This policy supports the collection and processing of personal data collected via an organisation’s website. If an organisation collects personal data via its website, it should review, adapt and upload this privacy policy to its website. The template cookie policy explains to website users what cookies will be set. The Organisation should pay particular attention to the guidance in this area. The policy has been reviewed, with the definition of GDPR updated and a new definition of UK GDPR incorporated. “Underpinning Knowledge / Reference” links have all been checked and remain current.
Relevant legislation:
• The Privacy and Electronic Communications (EC Directive) Regulations 2003
• General Data Protection Regulation 2016
• Data Protection Act 2018
Underpinning knowledge – What have we used to ensure that the policy is current:
• Author: Information Commissioner’s Office, (2018), Guide to the General Data Protection Regulation (GDPR). [Online] Available from: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/ [Accessed: 11/3/2021]
• Author: Information Commissioner’s Office, (2018), Cookies. [Online] Available from: https://ico.org.uk/for-the-public/online/cookies/ [Accessed: 11/3/2021]
Suggested action:
• Notify relevant staff of changes to the policy
• Encourage sharing the policy through the use of the QCS App
• Establish process to confirm the understanding of relevant staff
Equality Impact Assessment:
QCS have undertaken an equality analysis during the review of this policy. This statement is a written record that demonstrates that we have shown due regard to the need to eliminate unlawful discrimination, advance equality of opportunity and foster good relations with respect to the characteristics protected by equality law.
1. Purpose
1.1 To provide a template Privacy Policy that MOUNT HILL CARE LIMITED can adapt to use on its website. The Privacy Policy will apply to all users of the website of MOUNT HILL CARE LIMITED. Following recent guidance from the Information Commissioner’s Office (ICO), the template Cookie Policy has been updated to include further detail on the cookies that MOUNT HILL CARE LIMITED is required to give to users of its website. This policy is a standalone document and is intended to form part of a layered Privacy Policy.
1.2 By using the template Privacy Policy provided, MOUNT HILL CARE LIMITED will ensure that the policy on its website is GDPR compliant.
1.3 To support MOUNT HILL CARE LIMITED in meeting the following Key Lines of Enquiry:
Key Question | Key Lines of Enquiry |
WELL-LED | W2: Does the governance framework ensure that responsibilities are clear and that quality performance, risks and regulatory requirements are understood and managed? |
1.4 To meet the legal requirements of the regulated activities that MOUNT HILL CARE LIMITED is registered to provide:
• The Privacy and Electronic Communications (EC Directive) Regulations 2003
• General Data Protection Regulation 2016
• Data Protection Act 2018
2. Scope
2.1 The following roles may be affected by this policy:
• All staff
2.2 The following Service Users may be affected by this policy:
• Service Users
2.3 The following stakeholders may be affected by this policy:
• Family
• Advocates
• Representatives
• Commissioners
• External health professionals
• Local Authority
• NHS
3. Objectives
3.1 To provide assurance that MOUNT HILL CARE LIMITED has a Privacy Policy in place for users of its website that is GDPR compliant.
3.2 This policy will assist with establishing ways of working in terms of the use, storage, retention and security of personal data and will ensure that all Data Subjects, including Service Users, understand the ways in which personal data, collected by MOUNT HILL CARE LIMITED via its website, is processed.
4. Policy
4.1 MOUNT HILL CARE LIMITED understands that if it operates a website, it may need to update its Privacy Policy to ensure that it is compliant with GDPR. MOUNT HILL CARE LIMITED will use this Privacy Policy as a template for its updated version. MOUNT HILL CARE LIMITED understands that this Privacy Policy only needs to be uploaded by MOUNT HILL CARE LIMITED to its website if it collects personal data via its website. MOUNT HILL CARE LIMITED will use the template Fair Processing Notice to inform all other Data Subjects, including Service Users, about how MOUNT HILL CARE LIMITED processes personal data other than personal data collected via the website.
4.2 MOUNT HILL CARE LIMITED understands that the form found within the forms section of the GDPR suite of policies in the QCS management system constitutes the template Privacy Policy. MOUNT HILL CARE LIMITED understands that terms in square brackets are optional (depending on whether they apply to MOUNT HILL CARE LIMITED or not) or require completion by MOUNT HILL CARE LIMITED. MOUNT HILL CARE LIMITED will review the Privacy Policy in its entirety to determine which elements are applicable to its website, and which are not relevant. For example:
• If the template Privacy Policy refers to personal data that is not collected by MOUNT HILL CARE LIMITED via its website, MOUNT HILL CARE LIMITED will delete references to such personal data
• If the website of MOUNT HILL CARE LIMITED does not use cookies, MOUNT HILL CARE LIMITED will delete references to cookies and the Cookie Policy at MOUNT HILL CARE LIMITED
• If MOUNT HILL CARE LIMITED does not transfer personal data outside of the EEA, MOUNT HILL CARE LIMITED will delete the section entitled “Where we store your personal data”
• If MOUNT HILL CARE LIMITED is not required to appoint a Data Protection Officer, MOUNT HILL CARE LIMITED will delete references to the Data Protection Officer or will consider replacing references to the Data Protection Officer with references to the Privacy Officer at MOUNT HILL CARE LIMITED or other person nominated to have day-to-day responsibility for data protection and GDPR
If MOUNT HILL CARE LIMITED uses personal data collected via its website in a way that is not described in the Privacy Policy, it will consider incorporating additional sections.
This Privacy Policy directs users to a webpage with a contact form or contact details if they wish to contact MOUNT HILL CARE LIMITED. MOUNT HILL CARE LIMITED will consider whether to provide an alternative contact method instead, such as an email address and/or phone number. If MOUNT HILL CARE LIMITED has any concerns or queries in respect of the template Privacy Policy, it will seek legal advice.
4.3 GDPR has changed the way cookies should be incorporated into websites which means that MOUNT HILL CARE LIMITED must explain what cookies will be set and what the cookies will do to the users of its website. MOUNT HILL CARE LIMITED must obtain consent from individuals to store certain cookies on devices. Cookies that are not strictly necessary need consent which is GDPR compliant which means that MOUNT HILL CARE LIMITED can no longer rely on implied consent. MOUNT HILL CARE LIMITED will ensure that it uses a cookie banner on its website to obtain consent to the use of cookies in line with this policy and that if no consent is obtained, no cookies will be set.
4.4 MOUNT HILL CARE LIMITED must, therefore, update its processes for collecting consent for cookies. In practice, this means:
• Users must take a clear and positive action to consent to non-essential cookies
• The websites and apps of MOUNT HILL CARE LIMITED must tell users clearly what cookies will be set and what they do, including any third-party cookies
• Pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, cannot be used for non-essential cookies
• The users at MOUNT HILL CARE LIMITED must have control over any non-essential cookies
• Non-essential cookies must not be set on landing pages before you gain the user’s consent
Consent is not required for cookies that are defined as “strictly necessary” or that fall within the communication exemption. “Strictly necessary” cookies are those that are essential to providing the service requested by the user. Such cookies must be essential to fulfil their request. Those that are simply helpful or convenient, but not essential, or that are essential for the purposes of MOUNT HILL CARE LIMITED, will still require consent. The communication exemption is about the transmission of a communication over an electronic communications network. For the exemption to apply, the transmission of the communication must be impossible without the use of the cookie. Simply using a cookie to assist the communication is insufficient for the exemption to apply.
MOUNT HILL CARE LIMITED must note, in particular, that cookies used for analytical purposes or those used for marketing and advertising will always need consent as they are considered to be non-essential. This guidance may change as the latest draft legislation is subject to some challenges on this point. MOUNT HILL CARE LIMITED must read the ICO’s cookie guidance available at: https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/ for further information on the types of cookie that require consent.
5. Procedure
5.1 MOUNT HILL CARE LIMITED will consider whether or not it collects personal data via its website (for example, via enquiry forms, requests to be sent newsletters, requests for provision of services) and whether it needs a Privacy Policy. MOUNT HILL CARE LIMITED acknowledges that the use of cookies constitutes processing of personal data via the website.
5.2 MOUNT HILL CARE LIMITED will review the template Privacy Policy. MOUNT HILL CARE LIMITED will adapt the Privacy Policy before uploading it to its website to ensure that all aspects of the Privacy Policy are relevant and reflect the ways in which MOUNT HILL CARE LIMITED processes personal data collected via its website. Where MOUNT HILL CARE LIMITED has any concerns or queries in relation to its own Privacy Statement, MOUNT HILL CARE LIMITED will seek legal advice.
5.3 MOUNT HILL CARE LIMITED will use the template Fair Processing Notice to inform all other Data Subjects, including Service Users, about how MOUNT HILL CARE LIMITED processes personal data other than personal data collected via the website.
6. Definitions
6.1 Data Subject
• The individual about whom MOUNT HILL CARE LIMITED has collected personal data
6.2 Data Protection Act 2018
• The Data Protection Act 2018 is a United Kingdom Act of Parliament that updates data protection laws in the UK. It sits alongside the General Data Protection Regulation and implements the EU’s Law Enforcement Directive
6.3 GDPR
• General Data Protection Regulation (GDPR) (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It was adopted on 14 April 2016 and, after a two-year transition period, became enforceable on 25 May 2018. References to GDPR include references to the UK GDPR
6.4 Personal Data
• Any information about a living person including but not limited to names, email addresses, postal addresses, job roles, photographs, CCTV and special categories of data, as defined below
6.5 Process or Processing
• Doing anything with personal data, including but not limited to collecting, storing, holding, using, amending or transferring it. MOUNT HILL CARE LIMITED does not need to be doing anything actively with personal data – at the point MOUNT HILL CARE LIMITED collects it, it is processing it
6.6 Special Categories of Data
• Has an equivalent meaning to “Sensitive Personal Data” under the Data Protection Act 2018. Special categories of data include but are not limited to medical and health records (including information collected as a result of providing health care services), Care Plans and information about a person’s religious beliefs, ethnic origin and race, sexual orientation and political views
6.7 Cookies
• Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website and can be accessed either by the web server or the client’s computer
6.8 The Information Commissioner’s Office (ICO)
• The ICO is the UK’s independent body set up to uphold information rights
6.9 UK GDPR
• The UK GDPR is the retained EU law version of GDPR that forms part of English law
Key Facts – Professionals
Professionals providing this service should be aware of the following:
• The Privacy Policy applies to personal data collected via the website of MOUNT HILL CARE LIMITED
Key Facts – People affected by the service
People affected by this service should be aware of the following:
• Personal data provided to MOUNT HILL CARE LIMITED via its website will be processed in accordance with the Privacy Policy at MOUNT HILL CARE LIMITED
Further Reading
As well as the information in the ‘underpinning knowledge’ section of the review sheet we recommend that you add to your understanding in this policy area by considering the following materials:
Please find the form below in the Forms section of the GDPR suite of policies within the QCS Management system:
Website Privacy Statement
BBC – What are cookies?
http://www.bbc.co.uk/webwise/guides/about-cookies
ICO cookie guidance:
https://ico.org.uk/for-organisations/guide-to-pecr/cookies-and-similar-technologies/
It is important for MOUNT HILL CARE LIMITED to note that the ePrivacy Regulation which is currently in the draft stage may change the way that consent is required for certain cookies, including analytic cookies. At the time of updating this policy, the draft suggests that using analytic cookies as a simple first-party data analytics tool to learn about website audiences in a non-intrusive way may not require explicit consent. The proposal suggests that cookie consent can be exempted when the data tracked is purely for analytical purposes and the data collected cannot identify an individual.
However, it is as yet unclear whether external services, such as Google Analytics, will benefit from this exemption. If MOUNT HILL CARE LIMITED only uses analytical cookies for the purpose of learning about website audiences and its website is low risk, we suggest that MOUNT HILL CARE LIMITED may want to wait until the final draft of the ePrivacy Regulation is adopted, further guidance is issued, and website developers have the tools required before updating its cookie banner to seek explicit consent for analytic cookies.
Outstanding Practice
To be ‘outstanding’ in this policy area you could provide evidence that:
• MOUNT HILL CARE LIMITED has modified the template privacy policy to ensure that it includes all information relevant to the collection of personal data via its website and has uploaded a copy to its website
• MOUNT HILL CARE LIMITED ensures that clear links are available to the privacy policy on its website and that, if a person inputs personal data into the website, they are directed to the policy and required to accept its terms
• The wide understanding of the policy is enabled by proactive use of the QCS App
Forms
The following forms are included as part of this policy:
Title of form | When would the form be used | Created by |
Cookies Example Policy Statement – GDPR08 | When MOUNT HILL CARE LIMITED has no information on the use of cookies on its website (a Cookie Policy). It can be used with the Website Privacy Statement. | QCS |
COOKIES WEBSITE STATEMENT
Cookies are small text files which a website may put on your computer or mobile device when you first visit the website. The cookies will help the website recognise your device the next time you visit. Web beacons or other similar files can also do the same thing. We use the term “cookies” in this policy to refer to all files that collect information in this way.
We use cookies to distinguish you from other users of the website. This helps us to provide you with a good experience when you use the website and also allows us to improve the services we provide to you. On revisiting the website, we will be able to obtain information about your previous visits and about your computer including where available, your IP address, operating system and browser type, for system administration [and to report aggregate information to our advertisers] [insert an explanation about the information your cookies collect if it is necessary to expand on this]. [If you do not report aggregate information to advertisers, you can delete the foregoing policy entry]. This is statistical data about your browsing actions and patterns and does not identify you. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your computer.
We use the following cookies:
• Strictly necessary cookies. These are cookies that are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Disabling them may mean you are not able to access parts of our website.
• [Analytical or performance cookies. We use these cookies to collect information about how visitors use the website, for instance which pages visitors go to most. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. Some of these cookies are known as analytic cookies which allow us to monitor website traffic using industry accepted third parties.] [If you do not use analytical or performance cookies, you can delete this policy entry.]
• Functionality cookies. These cookies are used to recognise you when you return to our website and to remember changes you have made to things such as text size, fonts and other parts of the website you can change so we can personalise our content for you.
• [Targeting cookies. We use these cookies to record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may share this information with third parties for this purpose.] [If you do not use targeting cookies, you can delete this policy entry].
For more details on the specific cookies we use, why we use them and when they will expire, please see Part 1 of Appendix 1 of this Cookie Policy. [Please note that third parties (such as advertising networks and providers of external services) may also use cookies on the website, over which we have no control. These cookies are likely to be analytical cookies, performance cookies or targeting cookies. Part 2 of Appendix 1 of this Cookie Policy provides a list of the third parties who may use these cookies and the reasons for which they use them.] [If you do not use third parties for these services, you can delete this policy entry].
Most browsers accept cookies automatically, but you can change your cookie preferences by adjusting your browser settings to refuse the setting of all or some cookies if you prefer. You can usually do this by visiting the “options” or “preferences” menu on your browser. Please note, however, that if you do this and choose to block all cookies (including essential cookies) we cannot guarantee that your experience will be as fulfilling as it would otherwise be, and you may not be able to access all or parts of our website.
Where we collect personal data as part of our use of cookies on the website, we will do so in accordance with our Privacy Policy [insert hyperlink to Privacy Policy].
Appendix 1
Part 1 – Cookies used
Cookie Title Cookie Name | Purpose | More Information | Expiry |
[Cookie Title] [Cookie Name] | [Insert description of the purpose for which the cookie is used] | [Insert link to external information where appropriate] | [Insert length of time cookie is available for, e.g. this cookie will expire after 2 years] |
Part 2 – Third-party cookies [If you do not use third parties, you can delete this policy entry]
Third-Party Name | Purpose |
[Insert third party name, e.g. Google Analytics] | [Insert description of what the third party does with the information. This information will usually be found in the contractual documentation entered into with the third party (if any)] |