Privacy Statement

Who are we?

Sanctuary Supported Living is a brand name used by Sanctuary Home Care Limited and Sanctuary Housing Association, each a part of Sanctuary Group (“Sanctuary”). We are one of the UK's leading providers of housing, care and commercial services. Our address is Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ.

Purpose of our privacy statement

Under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), we are required to explain to you why we are asking for this information about you, how we intend to use the information you provide and whether we will share this with anyone else.

Our data protection officer

Our Data Protection Officer is responsible for overseeing what we do with your information and monitoring our compliance with data protection laws.

If you have any concerns or questions about our use of your personal data, you can contact our Data Protection Officer by writing to The Data Protection Officer, Sanctuary House, Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ or emailing dataprotection@sanctuary.co.uk.

What we do (processing activities)

General Enquiries

Why are we collecting your information?

To enable customers, residents and the public to raise enquiries and/or seek information about our services.

If your enquiry relates to a service failure, the information that you provide will also be used for the purpose of improving our products and services.

What information are we collecting?

The information that we collect about you will include your name and contact details, and any other information which you provide to us via email, social media message, telephone, or by completing an enquiry form from our website.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(f) Our legitimate interests or that of a third party in enabling customers, residents and the public to engage with Sanctuary Supported Living on the services available, seek information and/or support.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to answer or resolve your query.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Contractors and sub-contractors

It may be necessary to share information about you, with our contractors and sub-contractors to resolve your enquiry or provide the information requested. Our contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

Regulators and other legal obligations

Data processors and Transfers

To facilitate enquires through our website and social media channels the following categories of data processors process information on Sanctuary’s behalf:

Website hosting partner
Social media management providers

One of our social media management providers, Hootsuite, uses sub-processors who may process and store information in the United States of America or other countries. Where this happens, Hootsuite has standard contractual clauses in place to ensure any information transferred has adequate protections in place and is compliant with data protection laws.

For further information about what international data transfers occur at Hootsuite please visit Privacy | Hootsuite.

Storing your information and deleting it

Following resolution of your enquiry, your information will be retained as outlined below:

Web forms submitted via our websites are retained for 30 days.
Social media private messages are retained for two weeks.
Emails are retained for a minimum of one year and are automatically deleted after three years.
Telephone recordings are retained for 30 days. Please note not all telephone calls are recorded.

Complaints

Why are we collecting your information?

Sanctuary aims to provide good quality homes and deliver high quality services. However, it is recognised that there may be times when something goes wrong, or customers are dissatisfied.

The information you provide will be used to process, investigate, and respond to your complaint.

It will also be used to identify service failure and improve our services more widely. Information may be passported to other parts of Sanctuary to address the specific service failure identified.

We may also receive personal information indirectly, from the Housing Ombudsman or your Member of Parliament if you have raised the matter with them, as well as our contractors as part of our investigation.

What information are we collecting?

We collect and process the following information:

Name
Contact details
Complaint details
Third party authority (if applicable)
Financial / bank details (if applicable for the payment of a good will gesture or compensation).

Depending on the nature of your complaint, some of the information which we collect may be special categories of personal data (also called sensitive personal data), including information relating to your health.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(f) Our legitimate interests or that of a third party, enabling customers to raise a complaint, identify and address failures in service.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(a) Explicit consent

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of a number of related companies. We will share your information with other members of Sanctuary Group where necessary to investigate and resolve your complaint.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may share your information with the Housing Ombudsmen if you have raised a complaint with them about Sanctuary to support this process.

Other Organisations

Where issues of service failure have been identified, it may be necessary to share information about you with our contractors and sub-contractors in order to address this, for example where a repair has not been completed or to your satisfaction. We will only share your information about you with contractors and sub-contractors where it is relevant and necessary to address your individual needs.

Data Transfers

We use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

This transfer is made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Information relating to complaints raised by tenants, will be retained for 6 years following the end of your tenancy.

Complaints raised by members of the public will be retained for 5 years following closure of the complaint.

Financial Information relating to payments of compensation and gestures of goodwill will be retained for 6 years from the end of the last financial year to which they relate.

Use of photos, videos, personal experiences

Why are we collecting your information?

Information you provide to us is voluntary and will be used to support our communication and marketing activities. This may include promotional materials, press releases, social media posts, case studies and corporate documents.

Our materials may be published internally within Sanctuary as well as externally to our residents, on our social media channels and our websites.

What information are we collecting?

We currently collect and process the following information:

Name
Age/Date of birth
Contact details including your email, phone number and your address; and
Photos, videos or audio recordings (if applicable)
Personal experiences (if applicable)

If you choose to provide it, some of the information which we collect may be special categories of personal data (also called sensitive personal data), which includes the following information:

Health-related information, including disability
Sexual orientation
Racial or ethnic origin; and
Religious beliefs

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(a) You have given your consent. You can remove your consent at any time by contacting communications@sanctuary-housing.co.uk.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(a) Explicit consent

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to facilitate our marketing and communication activities.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Contractors and sub-contractors

It may be necessary to share information about you with our contractor and sub-contractors, for example with an external design, website or digital agency, when creating our marketing materials. Our contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

Regulators and other legal obligations

Other organisations

With your consent we may from time to time share your images and information provided with our partners to support our communication and marketing activities.

Data processors and Transfers

To facilitate our communication and marketing activities, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

Photographers and videographers;
Website and digital agencies;
Marketing and PR agencies;
Media organisations;
Printing companies;
System providers (in circumstances of technical IT support)

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We will retain the information you provide for 5 years, unless you contact us to withdraw consent earlier than this date.

We may from time to time seek to ‘refresh’ your consent, at which point we would retain your information for a further 5 years from the date consent was refreshed.

Applicants and clients at agency managed services

Why are we collecting your information?

The majority of the information we collect is provided to us by the managing agent of our properties. This information is required by us to provide services which are tailored to our customers’ needs.

We will also use this information to assist in the management of your tenancy or license with us as well as to enable us to monitor the managing agent’s performance by:

maintaining our accounts of rents and other payments you make;
managing and approving any proceedings for possession or breach of your tenancy or license taken on our behalf;
being aware of major incidents and accidents that occur in our properties;
being aware of complaints and reports of anti-social behaviour;
retaining copies of your tenancy or license documents; and
being made aware of requests for aids and adaptations in our properties.

We will also collect a limited amount of information that you provide directly to us. For example, if you make a complaint to us, we will use this information to respond to your complaints, in-line with our complaints process.

Some of the information we collect will also be special categories of personal data (also known as ‘sensitive personal data’), which includes information about your health and wellbeing. This information is necessary for us to assess your particular housing needs, so that we can comply with our obligations under social protection law and as a registered social landlord.

We may also receive personal information indirectly, from the following sources for the purpose of supporting the needs of our customers:

Local authorities
Commissioners
Safeguarding authorities

What information are we collecting?

We will collect information from your managing agent for the purposes set out above, including:

your name, on copies of tenancy or license-related, adaptation-related and rent-related documents;
your contact details, date of birth, personal history and gender;
relevant details of your needs in relation to assessing aids and adaptations requests and occupational therapists’ letters sent to us by the managing agent;
financial records about payments relating to your tenancy, any outstanding amounts and associated recovery action;
information on any proceedings taken for possession, or for breach of your tenancy or license with us;
information provided to us in relation to complaints or anti-social behaviour that is relevant to your tenancy or license; and
information about any repairs and maintenance requirements you have during your tenancy or license with us.

We also collect health related information, which is a special category of data (also called sensitive personal data).

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(b) Performance of a contract – using your information in this way is necessary prior to entering into a tenancy or licence agreement with you, and to perform our contracts with you and with the managing agent once entered into.

(c) Compliance with a legal obligation – using your information is necessary for us to comply with a legal obligation to which we are subject, in accordance with the Care Act 2014 and the Housing Act 2004.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(h) Health or social care.

Our basis in Law is Section 2 of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for health or social care purposes.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of a number of related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors in order to provide you with housing services in accordance with the tenancy or licence agreement in place between us. We will only share your information about you with contractors and sub-contractors where it is relevant and necessary to address your individual needs. Our contractors and sub-contractors shall be contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on our behalf.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

organisations with a function of auditing and/ or administering public funds for the purpose of detection and prevention of fraud;
the police for the purpose of detection and prevention of crime;
local authority teams where this is necessary in relation to our responsibilities to you as a landlord, such as environmental health; and
the NHS and Healthcare professionals for the purpose of providing appropriate care, support services and/or extended care.

Data processors and Transfers

To facilitate the delivery of services to you, we instruct agencies who manage services on our behalf, who act as a data processor, processing information on Sanctuary’s behalf.

We also use a third-party processor for technical IT support with our internal systems, who may transfer your data outside the UK to India.

This transfer is made in accordance Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Once you are no longer a resident of ours your information will be retained for six years following the end data of your tenancy.

Supported housing and care (applicants and clients)

Why are we collecting your information?

At application stage, we will use your personal information in order to assess the suitability of our services for you and to understand your care and/or support requirements. This will also allow us to ensure that our services are fair and accessible to all.

Should you become a client of ours, we will use your information to understand your personal circumstances and individual needs so that we can provide a tailored service that meets your care and/or support needs, including but not limited to management of your tenancy or license, risk management, cultural, financial, learning, mental or physical needs.

We will also use your information to improve the services we provide, and you receive from us.

We may also receive personal information indirectly, from the following sources in the certain circumstances:

Other health and care organisations
Local authorities
Partner agencies

What information are we collecting?

In order to progress your application for our services, we will collect the following information:

your name, date of birth and personal contact details;
your national insurance number;
your language preferences and communication needs;
the gender you identify as;
whether anyone acts on your behalf and you whether you have capacity;
your income and financial health;
your housing history, including any arrears or debts you may owe;
relevant family details including your marital status, whether you have any children or whether you are pregnant; and
relevant information about your personal life and any care or support requirements you may have.

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

the ethnicity you describe yourself as belonging to;
your religious beliefs;
any cautions or unspent criminal convictions you may have; and
details in relation to your health.

Should you become a client of ours and receive services from us, we will use the information provided during your application to provide you with our services. We will also collect the following information to support you in managing your tenancy or license, provide you with our care, support, and action planning services:

the contact details of your next of kin, relatives and other named contacts;
images of you to assist us in co-ordinating and personalising your care and support;
details in relation to your care and/or support requirements, including your progress against your personalised outcomes;
details of your contact and interactions with us in person, by telephone and in electronic and written communications;
information provided by third parties in relation to complaints or anti-social behaviour that is relevant to your care and support, risk management or tenancy support;
financial records about payments relating to the housing and services you receive from us, any outstanding amounts and associated recovery action; and
information about any repairs and maintenance requirements you have during your tenancy with us.

When you become a tenant, we will also collect additional special category information about your well-being, physical and mental health.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(b) Performance of a contract – using your information in this way is necessary for us to take steps at your request prior to entering into a care services contract with you, and to perform the care services contract between us once it has been entered into.

(c) Compliance with a legal obligation – using your information is necessary for us to comply with a legal obligation to which we are subject, in accordance with the Care Act 2014, the Housing Act 2004 and the Social Housing (Regulation) Act 2023.

In accordance with Article 9 (UK GDPR) the conditions we rely on for processing special categories of personal data are:

(a) Explicit consent; and

(h) Health or social care.

Our basis in Law is Section 2 of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for health or social care purposes.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors to provide you with care and support services. We will only share your information with contractors and sub-contractors where it is relevant and necessary to address your individual needs. Our contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

utility companies so they can provide services to you and contact you in respect of utility charges, if you are a resident of a Sanctuary property;
the police for the purpose of detection and prevention of crime;
the NHS and Healthcare professionals for the purpose of providing appropriate care and support services.
other medical professionals – we may be required to share any care or health information with third parties who may need to have such information to deliver extended care to a patient, such as emergency care or hospitals to which you as a patient may need to be admitted to.
organisations with a function of auditing and/or administering public funds for the purpose of detection and prevention of fraud;
local authority teams such as social services, environmental health, council tax departments and benefit agencies; and
we will share your first and last name, email address and telephone number with E-vouchers for the purpose of providing you with vouchers that you can redeem towards your energy bill or for cash (if applicable).

Data processors and Transfers

To facilitate the delivery of services to you, if applicable, information may be shared with translators where you require translation or interpreting services who will act as a data processor on Sanctuary’s behalf.

We also use a third-party processor for technical IT support with our internal systems, who may transfer your data outside the UK to India.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

At application stage, if you decide not to take your application any further, we will hold your personal information for 6 months after your last contact with us or your application is closed.

After becoming a client, we will keep your support and service user records for seven years after our relationship ends.

Data subject rights requests

Why are we collecting your information?

Data protection laws aim to empower individuals and give them greater control over their personal data through several rights including:

Right of access – referred to by Sanctuary as a DSAR (Data Subject Access Request), gives individuals the right to obtain a copy of their personal data from us, as well as other supplementary information.
Right to rectification – to have inaccurate personal data rectified, or completed if it is incomplete. This right is not absolute and in certain circumstances we can refuse a rectification request.
Right to erasure – the right to have their personal data erased. This right is not absolute and in certain circumstances we can refuse an erasure request.
Right to restrict processing – to restrict the processing of their personal data. For example, Sanctuary could continue to store personal data but not use it. This right is not absolute and in certain circumstances we can refuse a request.
Right to data portability – to obtain and reuse their personal data for their own purposes across different services. The right only applies to information an individual has provided to Sanctuary and where the lawful basis for processing is consent or performance of a contract. Paper records are excluded from this right.
Right to object – the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. The right effectively allows individuals to stop or prevent organisations from processing their personal data, though is not absolute and in certain circumstances we do not have to comply.
Rights related to automated decision making and profiling – restricts organisations from making solely automated decisions, by enabling individuals to request human intervention or challenge a decision that has been made.

Sanctuary is committed to protecting the rights of data subjects and ensuring compliance with all applicable data protection laws in the UK. The information we collect, and process will be used to administer your data subject rights request.

What information are we collecting?

To facilitate your request, we will collect and process the following information:

Name
Contact details, such as address, email address and telephone number
Identification documentation
Details of the scope of request
Third party authority data (where applicable)

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(c) Compliance with a legal obligation – using your information is necessary for us to comply with a legal obligation to which we are subject in accordance with UK data protection law.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to facilitate your request.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to this information by law and with other organisations where we have a legal obligation to share the information with them, for example if you raise a complaint with the Information Commissioners Office about the handling of your request.

Other organisations

We may share your information with other organisations where relevant in order to comply with your request of erasure, restriction, objection or rectification where we had previously shared that information with our partner organisations.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Following completion of your request or any subsequent complaint to the Information Commissioners Office, the case file will be retained for one year before deletion.

Video surveillance (CCTV)

Why are we collecting your information?

Sanctuary Supported Living uses Video Surveillance Management Systems (commonly known as CCTV) to support safeguarding and promote child welfare as well as help reduce the fear or threat of crime, to protect customers, staff, our premises, fixtures, fittings, and property.

Video surveillance images will be used to:

assist in the prevention and detection of crime
facilitate the identification, apprehension and prosecution of offenders in relation to crime;
ensure the security of the Group’s customers, employees, visitors and property;
facilitate appropriate door and site access;
reduce incidences of vandalism and criminal damage; and
enhance the feeling of security provided to customers, staff, and visitors.

What information are we collecting?

We collect and process video surveillance images. These images may reveal or enable the inference of special categories of data (also called sensitive personal data), such as any disability or health conditions, racial or ethnic origin as well as religious beliefs.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(f) Our legitimate interests or that of a third party – for the purposes of safeguarding, promotion of child welfare as well as the prevention and detection of crime.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(g) Reasons of substantial public interest.

Our basis in Law is Section 10 of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of the prevention or detection of an unlawful act.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

We may also be required to share your information with our regulators who are permitted access to information by law and with other organisations where we have a legal obligation to share the information with them.

Other organisations

We may from time to time share your information with other organisations, such as:

insurance companies or solicitors, in connection with any claims where evidence of video surveillance footage is required.

Data processors and transfers

To facilitate this process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

security companies that are responsible for on-site security (where applicable)

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We retain video surveillance footage for 28 days at which point the information is automatically deleted.

Site visitors

Why are we collecting your information?

When visiting our premises we collect and process your information for site security, safety and fire evacuation purposes, as well as to ensure you are identifiable.

What information are we collecting?

Most of the personal information we process is provided to us directly by you when completing our signing-in and signing-out sheet.

We collect and process the following information:

Name
Contact details (if applicable)
Vehicle registration number (if applicable)
Site location

In relation to visitors to our Worcester head office site, we also take a photograph of you which is printed as part of your visitor pass which is required to be worn while on site for security purposes to ensure you are identifiable.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(c) Compliance with a legal obligation - using your information is necessary for us to comply with a legal obligation to which we are subject in accordance with the Health and Safety Act 1974.

(f) Our legitimate interests or that of a third party – for the purposes of security.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best facilitate this process.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Data processors and Transfers

To facilitate this process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

System providers for technical IT support (to enable the creation of ID badges and provide fob access – if applicable).
security companies that are responsible for on-site security (where applicable).

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Information captured via our Visitor Management System at our Worcester Head Office, is retained for one week from the date of visiting the premises.

We will keep the information that is provided to us in our signing in and out sheets for 9 months from the date of visiting the premises.

Floating support and care (applicants and clients)

Why are we collecting your information?

We will also use your information to improve the services we provide, and you receive from us.

We may also receive personal information indirectly, from the following sources in the certain circumstances:

Other health and care organisations;
Local authorities;
Probation services; and
Emergency services.

What information are we collecting?

In order to progress your application for our services, we will collect the following information:

your name, date of birth and personal contact details;
the contact details of your next of kin, relatives and named contacts;
the gender that you identify as;
relevant information about your personal life, and any care or support needs you may have;
your instructions for accessing your home;
how your care and support will be funded; and
outline care plan, provided by your local authority, including information about the number of care and support hours you need from them.

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

details of your health, including any medication you take; and
relevant details of your religious and cultural beliefs.

Should you become a client of ours and receive services from us, we will use the information provided during your application to provide you with our services. We will also collect the following information to provide you with our care, support, and action planning services:

images of you to assist us in co-ordinating and personalising your care and support;
relevant family details, such as your marital status;
whether anyone acts on your behalf and whether you have capacity;
the contact details of named contacts you provide to us;
your information and communication needs;
your preferred access arrangements to your home;
details in relation to your care and/or support requirements, including progress against your personalised outcomes;
details of your contact and interactions with us in person, by telephone and in electronic and written communications;
information provided by third parties in relation to complaints or anti-social behaviour that is relevant to your care and support, risk management or tenancy support;
financial records about payments relating to the services you receive from us, any outstanding amounts and associated recovery action; and
details of any additional risks not identified above.

Additionally, when you become a client, we will collect the following special categories of personal data (also called sensitive personal data), including:

the ethnicity you describe yourself as belonging to; and
details in relation to your well-being, physical, and mental health.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

In accordance with Article 9 (UK GDPR) the conditions we rely on for processing special categories of personal data are:

(a) Explicit consent; and

(h) Health or social care.

Our basis in Law is Section 2 of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for health or social care purposes.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Contractors and sub-contractors

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

the police for the purpose of detection and prevention of crime;
organisations with a function of auditing and/or administering public funds for the purpose of detection and prevention of fraud;
local authority teams such as social services, environmental health, council tax departments and benefit agencies;
the NHS and other health and social care services for the purpose of providing appropriate care and support services;
translators for the purpose of providing translation and interpreting services whenever it is required; and
the Courts and other relevant public bodies whenever we have a legal obligation to share information with them.

Data processors and Transfers

To facilitate the delivery of services to you, information may be shared with our system providers for the purpose of technical IT support and trouble shooting.

We also use a third-party processor for technical IT support with our internal systems, who may transfer your data outside the UK to India.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

At application stage, if you decide not to take your application any further, we will hold your personal information for 6 months after your last contact with us or your application is closed.

After becoming a client, we will keep your support and service user records for seven years after our relationship ends.

Technology Enabled Living – application and service delivery

Why are we collecting your information?

At application stage, we will use your personal information to assess the suitability of our services for you and to understand your care and/or support requirements. This will also allow us to ensure that our services are fair and accessible to all.

Should you become a customer of ours, we will use your information to understand your personal circumstances and individual needs so that we can provide a tailored service that meets any cultural, financial, learning, mental or physical needs that you may have and enable us to deliver telecare support and escalation services to meet your desired outcomes.

We will also use your information to improve the services we provide, and you receive from us.

Your information will also be used to enable us to contact you in the most appropriate way, for example, we can provide literature in large print if you have difficulty reading smaller print or provide documents in an alternative language if English is not your preferred language.

For information about your gender, race, religion or other protected characteristics, we collect this as it is necessary in order to identify or keep under review equality of opportunity or treatment of particular groups of people (e.g. equality in relation to gender, race, religion etcetera).

We may also receive personal information indirectly, from the following sources in certain circumstances:

other health and care organisations;
police and other emergency services.

What information are we collecting?

During your application and personalised assessment for our services, we will collect the following information:

your name, date of birth and personal contact details;
your language preferences and communication needs;
the gender you identify as;
whether anyone acts on your behalf and whether you have capacity;
details of your family, including your marital status, whether you have anybody living with you;
personal contact details for next of kin or named responders for alarm call escalation purposes;
your reasons for using telecare and your desired outcomes; and
relevant information about your personal life and any care or support requirements you may have.

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

the ethnicity you describe yourself as belonging to;
your religion; and
details in relation to your health and wellbeing.

Should you become a customer of ours and receive services from us we will use the information provided during your application and personalised assessment to provide you with our services. We will also collect the following information to support you with telecare, support and action services:

the contact details of next of kin, relatives and other named contacts;
your image to assist us in co-ordinating and personalising your care and support;
details in relation to your telecare support requirements, including progress against your personalised outcomes;
details of your contact and interactions with us in person, by telecare, by telephone and in electronic and written communications;
information provided by third parties in relation to your care and support and risk management; and
financial records about payments relating to the services you receive from us, any outstanding amounts and associated recovery action.

When you become a customer, we will also collect additional special category information about any home care provision you receive, including visit times, frequency as well as details about your well-being, physical and mental health.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(b) Performance of a contract – using your information in this way it is necessary for us to take steps at your request prior to entering into a telecare support contract with you, and to perform the contract between us once it has been entered into.

In accordance with Article 9 (UK GDPR) the conditions we rely on for processing special categories of personal data are:

(a) Explicit consent; and

(h) Health or social care.

Our basis in Law is Section 2 of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for health or social care purposes.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Contractors and sub-contractors

It may be necessary to share information about you with our contractors and sub-contractors in order to provide you with telecare support and escalation services. We will only share your information with contractors and sub-contractors where it is relevant and necessary to address your individual needs. Our contractors and sub-contractors are contractually required to ensure that they adhere to the security requirements imposed by the Data Protection Act 2018 and the UK GDPR.

Our contractors and sub-contractors will not share your information with any other parties and will only be able to use the information when completing work on behalf of us.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

the emergency services, care providers and mobile responding services to protect your vital interests and for the purpose of providing a response to you following an activation from your telecare technology or telephone contact;
the police for the purpose of detection and prevention of crime;
if you have provided consent for signposting to relevant support organisations; and
organisations with a function of auditing and/or administering public funds for the purpose of detection and prevention of fraud.

Data processors and Transfers

To facilitate the delivery of services to you, information may be shared with system providers for technical IT support and trouble shooting.

We also use a separate third-party processor for technical IT support with our internal systems, who may transfer your data outside the UK to India.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

At application stage, if you decide not to take your application any further, we will hold your personal information for 6 months after your last contact with us or your application is closed.

After entering a contract with us we will keep your information for 12 months from the date you end your tenancy.

Video surveillance (CCTV) to support high need care

Why are we collecting your information?

We use Video Surveillance Management Systems (commonly known as CCTV) to monitor you for health purposes as a result of a Best Interest decision or Deprivation of Liberty (DoL) created by your local authority. Video Surveillance will be located in your residential accommodation to meet your health and wellbeing needs.

Video surveillance images will be used to:

enhance and maintain the best care on regular night checks;
monitor your health and wellbeing; and
ensure that any safeguarding incidents can be responded to quickly and to enable us to alert the relevant authorities where needed.

What information are we collecting?

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(d) to protect the vital interests of the data subject.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

We may when appropriate share your information with local safeguarding teams as a part of a safeguarding review or investigation.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We retain video surveillance footage for 28 days at which point the information is automatically deleted.

Work experience

Why are we collecting your information?

Completing a work experience placement with Sanctuary Supported Living is very rewarding and will help boost your confidence whilst you gain important life skills. It is an unpaid opportunity which will give you the chance to get an overview of working in supported living.

A work experience placement is usually completed during the holidays or as part of an educational course. For example, Health and Social Care students are required to attend a placement in a real work environment to support their learning (usually between 100 and 200 hours in total). Importantly, work experience gives people who are undecided about a career choice an opportunity to experience what that job could be like, helping them to make an informed decision.

The information that you provide to us will be used to process your application and to provide you with a work experience placement.

We may also receive personal information indirectly, from the Disclosure and Barring Service (DBS), Disclosure Scotland as well as charities and other organisations that help people into work, if applicable.

What information are we collecting?

To process your application and provide you with a work experience placement we collect and process the following information:

Name
Address
Contact details, such as telephone number and email address
Date of birth
Gender
Course, level of study and academic institute (if applicable)
The work experience opportunities you are interested in
The times you are able to attend your placement, how far you are willing to travel as well as the specific dates and times
You are also able to provide any other information that you feel may be useful in relation to your placement (this is not mandatory, and any information provided is discretional)
Feedback of your placement experience

Where applicable, we collect work eligibility data to ensure compliance with legal and regulatory requirements. This information allows us to verify individuals’ suitability for specific roles, maintain a safe working environment, and meet industry standards. This includes the following information:

Supporting documentation and information for DBS checks
Role-specific qualifications and registrations

We also collect information relating to your health which is a special category of personal data (also called sensitive personal data). You need to be aware that we will use this information to ensure we deliver services in an appropriate manner. By providing us with this information, you consent to our use of this information for this purpose.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(a) you have given your consent. You can remove your consent at any time. You can do this by contacting sslworkexperience@sanctuary.co.uk

(f) Our legitimate interests of that of a third party - to enable Sanctuary to offer, and individuals to undertake, appropriate work experience placements.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(g) Explicit consent. You can remove your consent at any time. You can do this by contacting sslworkexperience@sanctuary.co.uk.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

Where applicable we will share information with the Disclosure and Barring Service and/or Disclosure Scotland to facilitate appropriate checks and suitability for placements.

Data processors and Transfers

To facilitate the delivery of services to you, information is shared with the following categories of data processors who process information on Sanctuary's behalf:

DBS check facilitation service

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We keep the information relating to your application and work experience placement for six years following completion of your placement.

For unsuccessful applications, we retain this information for up to 12 months.

Volunteers

Why are we collecting your information?

Completing a volunteer placement with Sanctuary Supported Living is very rewarding and will help boost your confidence whilst you gain important life skills. It is an unpaid opportunity which will give you the chance to get an overview of working in a care home.

Volunteering is usually undertaken over a longer period and gives you the opportunity to share your skills and hobbies with our care home residents. For example, you may be a keen crafter and be able to lend your skills to a regular workshop or activity session for our residents. Giving your time freely in this way is very special and our volunteers tell us how empowered they feel making a real difference to our residents' lives.

The information that you provide to us will be used to process your application and to provide you with opportunities to volunteer aligned to your interests, skills and availability.

We may also receive personal information indirectly, from the Disclosure and Barring Service (DBS), Disclosure Scotland, reference providers, as well as charities and other organisations that help people into work, if applicable.

What information are we collecting?

To process your application and provide you with volunteering opportunities we collect and process the following information:

Name
Address
Contact details, such as telephone number and email address
Date of birth
Gender
Nationality
The volunteering opportunities you are interested in
The times you are able to volunteer, how far you are willing to travel as well as the specific dates and times you do volunteer
You are also able to provide any other information that you feel may be useful in relation to you volunteering (this is not mandatory, and any information provided is discretional)

Supporting documentation and information for DBS checks
Role-specific qualifications and registrations

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(a) you have given your consent. You can remove your consent at any time. You can do this by contacting sslvolunteer@sanctuary.co.uk

(f) Our legitimate interests of that of a third party - to enable Sanctuary to offer, and individuals to undertake, appropriate volunteering opportunities.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(g) Explicit consent. You can remove your consent at any time. You can do this by contacting sslvolunteer@sanctuary.co.uk.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

Where applicable we will share information with the Disclosure and Barring Service and/or Disclosure Scotland to facilitate appropriate checks and suitability for placements.

Data processors and Transfers

To facilitate the delivery of services to you, information is shared with the following categories of data processors who process information on Sanctuary's behalf:

DBS check facilitation service
Online referencing service

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We keep the information relating to your application and volunteering placement for six years following completion of your placement.

For unsuccessful applications, we retain this information for up to 12 months.

Marketing

Why are we collecting your information?

The information that you provide to us when signing up to our mailing list is required to send you news and information emails about new opportunities with Sanctuary for either:

for business-to-business marketing
for marketing in relation to becoming a prospective resident at a Sanctuary Supported Living scheme.

It is completely voluntary, and you can unsubscribe from our emails at any time.

We use information related to your engagement and activity on our services to improve customer experience and journey, and to enable us to tailor our marketing.

What information are we collecting?

Business-to-business marketing

To enable us to provide you with business-to-business marketing emails, we will collect your:

Name
Organisation name
Email address
Cookies (when engaging via webforms on our website). For further information on our use of cookies, please see our cookie policy.
IP address

Prospective Supported Living resident marketing

To enable us to provide you with marketing emails in relation to Supported Living opportunities, we will collect your:

Name
Email address and/or postal address
Contact number
Relationship status (if enquiry is received on behalf of prospective resident, i.e. from a relative)
Cookies (when engaging via webforms on our website). For further information on our use of cookies, please see our cookie policy.
IP address

For both business to business and prospective customers, we will also collect information about how you interact with those emails; whether you open them or not, at what time, if you mark them as spam, whether you click on a link and whether you unsubscribe.

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(a) you have given your consent. You can remove your consent at any time by unsubscribing or by contacting ssl.marketing@sanctuary.co.uk

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Data processors

To facilitate our marketing activities, information may be shared with our marketing platform provider for the purpose of technical IT support and troubleshooting.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We will store your personal data for as long as our products or services match the interest you expressed and for as long as you continue to provide consent.

If we have not sent you marketing information for 3 years, your information will be deleted.

Apprenticeships

Why are we collecting your information?

Sanctuary's award-winning apprenticeship programme offers apprentices and staff the chance to study for a practical qualification while contributing to the success of a fast-paced, constantly evolving organisation.

An apprenticeship is a programme of learning that takes place in the work environment and depending on the programme, at college, where a learner will gain experience and skills in their chosen sector.

The information that is provided to us during the course of the apprenticeship recruitment process is required by Sanctuary in order for us to determine if you are eligible to undertake an apprenticeship programme. Without this information, we will not be able to offer and enter into an apprenticeship contract with you.

We may also receive personal information indirectly, from the following sources in certain circumstances:

Learning providers - to provide updates on progress of qualifications and to support the sign-up process

What information are we collecting?

During the apprenticeship recruitment process we will collect and process the following information:

Name and contact details
Date of birth
Nationality
Gender
Unique learner number
Qualifications

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

Ethnicity

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful basis we rely on for processing this information is:

(b) Performance of a contract

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(g) Employment, social security and social protection

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

Learning provider to identify learner and support the sign-up process
Digital Apprenticeship Service to receive learner details of new apprentices

Data processors and Transfers

We use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We keep the information outlined above for six years following the end of your apprenticeship.

HR Recruitment

Why are we collecting your information?

The information that you provide to us via our online recruitment portal, on your application form, curriculum vitae and covering letter and any other communications between us in connection with your application, is required by Sanctuary for us to process your application appropriately and in line with current legislation. Without this information, we will not be able to consider your application.

We would also like to contact you in relation to other career opportunities we think you may be interested in after creating your Sanctuary profile. This is voluntary, but if you consent, when creating a profile or submitting an application we will use contact details provided by you for this purpose. If you do not want to be informed of any career opportunities, please leave the ‘Opt-In if you would like to receive Marketing e-mails about future job opportunities’ box unticked.

We would also like to inform you about new job posting notifications through the job alert function. This is voluntary, but if you consent, you can create job alerts based on key words and locations of your choosing when creating your profile or at any point afterwards. If you do not want to be informed of any job alerts, please leave the ‘Opt-In if you would like a Job Alert automatically created’ box unticked.

You can manage and update your marketing preferences at any time via your profile.

We may also collect information that is relevant to your application via a third party you have provided information to, such as:

Recruitment agencies
Apprenticeship organisations
Online recruitment services, such as Indeed.com
Social media sites, such as LinkedIn

What information are we collecting?

The table below sets out what data we require during the recruitment process depending on the terms of your employment and whether you are already employed at Sanctuary or not.

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), such as information about any disability you may have. You need to be aware that we will use this information to ensure we deliver services to you in an appropriate manner. An understanding of your personal situation and individual needs will allow us to provide a tailored service that meets any physical or cultural needs that you may have.

Application Stage

Category of data	Existing employee being recruited into a new role	Prospective employees
Name and contact details	✓	✓
Employee ID	✓
Right to work – screening question about whether you have the right to work in the UK	✓ (“Yes/No” question. Documents not provided at this stage)	✓ (“Yes/No” question. Documents not provided at this stage)
Criminal conviction results – screening question about whether you have any cations or convictions	✓	✓
Health conditions including disability – screening question in relation to fitness for work		✓
Adjustments needed: Sanctuary Group is committed to ensuring that our recruitment processes are barrier-free and as inclusive as possible to everyone. This includes making adjustments for people who have a disability or long-term condition. If you would like us to do anything differently during the application process, please provide details	✓ (if applicable)	✓ (if applicable)
Employment history	✓	✓
Education and training history	✓	✓
CV/Resume	✓	✓
Hepatis B status (if applicable) If your job requires that you carry out tasks that involve using needles/sharps, and you have not already been vaccinated against Hepatitis B (including boosters as required) and/or do not have an immunity to Hepatitis B, you should speak to your manager as soon as possible about obtaining this vaccination from your GP.	✓ (if applicable)	✓ (if applicable)
Driving Licence – screening question about whether you hold a valid license	✓

Offer Stage

Category of data	Existing employee being recruited into a new role	Prospective employees
Name and contact details		✓
Employee ID	✓
Job title	✓
Date of birth		✓
Gender and gender identity		✓
Identification documentation		✓
National Insurance number		✓
Nationality		✓
Country of birth		✓
Right to work documentation		✓
Right to work share code		✓
Immigration/right to work status		✓
Bank details		✓
Relationship status		✓
Criminal conviction results	✓	✓
Health conditions including disability – screening question in relation to fitness for work		✓
NMC (Nursing & Midwifery Council) Pin Number and details	✓	✓
Facial biometric data (British and Irish citizens only)		✓
Racial or ethnic origin		✓
Religious or philosophical beliefs		✓
Sexual orientation		✓
Title		✓
Disability Group		✓
Evacuation Plan		✓
Emergency Contact		✓
Referee details		✓
Full employment history	✓	✓
Immunisation History		✓
CQC/Care Inspectorate		✓
Gender Pronouns		✓

Offer Stage (if criminal records check required)

Category of data	Existing employee being recruited into a new role	Prospective employees
Mother’s maiden name		✓
Town of birth		✓
Driving licence details	✓	✓
5-year address history	✓	✓
Previous names	✓	✓
DBS Supporting Documentation	✓	✓

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(a) You have given your consent - for us to contact you about other opportunities and provide job alerts to you via your communication preferences in your profile. You can amend your settings in your profile to remove your consent at any time.

When logged into your candidate profile, there is a field 'Opt-In if you would like to receive marketing e-mails about future job opportunities' where the tick box can be amended (ticked/unticked).
For job alerts, you can also go into the job alerts section and delete/dustbin any job alerts that have been set up.
You can also e-mail dataprotection@sanctuary.co.uk to revoke your consent.

(b) Performance of a contract - using your information in this way is necessary for us to consider entering a contract of employment with you, subject to the recruitment process.

(c) Compliance with a legal obligation - using your information is necessary for us to comply with a legal obligation to which we are subject, in accordance with UK employment laws as an employer and as a provider of care and support services.

In accordance with Article 9 (UK GDPR) the conditions we rely on for processing special categories of personal data are:

(a) Explicit Consent - facial biometric data

(b) Employment, social security and social protection

Our basis in Law is Section 1(a) of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection. Collecting this information is necessary to use that information for carrying out our obligations and rights relating to your prospective employment with us.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

Disclosure and Barring Service and/or Disclosure Scotland
Digital right to work check provider - to process digital right to work checks (British and Irish citizens only)

Data processors and Transfers

To facilitate the delivery of services to you, information is shared with the following categories of data processors who process information on Sanctuary's behalf:

DBS check facilitation service - to process checks for criminal convictions to ensure suitability for roles.
References processor - to process reference checks for new starters.

We also use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

We use a third-party processor, for integration from applications sent via Indeed, who transfer your data to us via the United States of America.

These transfers are made in accordance with Article 46 of the UK GDPR as we have ensured a similar degree of protection is afforded to it through our processor implementing an International Data Transfer Agreement.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Any personal data held in connection with your application will be stored while the application is active, and for a maximum of 12 months after an application has been closed, after which point it will be anonymised. Thereafter application information may be retained on Sanctuary’s systems anonymously in accordance with UK legal and regulatory requirements.

Any personal data held on your candidate profile will be stored while your profile is active, and automatically deleted after 12 months of inactivity.

If you are interviewed but are not successful with your application, your interview data will be deleted after 6 months from the date of your interview.

You can delete your candidate profile at any time by logging into your account, going to ‘Options > Settings’ and clicking the ‘Delete Profile’ button.

Appointment

Why are we collecting your information?

The information that is provided to us during your appointment (including that obtained as part of the recruitment process), or whilst you are engaged by us as an employee, contractor or worker is required by Sanctuary for us to enter and perform a contract of employment or services with you. Without this information, we will not be able to offer and enter a contract with you.

The information you provide to us will be used for the following purposes:

managing your appointment and employment with us, including the performance of our obligations and exercise our rights under your contract of employment or service with us;
it will allow us to provide services and facilities which are tailored to your needs;
monitoring and compliance purposes in line with our legal obligations (including our legal obligations as an employer);
monitor your business and personal use of our information and communication systems to ensure compliance with our Acceptable Usage Policy and Procedure. This includes login and logoff times and any emails or other communications you send or receive in the course of your duties;
it will allow us to ensure information and network security, including preventing unauthorised access to our computer and electronic communication systems and preventing malicious software distribution;
collect health information as part of the new starter process and when required to ensure the health and safety of all our staff and residents. For example,
- we may ask you about any disabilities you have, so that we can make reasonable adjustments to assist you in your role
- during or after a period of illness we may ask for information as part of a return-to-work assessment
- we may ask for information about vaccinations and immunisations you have received where this is relevant to your role;
- make decisions and offer support in the event of illness or a health issue, including determining your fitness for the role and making adjustments to support you at work;
understanding of your personal situation and individual needs to enable us to provide a tailored service that meets any physical or cultural needs that you may have;
improve our overall employee experience, by improving our HR policies, procedures and our operating model. This includes collecting data from any online surveys you choose to complete (e.g. communications, engagement, leavers) – please refer to our separate Privacy Statement on Staff Surveys for further information;
to contact you for the purpose of communicating emergency information in a critical incident (e.g. cyber-attack, total network loss or pandemic);
so we can send you information about your employment (e.g. benefit schemes, pension, electronic payslips, staff surveys, ID badges);
occasionally, where technical information is being delivered or where there is a legitimate business need, we will record meetings and presentations that use MS Teams, Zoom or similar technologies (we will notify you in advance if a meeting will be recorded and will offer options for those attendees who would rather not participate in a recorded session);
for HR systems training purposes;
to maintain the security, health and safety of all our staff and service users by:
- collecting photographs for use on staff ID cards
- collecting data from door access systems;
collecting equalities data is part of Sanctuary’s Equality Strategy: Inclusion for All and is therefore a core element of governance and making sure that we listen and respond to your needs, promote your interests and enhance trust within our community. Before or during your employment Sanctuary may invite you to share data on your diversity characteristics. These can be provided on a voluntary basis, and you can update or remove them via MySanctuary at any time;
to allow us to communicate with you in the most appropriate way. For example, we can provide documents in large print if needed.

The table below sets out what further data we require to manage your appointment by various role types. We will:

	Staff in Sanctuary Care homes	Lone- workers, peripatetic workers, and maintenance operatives	Company car users and/or expense claimants
collect fingerprint data for entry and work management systems	✓
track your location using GPS technology, to ensure efficient use of vehicles and the safety of lone workers		✓
monitor the movement of company mobile phones and/or mobile devices to ensure lone worker safety		✓
collect recordings ACD (Automated Call Distribution) user telephone calls (both internal and external) for training and monitoring purposes	✓
collect information to verify driver eligibility before using a company vehicle or making an expense claim for mileage. For example, Driver’s license details including: License categories License restrictions Driving offences that are civil offence data Health-related information Driving offences that are criminal offence data			✓

We may also receive personal information indirectly, from the following sources in certain circumstances:

Recruitment agency
Referee
Disclosure & Barring Service (DBS)
Disclosure Scotland
Nursing & Midwifery Council (NMC)

What information are we collecting?

To facilitate the purposes detailed above we collect the following information:

Name and contact details
Date of birth
National Insurance Number
Nationality
Country of birth
Bank details
Relationship status
Emergency contact details
Next of kin details
Training records
Staff survey responses
Photograph
Door access information
Communication preferences
Information and communication systems usage
Employment performance information
NMC (Nursing & Midwifery Council) pin number and details (if applicable)
SSSC (Scottish Social Services Council) membership details (if applicable)

Where applicable we collect work eligibility data to ensure compliance with legal and regulatory requirements. This information allows us to verify employee’s suitability for specific roles, maintain a safe working environment, and meet industry standards. This includes the following information:

ID documents for visa checks (British and Irish citizens only)
Right to work status, documentation and share code
Supporting documentation and information for DBS checks (including 3-year DBS re-check)
Criminal conviction check results
Role-specific qualifications and registrations

Some of the information which we collect will be special categories of personal data (also called sensitive personal data), which includes the following information:

Health conditions, including disability, immunisation history and Hepatis B status (if applicable)
Trade union membership
Gender and gender identity data
Racial or ethnic origin
Religious or philosophical beliefs
Sexual orientation

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(b) Performance of a contract - using your information in this way is necessary for us to perform the employment or services contract in place between us and in order to take steps at the request of you prior to entering into the contract.

(c) Compliance with a legal obligation - using your information is necessary for us to comply with legal obligations to which we are subject, in accordance with the UK employment laws as an employer and as a provider of care and support services.

(f) Legitimate interests - using your information is necessary for the purposes of our legitimate interests for communicating emergency information in a critical incident and for collecting data from any online surveys you choose to complete.

In accordance with Article 9 (UK GDPR) the conditions we rely on for processing special categories of personal data are:

(a) Explicit consent to process your equality and diversity data. You can manage this information via MySanctuary and remove at any time. You are also able to remove your consent at any time by contacting HRDO@sanctuary.co.uk

(b) Employment, social security and social protection

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

pension companies, for the purpose of managing retirement savings schemes related to your appointment;
benefit companies, for the purpose of managing employee benefit schemes related to your appointment;
occupational health and insurance companies/brokers, for the purpose of managing health related issues and policies relating to your appointment;
it may be necessary to provide our occupational health provider with your contact details in order for a health questionnaire to be sent to you following your appointment;
we may need to provide insurance companies with information about your health, to comply with employment related insurance policy terms;
training companies, colleges and funding/awarding bodies, for the purpose of providing learning and development during the course of your employment;
future employers, for the purpose of providing factual references;
recruitment companies, for the purpose of managing your appointment;
debt collection agencies, for the purpose of obtaining outstanding monies in relation to your appointment;
fleet management companies, for the purpose of managing, maintaining and servicing company provided vehicles;
solicitors, advocates and trade union representatives, for the purpose of dealing with legal issues in relation to your appointment;
safeguarding organisations and emergency services for the purpose of protecting our staff and residents;
the police for the purpose of detection and prevention of crime;
organisations with a function of auditing and/or administering public funds for the purpose of detection and prevention of fraud;
Home Office, to check a prospective employee/employees immigration or right to work status;
DBS (Disclosure & Barring Service), to carry out a DBS checks;
the Driver and Vehicle Licensing Agency (DVLA) for checking employee eligibility to drive;
Nursing & Midwifery Council (NMC) – to check Nurses PIN numbers to ensure that both new candidates and existing employees are compliant to start in their role;
SSSC (Scottish Social Services Council) – to validate employee’s SSSC membership to ensure compliance in their role;
Vehicle and Operator Services Agency (VOSA) for the safe and legal operation of the Group’s vehicles.

Data processors and Transfers

To facilitate the delivery of services to you, information is shared with the following categories of data processors who process information on Sanctuary's behalf:

DBS check facilitation service - to process checks for criminal convictions to ensure suitability for roles.
References processor - to process reference checks for new starters.
Driving license check facilitation service – for the purpose of collecting the driving licence information from the DVLA.
digital right to work check provider – to process digital right to work checks (British and Irish citizens only).
vehicle suppliers for the delivery and collection of vehicles.
companies producing benchmarking information to enable Sanctuary to obtain market data to make decisions in relation to your appointment.
mail fulfilment companies, for the purpose of printing and dispatching communications and ID or service badges related to your appointment.
engagement companies, for the purpose of undertaking staff surveys and seeking feedback on the organisation.

Whenever we transfer your personal data out of the UK in this way, we ensure a similar degree of protection is afforded to it by ensuring that we rely on an adequacy decision, and/or use specific contract clauses which give personal data the same protection it has under UK law.

We also use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Once you are no longer working for us, we will review the information which we hold concerning you and determine whether there are any reasons why we need to continue holding that information. For example, it may be necessary to retain information about you to manage income tax and national insurance queries or provide earnings details to pension schemes. Once the identified purpose comes to an end, unless there is another identifiable purpose for which it is necessary to hold on to your information, we will delete your information.

Recordings of ACD users’ calls will be kept for a period of 30 days for the purpose of staff training and development and will be deleted after this time.

From the employment end date, your employee file will be kept for 6 years.

From the employment end date, information contained in your employee file that relates to employer’s liability (i.e. training records, absence records, medical records relating to work related illness/accident) will be kept for 40 years.

From the employment end date, information related to driver’s licenses, expense claims and benefits will be retained for 6 years following the purpose it was used for.

Agency workers

Why are we collecting your information?

The information provided to us by your agency during your assignment (including that obtained during the recruitment process) is necessary for us to facilitate your assignment as a worker. This information is required for us to manage and perform the services you provide. Without this information, we will not be able to facilitate your assignment with us.

We collect personal data about agency workers during recruitment and assignment to manage our business operations effectively, comply with legal and regulatory obligations, and maintain a safe work environment. Specifically, we need this information to:

Verify identity and right to work
Facilitate recruitment and payroll processes
Meet legal and regulatory compliance requirements
Ensure workplace health and safety, and security

We may also collect information that is relevant to your application via a third party you have provided information to, such as:

Recruitment agencies

What information are we collecting?

The information that we are collecting about you is information which is provided to us during your assignment, including that obtained as part of the recruitment process and information provided by you whilst you are engaged by us as an agency worker. The list below sets out what data we require:

Name
Contact details
Gender
Job title
Date of birth
Right to work information including status, share code, visa type, expiry data and a copy of the right to work document
Training history
Qualification certificates
References
Photograph for identification purposes
Criminal conviction details including date of last DBS/PVG check and DBS/PVG number
Health conditions screening question in relation to fitness for work
Hepatitis B status (if applicable)
- If your job requires that you carry out tasks that involve using needles/sharps, and you have not already been vaccinated against Hepatitis B (including boosters as required) and/or do not have an immunity to Hepatitis B, you should speak to your agency and/or manager as soon as possible about obtaining this vaccination from your GP.
Scottish Social Services Council Registration Number and details (if applicable)
Nursing & Midwifery Council Pin Number and details (if applicable)
Car insurance (if applicable)
Driving licence (if applicable)
Student term time dates (if applicable)

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(f) Legitimate interests - using your information is necessary for the purposes of our legitimate interests during your assignment (including that obtained during the recruitment process) for us to facilitate your assignment as a worker. This processing is essential for managing and performing the services you provide. Without this information, we would be unable to facilitate your assignment with us.

In accordance with Article 9 (UK GDPR) the condition we rely on for processing special categories of personal data is:

(b) Employment, social security and social protection

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Data processors and Transfers

To facilitate your assignment, information may be shared with our HR platform provider for the purpose of technical system support.

We also use a third-party processor, for technical IT support with our internal systems, who may transfer your data outside the UK to India.

For further information on the safeguards implemented, or to access a copy please email dataprotection@sanctuary.co.uk.

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

Any personal data held in connection with your agency work will be retained for up to 6 years after end of assignment.

Video Surveillance (CCTV)

Why are we collecting your information?

Video surveillance images will be used to:

assist in the prevention and detection of crime
facilitate the identification, apprehension and prosecution of offenders in relation to crime;
ensure the security of the Group’s customers, employees, visitors and property;
facilitate appropriate door and site access;
reduce incidences of vandalism and criminal damage; and
enhance the feeling of security provided to customers, staff, and visitors.

In relation to our Ofsted registered services, surveillance of communal areas is only used to support safeguarding and promote child welfare.

What information are we collecting?

What is our lawful basis for using your information?

Under Article 6 of the UK GDPR, the lawful bases we rely on for processing this information are:

(a) Consent - for Ofsted registered services.

(f) Our legitimate interests or that of a third party – for the purposes of safeguarding, promotion of child welfare as well as the prevention and detection of crime.

In accordance with Article 9 (UK GDPR) the conditions we rely on for processing special categories of personal data are:

(a) Explicit consent - for Ofsted registered services.

(g) Reasons of substantial public interest.

Our basis in Law is Section 10 of Schedule 1, of the Data Protection Act 2018 as the processing is necessary for the purposes of the prevention or detection of an unlawful act.

Sharing your information

Members of Sanctuary Group

Sanctuary Group is made up of several related companies. We will share your information with other members of Sanctuary Group where necessary to best provide the services to you.

For more information on which companies make up Sanctuary Group, please go to About Sanctuary.

Regulators and other legal obligations

Other organisations

We may from time to time share your information with other organisations, such as:

insurance companies or solicitors, in connection with any claims where evidence of video surveillance footage is required.

Data processors and transfers

To facilitate this process, information is shared with the following categories of data processors who process information on Sanctuary’s behalf:

security companies that are responsible for on-site security (where applicable).

Storing your information and deleting it

We will not keep your personal data for longer than we need it or are required to by law.

We retain video surveillance footage for 28 days at which point the information is automatically deleted.

Can we use your information for any other purpose?

In limited circumstances, we may use your information for a purpose other than those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose.

Security and your rights

Security of your information

The information that you provide will be stored securely. Our technological and organisational security measures and procedures reflect the seriousness which we attach to the confidentiality, integrity and availability of your information.

Only relevant members of staff will access the information you provide to us.

Your rights

In relation to the information which we hold about you, you are entitled to:

Ask us for access to the information;
Ask us to rectify the information where it is inaccurate or is incomplete;
Ask us to erase the information and take steps to ask others who we have shared your information with to also erase it;
Ask us to limit and restrict what we do with your information;
Object to our use of your information and ask us to stop that use;
Ask us to provide the data you have provided us in a structured, commonly used, and machine-readable format (for example, a CSV file) in order transmit the data to another data controller;
Where we are using your information because you have provided your consent to that use, you are entitled to withdraw your consent at any time. The lawfulness of our use of your information before consent was withdrawn is not affected;
Challenge the decision of any automated decision-making and/or profiling that is applied to your personal data as part of the processing.

Our obligations to comply with the above rights are subject to certain exemptions.

To exercise any of the rights referred to above, you should contact our Data Protection Officer by writing to The Data Protection Officer, Sanctuary House, Chamber Court, Castle Street, Worcester, Worcestershire, WR1 3ZQ or emailing dataprotection@sanctuary.co.uk.

How to complain

If you have any concerns about our use of your personal information, you can contact our Data Protection Team on dataprotection@sanctuary.co.uk.

You also have the right to complain to the Information Commissioner's Office (the ‘ICO’) if you are not satisfied with the way we use your information. You can contact the ICO by writing to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Privacy Statement

On this page

Who are we?

Purpose of our privacy statement

Our data protection officer

What we do (processing activities)

General Enquiries

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Contractors and sub-contractors

Regulators and other legal obligations

Data processors and Transfers

Storing your information and deleting it

Complaints

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Regulators and other legal obligations

Other Organisations

Data Transfers

Storing your information and deleting it

Use of photos, videos, personal experiences

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Contractors and sub-contractors

Regulators and other legal obligations

Other organisations

Data processors and Transfers

Storing your information and deleting it

Applicants and clients at agency managed services

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Contractors and sub-contractors

Regulators and other legal obligations

Other organisations

Data processors and Transfers

Storing your information and deleting it

Supported housing and care (applicants and clients)

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Contractors and sub-contractors

Regulators and other legal obligations

Other organisations

Data processors and Transfers

Storing your information and deleting it

Data subject rights requests

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Regulators and other legal obligations

Other organisations

Storing your information and deleting it

Video surveillance (CCTV)

Why are we collecting your information?

What information are we collecting?

What is our lawful basis for using your information?

Sharing your information

Members of Sanctuary Group

Regulators and other legal obligations

Other organisations

Data processors and transfers

Storing your information and deleting it

Site visitors

Why are we collecting your information?