This Privacy Policy explains how West One Care collects, uses, stores and shares personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all other applicable data protection legislation.
We take our obligations as a data controller particularly seriously given the sensitive nature of the services we provide — residential childcare for children and young people with complex needs.
Who We Are
West One Care operates an Ofsted-registered children's residential home in Hertfordshire. We provide care, support and accommodation for children and young people with Learning Disability (LD), Emotional and Behavioural Difficulties (EBD) and complex needs.
West One Care is the data controller for the personal information we process. This means we are responsible for deciding how and why personal data is used.
West One Care
Website: westone.care
Email: info@westone.care
Registered Address: Oakingham House, Frederick Place, High Wycombe, Buckinghamshire HP11 1JU
If you have any questions about how we use your personal data, or wish to exercise any of your rights, please contact us using the details above or see Section 15.
Scope of This Policy
This policy applies to personal data we collect and process in connection with:
- The care and support of children and young people placed with us
- Communication with families, carers and guardians
- Our recruitment and employment processes
- Visitors to our website at westone.care
- Enquiries, referrals and placement assessments
- Our relationships with Local Authorities, health professionals and other agencies
- Contractors, volunteers and third-party service providers
This policy does not cover third-party websites that may be linked to from our website. We are not responsible for the privacy practices of those sites.
Data We Collect
The type of personal data we collect depends on your relationship with us.
Children & Young People in Our Care
- Full name, date of birth, gender, ethnicity and nationality
- Contact details and emergency contact information
- Medical history, health conditions, prescribed medication and health care plans
- Mental health history, psychological assessments and therapeutic records
- Educational history, school attendance records and learning needs
- Social care history, placement history and looked-after child (LAC) records
- Risk assessments, behaviour management plans and incident reports
- Care plans, placement plans and review documentation
- Photographs and video where used for care or safeguarding purposes
- Records of daily activities, observations and progress
Families, Carers & Guardians
- Name, address, telephone number and email address
- Relationship to the young person and parental responsibility status
- Communication records and contact logs
- Court orders or legal documents affecting contact arrangements
Job Applicants & Employees
- Name, address, contact details and right to work documentation
- CV, employment history and professional qualifications
- References and interview notes
- DBS (Disclosure and Barring Service) check results and barred list status
- Payroll information, pension details and bank account details
- Absence records, sickness records and occupational health information
- Supervision records, appraisals and training records
- Disciplinary and grievance records where applicable
Website Visitors
- IP address, browser type and device information
- Pages visited, time spent on site and referral source (via cookies)
- Information submitted via contact or enquiry forms
Referrals & Professional Contacts
- Name, job title, organisation and contact details
- Referral documentation and placement enquiry information
- Records of correspondence and meetings
How We Use Your Data
Children & Young People
- To provide safe, high-quality residential care and support
- To develop, implement and review individual care plans
- To safeguard and promote the welfare of children in our care
- To comply with statutory obligations under the Children Act 1989, Children's Homes (England) Regulations 2015 and associated guidance
- To share information with Local Authorities, health professionals, schools and other agencies involved in a young person's care
- To report to Ofsted and comply with regulatory requirements
- To respond to safeguarding concerns and make referrals where required
Families & Carers
- To facilitate family contact and communication in line with placement plans
- To keep families informed of their child's welfare and progress
- To comply with court orders and legal obligations regarding contact
Employees & Applicants
- To manage the recruitment and pre-employment vetting process
- To fulfil our contractual obligations as an employer
- To process payroll, expenses and pension contributions
- To manage performance, training and professional development
- To comply with employment law and regulatory obligations
- To ensure staff are suitable to work with children (DBS checks)
Website & Enquiries
- To respond to enquiries, referrals and placement requests
- To maintain and improve our website
- To monitor website security and prevent fraud
Lawful Basis for Processing
Under UK GDPR, we must have a lawful basis for processing personal data. We rely on the following:
| Lawful Basis | When We Rely on It |
|---|---|
| Legal Obligation | Processing required to comply with children's social care legislation, Ofsted regulations, employment law and safeguarding duties |
| Legitimate Interests | Maintaining staff records, managing the home safely, website analytics, responding to professional enquiries |
| Contract | Processing employee and contractor data to fulfil employment and service contracts; processing placement data under Local Authority agreements |
| Vital Interests | Sharing health or safety information in emergency or safeguarding situations where life may be at risk |
| Public Task | Activities carried out in the public interest in relation to the care of looked-after children |
| Consent | Where no other lawful basis applies, for example certain marketing communications or non-essential cookies. Consent may be withdrawn at any time. |
Special Category Data
We process special category data on the following additional conditions:
- Substantial public interest — safeguarding children and young people, providing social care, and complying with regulatory obligations
- Health and social care purposes — providing appropriate medical and therapeutic care to the young people we support
- Employment law obligations — processing occupational health and absence data for staff
- Vital interests — where processing is necessary to protect someone's life in an emergency
- Explicit consent — where required and appropriate, with the right to withdraw at any time
We maintain a Record of Processing Activities (RoPA) documenting all special category data processing in detail, as required by UK GDPR Article 30.
Children's Data
We recognise that children require additional protections in relation to their personal data. The children and young people in our care are among the most vulnerable individuals in society, and we treat their data with the utmost sensitivity and respect.
- Data about children in our care is processed strictly for the purposes of their welfare, safety and the delivery of their placement plan
- Access to children's personal data is restricted on a strict need-to-know basis within our organisation
- We never use children's personal data for any commercial purpose
- We do not publish or share photographs or identifying information about children in our care without appropriate consent and legal authority
- Children's data is shared with statutory agencies only where legally required or where it is in the child's best interests
- Where a young person has capacity to consent, we respect their right to be involved in decisions about their own information
- Children's records are retained in line with statutory timescales set out in the Children's Homes (England) Regulations 2015 and associated guidance
Sharing Your Data
We do not sell personal data. We share personal data only where there is a lawful basis to do so, and only to the extent necessary. Recipients may include:
Statutory & Regulatory Bodies
- Ofsted — for regulatory inspections and notifiable event reporting
- Local Authorities — placing authorities and children's services teams
- Police and LADO (Local Authority Designated Officer) — for safeguarding investigations
- HMRC and the Pensions Regulator — for employment obligations
- The Disclosure and Barring Service (DBS) — for pre-employment vetting
Health & Care Professionals
- NHS and CAMHS (Child and Adolescent Mental Health Services)
- GPs, hospitals and specialist health professionals
- Independent therapeutic practitioners
Education
- Schools, colleges and alternative provision providers
- Educational psychologists and SEND specialists
Service Providers & Contractors
- IT systems providers and cloud storage services (under Data Processing Agreements)
- Payroll and HR software providers
- Legal advisors and professional consultants
- Facilities and maintenance contractors (limited access only)
All third parties with whom we share personal data are required to handle it securely and in accordance with UK GDPR. Where we use data processors, we have appropriate Data Processing Agreements in place.
International Transfers
We aim to keep all personal data within the UK. Where any of our service providers process data outside the UK or European Economic Area (EEA), we ensure that appropriate safeguards are in place, such as:
- Transfers to countries with a UK adequacy decision
- Standard Contractual Clauses (SCCs) approved by the ICO
- Binding Corporate Rules where applicable
If you would like more information about the safeguards we use for international transfers, please contact us at info@westone.care.
Retention of Data
We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. Key retention periods include:
| Data Type | Retention Period |
|---|---|
| Children's care records (LAC) | 75 years from date of birth, or 15 years after last entry (whichever is longer), in line with Children's Homes Regulations 2015 |
| Safeguarding records | As directed by the relevant Local Authority and statutory guidance; minimum 7 years |
| Employee records (current) | Duration of employment plus 6 years |
| DBS check records | Up to 6 months after recruitment decision; results retained on DBS Update Service |
| Unsuccessful job applications | 6 months from decision, then securely deleted |
| Payroll and financial records | 6 years (HMRC requirement) |
| Website enquiry forms | 12 months, or as long as required to respond to the enquiry |
| Website analytics / cookie data | Up to 13 months |
When data is no longer required, it is securely deleted or anonymised in line with our Data Retention and Disposal Policy.
Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What It Means |
|---|---|
| Right of Access | You may request a copy of the personal data we hold about you (Subject Access Request / SAR) |
| Right to Rectification | You may ask us to correct inaccurate or incomplete personal data |
| Right to Erasure | You may ask us to delete your personal data where there is no longer a lawful basis to retain it (subject to legal obligations) |
| Right to Restriction | You may ask us to restrict processing of your data while a complaint or accuracy dispute is being resolved |
| Right to Data Portability | Where processing is based on consent or contract, you may request your data in a structured, machine-readable format |
| Right to Object | You may object to processing based on legitimate interests or for direct marketing purposes |
| Rights related to automated decisions | You have the right not to be subject to solely automated decision-making that produces significant effects on you |
| Right to withdraw consent | Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing |
To exercise any of these rights, please submit a written request to info@westone.care. We will respond within one calendar month. We may need to verify your identity before processing a request. There is no charge for exercising your rights, except in cases of manifestly unfounded or excessive requests.
Cookies
Our website at westone.care uses cookies — small text files placed on your device — to help the site function correctly and to understand how visitors use it.
| Cookie Type | Purpose | Basis |
|---|---|---|
| Essential | Required for the website to function (e.g. security, session management) | No consent required |
| Analytics | Help us understand how visitors use the site (e.g. Google Analytics — anonymised) | Consent required |
| Functional | Remember preferences and settings to improve your experience | Consent required |
You can manage or withdraw cookie consent at any time using the cookie settings banner on our website, or by adjusting your browser settings. Please note that disabling certain cookies may affect the functionality of the site.
We do not use advertising or tracking cookies, and we do not share cookie data with third parties for marketing purposes.
Data Security
We take the security of personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction or disclosure. These include:
- Restricted access to personal data on a strict need-to-know basis
- Password protection and multi-factor authentication on systems holding personal data
- Encrypted storage and transmission of sensitive data
- Secure physical storage of paper records with restricted access
- Regular staff training on data protection and information security
- Data Processing Agreements with all third-party suppliers
- Regular review and testing of our security arrangements
- A documented procedure for identifying, reporting and managing data breaches
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and, where required, inform affected individuals without undue delay.
Changes to This Policy
We review this Privacy Policy at least annually, or whenever there is a significant change to our processing activities or applicable legislation. The most current version will always be available on our website at westone.care.
Where changes are material, we will take reasonable steps to notify affected individuals — for example, by email or by a prominent notice on our website. The version number and effective date at the top of this document will be updated with each revision.
Contact & Complaints
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your personal data, please contact us:
Data Protection Enquiries — West One Care
Email: info@westone.care
Website: westone.care
Registered Address: Oakingham House, Frederick Place, High Wycombe, Buckinghamshire HP11 1JU
We aim to resolve all data protection concerns promptly and fairly. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You can complain to the ICO at any time; however, we would welcome the opportunity to address your concern directly before you do so.