Skip to content
Get in touch

Privacy Policy

Glassmoon Services Limited Privacy Policy – External

This policy applies to individuals who are not employed by us or directly receiving our care services (people we support). This includes, for example: family members, advocates, legal representatives, health and social care professionals (such as NHS or local authority staff involved in the care we provide), members of the public (such as neighbours or visitors), and anyone who may raise a complaint or enquiry with us.

When Glassmoon Services Limited processes your personal data, we comply with the Data Protection Act 2018 (DPA) and the UK General Data Protection Regulation (UK GDPR) (together, the “Data Protection Legislation”).

Your personal data includes any information we hold that identifies you or relates to you – for example, your name, contact details (address, email, telephone number), and any opinions or notes about you that we may record. It can also include special categories of personal data (sensitive information such as health or other protected characteristics) if you share such information with us or it arises in the context of our work (for instance, during a safeguarding concern).

Everything we do with your personal data counts as “processing” – including collecting, storing, using, sharing or deleting it. We are committed to ensuring that your information is properly protected and used appropriately in compliance with the law.

This Privacy Policy explains what personal data we process about you, why we process it, how we process it, and other important information about your rights and our responsibilities.

Our responsibilities

Glassmoon Services Limited is the Data Controller for the personal data described in this policy. We have appointed Kevin Preece as our Data Protection Officer (DPO). The DPO has day-to-day responsibility for ensuring we comply with data protection requirements, and for dealing with any requests or queries from individuals about their data protection rights. (If this role changes, we will update the policy accordingly.)

What personal data do we process about you?

We process limited personal data about external individuals when it is necessary for us to deliver our services, communicate effectively, and meet our legal obligations. We may process your personal data, for example, to communicate with you regarding our services or someone we support, to respond to your enquiries or complaints, or to manage and investigate incidents or safeguarding concerns in which you are involved.

(If you do not provide certain information when we request it, we may not be able to fulfill your request, respond to you, or meet certain obligations.)

Personal data we may process about you (depending on the context and what you provide to us) includes:

  • Identity and Contact Details: Your name, address, telephone number, email address, and (if relevant) your job title or the organisation you represent. We may also record your relationship to an individual we support (for example, if you are their family member, legal representative or carer).
  • Communication Records: The content and details of communications between you and us, such as emails, letters, forms or messages you send us, and any responses we provide. We may also keep notes of telephone conversations or meetings with you as needed.
  • Incident, Safeguarding and Complaints Information: If you are involved in or raise a complaint, incident, accident or safeguarding concern, we will process information about that matter. This may include your account of events, statements you provide, and any relevant details concerning the issue (which might occasionally contain sensitive information if it is pertinent to the incident or concern). It may also include basic information about other individuals involved or mentioned in the context of the issue (for example, if you are a witness, a person affected by an incident, or someone making a complaint or enquiry).
  • Other Data You Provide: Any additional personal data you choose to give us or that we record as necessary to manage our interactions. For instance, if you inform us of particular communication preferences or special requirements, we may note this to better assist you.

We do not generally collect certain types of information from external contacts, such as financial details (e.g. bank or payment details) or unique identification numbers (e.g. National Insurance or passport numbers), unless there is a specific need and lawful basis to do so. We also do not collect more information than is necessary, and we aim to be transparent whenever we ask you for personal data.

Why do we process your personal data and on what legal basis?

We will only process your personal data when we have a valid legal basis under Data Protection Legislation. The main reasons we process external contacts’ personal data are:

  • To communicate with you and manage our relationship: We process your contact information and communications for our legitimate interests in running our organisation and keeping in touch with those who interact with us. For example, we may need to contact you to respond to an enquiry or complaint, to provide you with information you have requested, or to keep you updated about mattersaffecting you or an individual you represent (such as a family member in our care).
  • To comply with legal or regulatory obligations: We process personal data where it is necessary for compliance with laws and regulations that apply to our services. For example, we have legal obligations to cooperate with safeguarding investigations, regulatory inspections by bodies like the CQC, or to maintain certain records of incidents, complaints or health and safety matters. In these cases we may process information about external people (such as family members or witnesses) as part of fulfilling our duties under the law.
  • To protect vital interests: In emergencies or critical situations relating to the life, health or safety of you or others, we may process personal data because it is necessary to protect someone’s vital interests. This is a rare basis and would apply, for instance, if we needed to share your information with emergency services to prevent serious harm.
  • To perform tasks in the public interest in social care: As a registered adult social care provider, some personal data processing is carried out as part of our role in providing social care and safeguarding individuals in our care. This can include processing certain sensitive information under the relevant legal conditions (for example: “necessary for the provision of social care services or the management of social care systems” or “necessary for reasons of substantial public interest on the basis of law, for the safeguarding of vulnerable individuals”). We use these special legal bases only when applicable, such as handling safeguarding data or health-related information that may be relevant to a complaint or incident.

If none of the above bases apply and we still wish to process your personal data (which is unlikely for external contacts), we will ask for your consent. Should we ever rely on your consent, you have the right to withdraw that consent at any time. If you do withdraw consent, we will stop the related processing unless another lawful basis applies. (Withdrawing consent will not affect the lawfulness of any processing we carried out before you withdrew consent.)

Who will receive or have access to your personal data?

We treat your personal data confidentially and will only share it when necessary. Recipients of your information may include:

  • Health and Social Care Partners: We may need to share relevant information with professionals involved in the care of an individual we support, such as health professionals, support providers, social workers, local NHS or Local Authority teams, safeguarding teams, or multi-disciplinary teams (MDTs), but only as it relates to ensuring proper care or protecting individuals from harm. For example, if you are a family member or advocate of someone we support, we may discuss certain information about that person’s care with you (with appropriate consent or best interest considerations). Conversely, if you are a professional collaborating with us, we may hold and share your contact details and relevant communications to coordinate care or services.
  • Regulatory and Legal Requirements: We may share personal data with regulators or authorities when required – for instance, with the Care Quality Commission (CQC) during an inspection, or with local safeguarding boards, police, or other law enforcement agencies if an incident or legal obligation compels us to do so. We will also share information if needed to protect individuals from harm or in response to lawful requests (such as court orders)
  • Service Providers (“Data Processors”): We use reputable third-party systems to help us run our organisation. These may include cloud-based IT services (such as Microsoft 365 for email/forms/documents, Log My Care for care records, or Radar Healthcare for incident management). These providers might process your data on our behalf (for example, storing an email or form you submitted) but are contractually bound to keep your data secure and only use it as we instruct. We remain responsible for ensuring they meet data protection standards.
  • Family Members or Other Individuals: In some cases, we may need to share your information with other individuals. For example, if you are a neighbour raising a complaint, we might need to inform a relevant family member or carer about the issue. We will do this only when it is necessary and with due respect for your privacy, balancing it with the needs and rights of those involved.

Please be assured that we will not share your information with any third parties for marketing or advertising purposes, nor do we sell your personal data. We only disclose what is necessary for the purposes described in this notice or as required by law.

International transfers

Glassmoon Services Limited stores and processes most personal data within the United Kingdom (or, where applicable, countries that the UK has deemed to have adequate data protection laws). We do not routinely transfer personal data outside of the UK. If in the future we need to transfer your information to an organisation in a country outside the UK, we will ensure that appropriate safeguards are in place (such as UK international data transfer agreements or reliance on UK adequacy regulations) to protect your personal data, as required by law.

How long will we keep your personal data?

We only keep your personal data for as long as necessary to fulfil the purposes for which it was collected, and to comply with legal and regulatory requirements.

Different categories of data may be kept for different periods. For example:

  • Communications and general enquiries – kept for as long as needed to resolve your query or manage our relationship, and then securely deleted when no longer required.
  • Complaint records – typically retained for a period such as 3 years following resolution of the complaint (or longer if required for ongoing obligations or legal considerations).
  • Incident and safeguarding records – retained in line with statutory guidance and our policies (which may require keeping serious incident records for an extended duration, e.g. up to 20 years or more in certain cases, particularly where they involve serious safeguarding issues).

We have a detailed Data Security and Data Retention Policy which sets out specific retention periods for different types of records, consistent with the NHS Records Management Code of Practice and other relevant guidance. We will not keep your data for longer than necessary. When the applicable retention period expires, we will safely and securely delete or destroy your personal data.

What are your rights?

Under the Data Protection Legislation, you have the following rights regarding your personal data:

  • Right to be informed: You have the right to be given clear, transparent information about how your personal data is used. This Privacy Policy forms part of our commitment to inform you.
  • Right of access: You can request confirmation of whether we are processing your personal data and obtain a copy of your data, along with supplementary information (much of which is provided in this policy). This is commonly known as a Subject Access Request.
  • Right to rectification: If any personal data we hold about you is inaccurate or incomplete, you can require us to correct it.
  • Right to erasure: You can ask us to delete or remove your personal data in some circumstances. This is often called the “right to be forgotten.” For example, this right applies if we no longer need your data for its original purpose, if you withdraw consent (where we relied on consent), or if we have processed your data unlawfully. (This right is not absolute and does not apply if we still have a lawful reason to retain your data.)
  • Right to restrict processing: You can ask us to stop using your data in certain situations – for instance, if you are verifying its accuracy or you have objected to our use of it. We will continue to store your data (so we know not to use it) but will not use it until the issue is resolved, unless we are required to do so for legal reasons.
  • Right to data portability: In some cases, you have the right to obtain your personal data in a commonly used, machine-readable format and to transfer it to another organisation, where the processing is carried out by automated means and based on your consent or on a contract with you.
  • Right to object: You can object to certain types of processing, particularly if we are processing your data based on legitimate interests (unless we have a compelling reason to continue, such as a legal requirement), or if we were to use your data for direct marketing or for research/statistical purposes. Note: Glassmoon Services Limited does not use your personal data for direct marketing purposes, nor for any automated profiling that affects you.

To exercise any of your rights, please contact us (using the details in the “Any questions?” section below). We will respond to all legitimate requests and, if we cannot comply with your request, we will explain the reasons.

Your right to complain or raise concerns

We hope we can resolve any query or concern you raise about our use of your information. If you have a concern about the way we are handling your personal data, or you believe we have not complied with our legal obligations, you have the right to complain. You can contact us (see “Any questions?” below) to raise your complaint.

We take such matters seriously. We will acknowledge your complaint within one month (30 days) and then investigate and respond without undue delay (usually within a further month). We will inform you of the outcome of our investigation. If your complaint is particularly complex or involves multiple issues, we may need more time (up to an additional 2 months), but we will keep you informed of any necessary extension and the reasons.

If you are not satisfied with our response, or if you prefer, you have the right to lodge a complaint directly with the Information Commissioner’s Office (ICO), which is the UK’s independent data protection authority. The ICO’s contact details are:

  • Website: https://ico.org.uk/concerns (online complaint portal)
  • Telephone: 0303 123 1113
  • Postal Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

The ICO can provide further information about your rights and how to make a formal complaint if necessary.

Any questions?

If you have any questions about this Privacy Policy or about how we handle personal data, please contact our Data Protection Officer:

  • Email: dpo@glassmoonservices.co.uk
  • Post: Data Protection Officer, Glassmoon Services Limited, Q Store Business Centre, Suite 12 – Eden House, Forge Lane, Saltash, PL12 6LX

We will be happy to assist and provide any further information required.