Ingeus UK are fully committed to ensuring that we are transparent about how we process your personal information. The ‘processing’ of your personal information includes the collection, recording, storing, changing, sharing, general use, or destruction of your information.
This Privacy Notice describes what data we collect, why we collect it, how we use it, how we keep it secure, and the conditions under which we share it. It also outlines you rights under the General Data Protection Regulation and the Data Protection Act 2018.
This Notice may be updated periodically, in line with changes to our processing or legislative updates. All changes will be published on our website.
What is the Central London Works Programme?
Central London Works Work and Health Programme (CLW) is an employment support programme, designed to support those with health conditions and other barriers, to find sustained, good quality and well-paid employment.
This programme has been commissioned by the Mayor and Commonalty and Citizens of the City of London (Lead Authority), and is part funded by the European Social Fund (ESF).
Who are we?
Ingeus UK Ltd is a company incorporated in England, registered at Companies House (04320853). In partnership with our Delivery Partners, (Get Set UK, Leonard Cheshire, Bromley by Bow Centre) we deliver the CLW Programme on behalf of the Mayor and Commonalty and Citizens of the City of London (Lead Authority)
We collect and use information obtained from Job Centre Plus (JCP), yourself, and other external referral organisations, in order to provide the services described above.
By collecting information from you, Ingeus UK and our Delivery Partners can better identify your individual needs and how best to support you on the programme.
- Ingeus UK Ltd and the Lead Authority are Joint Data Controller for the processing of your personal data in relation to the CLW services.
- Ingeus is the Data Controller for any Health data provided directly to our Health and Wellbeing Team.
What personal information do we process?
- Information such as your name, date of birth, contact details, gender, family circumstances
- National Insurance Number
- Health, wellbeing and lifestyle information
- Education history, employment status, skills and qualifications
- Data about criminal convictions or offences.
How we use your information
Ingeus UK Ltd process your information in order to provide you with the best possible support whilst on programme, as well as to meet the requirements of our contracts and other legal obligations. We cannot process your information without having a valid, lawful reason for doing so. Key reasons for processing your information are described below, further details about the organisations we share with and the legal basis for processing can be found here.
- To bring you on board the programme, we will receive information including name, address, date of birth, National Insurance number, and further information, which relates to any health and/or disability, and contact details, from JCP. This provides us with a way of contacting you to arrange a first appointment
- When you attend your first appointment and throughout the programme, you will be asked questions that allow our staff to assess the level of support you require. Your Case Worker will make some notes about how you are doing on the programme and what has been discussed during your appointments
- It may be that some of this information is shared with other organisations who can provide you with additional support. Your information will only be shared with those that need to know, with the minimum amount of information being shared, and always with your verbal or written consent
- Your information will be shared with employers for the purpose of making applications, supporting you into secure employment and to stay in your role
- We also have to pass on information to DWP (and the ESF) to confirm the progress you have made and your employment status.
Sharing your Personal Information
The aim of this programme is to assist you as best as possible during your progression on the programme. As such, we may work with other organisations to identify certain services that we think you could benefit from. In this way, you do not have to repeat yourself and provide the same information over again.
We routinely share your personal information with the following organisations to update them on your progress, including whether you have completed the programme, achieved any key milestones or left early, or for providing you with additional support.
- Commissioner – Ingeus UK will share information with the Lead Authority who have commissioned the CLW contract. The contract stipulates what information is to be shared, the manner in which it is to be shared and the information security requirements that must be adhered to
- Direct Delivery Partners – Your information may be shared with organisations that deliver services on our behalf. In order to share this information, we have legal contracts in place with those organisations, which state how your personal information is to be securely processed
- Ad- hoc support providers (e.g. Community Investment Fund Providers) - With your consent, we may provide your personal information to other support providers who offer specific services that we think you could benefit from. We have Data Sharing Agreements in place with these organisations and provide only the information necessary to support you. This information will be provided only with your consent (see below)
- Ingeus Health and Wellbeing Team – where you are receiving support from this team, Ingeus UK Ltd is the Data Controller of this data, and we take this role very seriously. The team is made up of qualified Health Professionals, for example, physiotherapists, who are registered with the appropriate Professional Body and supported by the Senior Health Practitioner in their role. Before any of your health data is shared, the Health Team will explain to you what information they are collecting and sharing, and why. In most instances, we will require your consent (see below) to share your health information.
Other Ad-Hoc Sharing
- Fraud detection and prevention - In certain circumstances we may be legally required to share personal information with other organisations, such as the HRMC or law enforcement agencies for the detection and prevention of crime and fraud
- Emergency Services- We may contact emergency services or your GP, to assist you, or provide emergency response management support in high-risk situations. Where possible this will be carried out with your consent (see below), however your consent may be overridden where we believe you are a danger to yourself or others
- Financial/Audit purposes- We are also required to share information with the European Social Fund for financial and audit purposes.
Ingeus UK cannot process your information without having a valid, lawful reason for doing so. For further details about the organisations we share with and the legal basis we have for sharing this data please click here.
Research and evaluation
Ingeus UK pride ourselves on continuously improving the services provided to you and others. We identify areas for improvement by conducting research and evaluation of existing services. One way in which we do this is to convert your personal data into statistical or aggregated data, which is then used to produce statistical research and reports. This information is sometimes shared with the contract commissioner and other research organisations; however, it cannot be used to identify you.
We sometimes commission other organisations to carry out research on our behalf. Where your personal data can be identified or we would like you to provide additional information, via focus groups or feedback forms, we will always ask your permission first.
Where we need your agreement to process your information, for example, by passing your contact details to a third party who is not a contracted Delivery Partner, we will ask you to provide your consent first. We will explain why your consent is needed and the information that we will share, this information with be provided verbally or via a consent form. Where verbal or written consent is provided, this will be recorded on our systems for tracking purposes.
Right to Withdraw Consent
Where you have consented for us to share your information with a specific organisation or individual, you have the right to withdraw your consent at any time. Should you wish to withdraw your consent, please speak to your Keyworker who will update our records.
Protecting your information
- UK is committed to protecting the confidentiality and security of your information. We ensure that your personal information is processed lawfully and respectfully, ensuring that we are always compliant with data protection laws and information security standards, for example, the General Data Protection Regulation (GDPR), Data Protection Act 2018 and ISO27001 (an information security standard). We have appropriate security measures in place to prevent personal information from being accidentally lost, or, used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
All Ingeus UK staff are required to complete mandatory data protection and information security training to ensure they understand their responsibilities in relation to processing your personal information. Internal and external audits are also undertaken to ensure that data protection laws are being complied with.
Keeping your information
Ingeus UK and our Delivery Partners are required to retain your information as part of our contractual and legal obligations. We will not retain your information for any longer than is necessary and where we are no longer required to keep your information, it will be safely and securely destroyed.
The following table provides you with information on how long we keep your information.
Your Individual Rights
The GDPR grants you certain rights in regards to your personal information, and the way in which it is processed. This gives you more control over what organisations are doing with your information. These rights are:
- To be informed
- To access personal data
- To correct/ erase personal data
- To restrict how we use personal data
- To object to how we use personal information
- To ask us to transfer personal data to another organisation
- To object to automated decision making including profiling
- To understand how we protect information transferred outside of the European Economic Area.
To find out more about how we use personal data we may ask you to prove your identity when making a request to exercise any of these rights. We do this to ensure we only disclose information where we know we are dealing with the right individual.
We aim to respond to all valid requests within one month. It may however take us longer if the request is particularly complicated or you have made several requests. We will always let you know if we think a response will take longer than one month.
We may not always be able to fully address your request, for example if it would impact the duty of confidentiality we owe to others, or if we are otherwise legally entitled to deal with the request in a different way.
The right to be informed
Ingeus UK Ltd is committed to ensuring that you are always aware of what we are doing with your information and are kept abreast of any changes to the processing of your information. We do so through this Privacy Notice, which is reviewed and updated as and when required.
The right of access
You have the right to ask for the personal information we hold about you. This is known as a Subject Access Request. However, while we will do our best to comply with your request, there may be circumstances where we are unable to fulfil your request, for example, where information we hold has been provided to us in confidence.
When requesting your personal information you will need to include the following information:
- your full name, address and contact telephone number
- any information used by the organisation to identify or distinguish you from others of the same name (account numbers, unique ID's etc)
- details of the specific information you require and any relevant dates.
The right to rectification
We endeavour to ensure that the information we hold about you is always accurate, however, there may be instances where the information we hold is no longer up to date. You can ask that we rectify any information about you that is incorrect. We would be happy to rectify such information but may need to verify the accuracy of the information first. Please speak to your Keyworker so that any inaccuracies can be investigated and corrected where necessary.
The right to erasure
You have the right to request that certain personal information be erased from our systems if you feel that there is an underlying legal issue to us processing your information, or, where you withdraw consent.
While you may request for your information to be erased, this does not mean that we will be able to comply with your request, as there may be a legal reason that we have to keep your information. As such, each request is considered on a case-by-case basis.
The right to restrict processing
You have the right to request us to ‘restrict’ the processing of your personal information, for example, if you are unsatisfied about the accuracy of the data and we undertake an investigation. We can continue to use your personal data following a request for restriction where we need to use it to establish, exercise or defend legal claims, or we need to use it to protect the rights of another individual or the company.
The right to data transfer to another organisation (portability)
You have the right to request us to provide you with a copy of the personal information that you have provided to us, and which we process electronically. The data must be in a machine-readable format that facilitates transmission from controller-to-controller. This allows you further use of the data and enables you to move between service providers without any loss of data.
While you may request data portability, this does not mean that we will be able to comply with your request, as there may be reasons that we are unable to comply your request. As such, each request is considered on a case-by-case basis.
The right to object to how we use personal information
You have the right to object to us processing your personal information for the following reasons:
- Direct marketing
- scientific/historical research and statistics
- Legitimate interests and processing in regards to the performance of a public interest or official authority task.
While you may object, this does not mean that we will be able to comply with your request, as there may be reasons that we are unable to comply, such as other legal obligations. Each request is considered on a case-by-case basis.
The right to object to automated decision making, including profiling
We do not carry out any automated decision making or profiling.
Transfers outside of the European Economic Area (EEA)
We do not transfer any of your data outside of the EEA.
Exercising your rights
If you wish to exercise any of the above rights please email or write to:
The Data Protection Officer, Ingeus UK Ltd, Second Floor, 66-68 East Smithfield, Royal Pharmaceutical Building, London, E1W 1AW
Ensure that you let us have enough information to identify you, e.g.name, address, date of birth, your case worker details, and let us know the information which you request relates to.
Please contact our Data Protection Officer if you have any questions about this privacy notice or the information we hold about you.
If you have any concerns about in the way that your information is being processed, or feel your information is not being used appropriately, please raise your concerns with the Data Protection Officer, explaining what your specific concerns are. The Data Protection Officer will then investigate your concerns you have raised.
If you remain unsatisfied after the investigation by the Data Protection Officer and their response to you, you may raise a concern with the Information Commissioner