain your information for the period in which your information is being used for service provision or for our wider functions including debt collection. Where we have statutory authority to process your information; your right to be forgotten does not apply to our functions and services
Details of transfers to third country and safeguards
Encompass uses Google Cloud Platform in the provision of its services and wider functions. This means that your personal and sensitive data is stored and processed on servers outside of the European Economic Area (EEA). Google has certification under the EU-U.S. and Swiss-U.S Privacy Shield Frameworks; this means that there is an adequate level of security for data processing and therefore your data is being processed lawfully.
Improving customer records
We are working on how to improve how we provides services and how to make our record keeping more relevant and efficient.
We are implementing systems which record details of name, address, date of birth, gender, contact details (telephone/e-mail) and information which can be used to confirm your identity.
These systems may be used to act as an index to other Encompass and Council systems where appropriate and be able to feed information into them, including changes to your address and/or contact details as and when you inform us.
Children and young people
As an entity wholly owned by and working on behalf of The London Borough of Sutton we, along with other agencies such as schools and early years settings, process information about children and young people in order to administer service provision. In doing so we must comply with the Data Protection Act (1998). This means (amongst other things) that the data held about children must only be used for specific purposes allowed by law.
How we handle your personal information
Personal data identifies a living person and/or includes any expression of opinion about that person.
'Sensitive personal data' might include:
- racial or ethnic origin
- religious or other beliefs of a similar nature
- physical or mental health or condition
- sexual life
- offences (including alleged offences)
All personal data is processed in accordance with your rights under the Data Protection Act 1998. It lays down eight principles of good information handling which state that personal information should be:
- Processed fairly and lawfully
- Obtained only for specified and lawful purposes
- Adequate relevant and not excessive for the purpose
- Accurate and up to date
- Kept no longer than necessary
- Processed in accordance with the rights of the data subject
- Protected against unauthorised or unlawful processing, and against accidental loss or destruction
- Not transferred outside of the European economic area unless adequate level of protection ensured
How information is stored
We use electronic case management systems to store information about you. We may also have historical information on paper case files. We have security measures in place to safeguard the confidentiality of your records and prevent any unlawful access
to your personal data.
- restricted access to Encompass LATC and council buildings means that only authorised staff members are able to gain entry to areas where records are kept
- passwords on computer records mean that only case-workers with a need to know have access to your information
- locked systems are in place for paper records
- archived material is held in secure purpose built premises or held on secure electronic systems
- we will make arrangements to confidentially dispose of customer information once a case is closed to us and has fallen outside of our retention period, after which it is no longer necessary to be kept by the company
Why personal records are kept
The information we hold helps us to decide the best way to help people. We need to keep this information to help plan and provide the correct services for you.
Where we do not directly provide the service, we may need to pass your personal data onto the people who provide the service. These providers are obliged to keep your details safe and secure, and use them only for social care or housing services.
After you have finished receiving services from us, we may keep the information we hold about you if it seems likely that you might need our services again, or we are requested by law to do so. We will not keep your records for longer than is necessary.
The sort of information that is kept
When you ask for help or advice from us, we collect information about your personal and family circumstances. Other people - for example members of your family, medical professionals or support agencies - might also give information. We keep notes of meetings and conversations with you and with other people. We hold electronic records of your assessments, housing register and applications or homelessness, care and support plans, reviews and any investigations that take place.
We will ensure that your personal data is treated as confidential where appropriate, is relevant, accurate and kept up to date.
Who can see the information held about me?
Only those staff involved in providing the relevant service to you can see the information - this may include social workers, care managers, occupational therapists, mental health workers, administrative staff and some colleagues from other council services.
All our staff are required to abide by a strict code of conduct on confidentiality and information sharing. We emphasise the importance of sharing information at an early stage to ensure you get the service you require.
We may also share some information with other staff who do not work for us but are involved in providing support to you. This may include, for example, your GP or care provider.
n circumstances where the disclosure of personal data is necessary, our staff understand when, why and how to share information.
- asking for your consent at the outset, and recognising when consent may not be required
- only sharing information with those who need to know in order to provide you with good quality care or housing services
- sharing the minimum necessary to ensure good quality care
- sharing information for legal or contractual reasons or if in the public interest or to reduce risk of significant harm
Your rightsYou have the following rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights in relation to automated decision making and profiling
- the right to lodge a complaint with the Information Commissioner’s Office (ICO)
Under the Data Protection Act, you, as a 'data subjects', are entitled to have access within 40 days following a request to information we hold regarding your personal details.
Under the Act you are also entitled to:
- a description of the data being processed
- the purposes for which it is being processed
- a description of the recipients
- the source of the data
- where any decision is taken based solely on an automated process.
These are called subject access requests and must be made in writing to us. There are some exemptions to disclosure of information to data subjects under the terms of the Act. The Data Protection Act does not give third parties rights of access to personal information about individuals still living.
To request a copy of this information you must make a subject access request in writing, either via email or a letter to:
Encompass LATC LTD
St Nicholas Way
To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what service you were involved with.
Encompass LATC must respond within a month, which may be extended by a further two months if the request is complex and the service is free.
The Right Of Rectification
We must correct inaccurate or incomplete information. The right of erasure otherwise known as the fight to be forgotten came into effect in May 2018. You will have the right to have your information erased and to prevent processing unless we have a legal obligation to process your information.
The Right To Restrict Processing
From May you have the right to restrict the processing of your data in the limited circumstances provided in law. For example, where the accuracy of the data is contested or the processing is unlawful (and you have requested data restriction) or where the council no longer needs the data. Where those circumstances are present, we will quarantine your information so that it is only used for a more limited range of purposes permitted within the law, such as handling legal claims.
The Right To Object
You can object to your information being used and Encompass LATC LTD will stop processing your information unless it can demonstrate that it has compelling grounds for continuing the processing, or that the processing is necessary in connection with its legal rights.
From May 2018 you have had the right to get personal data in a machine readable format where you have provided your personal data directly to the company and where the company is relying on consent or performance of a contract as the lawful basis for processing data.
Business IntelligenceWe may analyse your personal information to improve services and for the following purposes:
- undertake statutory functions efficiently and effectively
- service planning by understanding your needs to provide the services that you request
- understanding what we can do for you and inform you of other relevant services and benefits
- help us to build up a picture of how we are performing at delivering services to you and what services the people of the borough need
- analysis of costs and spend of services we provide so that we can to ensure better and efficient use of public funds
- evaluating, monitoring health of the borough population and protecting and improving public health
In order to do this we collect, use and share Aggregated Data such as statistical or demographic data Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.
Profiling and Automated Decision Making
You have rights in relation to automated decision making and profiling including the right to be told if your data is subject to automated decision making and profiling.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a person, to analyse or predict aspects concerning that person's economic and health situation, reliability, personal preferences and interests etc. Automated decision making means any processing that is carried out by automated means without any human review element in the decision-making. For example; carrying out credit checks searches to detect and reduce fraud.
We may use your information from the different services that you engage with to create a single view and profile of you, which will help us to better understand your specific needs and ensure we are providing the right and efficient services to you in accordance with your needs as well as ensure that we hold one accurate record of your basic personal data across all our council services; such as your name, DoB, address, email address, change in circumstances etc. Profiling will be carried out only when it is necessary in order to provide you with the service you have agreed to receive or where the council has a statutory obligation or where to the law allows. However, we will notify you where we would do this and where required we will seek your consent.
Protecting your information
Any information held by Encompass LATC LTD about individuals is held securely and in compliance with the Data Protection Act 1998 and GDPR. Encompass is committed to protecting its service user's and customers personal data. We have put measures in place to ensure that our staff, service providers, partners and suppliers all look after your information in line with good practice and the law. These follow the rules and practices known as Information Governance (IG).
The information security measures we've put in place include:
- following good Information Governance practice and the law when it comes to collecting, handling and giving access to information
- training staff in their data protection responsibilities
- putting processes in place to ensure good Information Governance practices for information we collect, hold or handle in both manual and electronic forms
- access to your information is only given to those who need to know and where it is necessary
- information will not be held for longer than required and will be disposed of securely
- we encrypt all our electronic devices and sensitive information that is transmitted is encrypted
Information security breach
If you suspect that there has been, or there is a risk of there being, a breach of the Data Protection Act in the way in which we or our partners or subcontractors handle personal information, then please contact us and ask for the Data Protection Officer. Encompass LATC LTD is however committed to using pseudonymised or anonymised information as much as is practical, and in many cases this will be the default position. Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. Anonymisation is the process of removing identifying particulars or details from (something, especially medical test results) for statistical or other purposes.
We will periodically review our privacy statement to reflect changes in our services and feedback from service users, as well as to comply with changes in the law.If you would like to know more information, then please contact us.
The Services we provide
As a local authority trading company we provide many of our services on behalf of the London Borough of Sutton. However we also provide services independently. The way in which we use and share your information differs depending on which of ours services you are accessing. If you are accessing a service that we provide independently of the council we will not share your information with them without seeking your explicit consent.