CareOS
Sign inBook Demo

Privacy Notice

Last updated: February 2026

1. Data Controller

SBSC Care Services is the data controller for personal data processed through this platform. We are registered with the Information Commissioner's Office (ICO).

Contact our Data Protection Officer: dpo@sbsc.local

2. Categories of Personal Data

Staff Data

  • Name, email, phone number, employment details
  • Training records and competency assessments
  • Rota and attendance information
  • Authentication credentials (encrypted)

Client / Service User Data

  • Name, date of birth, address, contact details
  • NHS number and medical identifiers
  • Care plans, daily care logs, and clinical assessments
  • Body maps, risk assessments, and incident records
  • Medication profiles and administration records
  • Consent records and capacity assessments
  • Emergency contact information

3. Lawful Bases for Processing

  • Contract (Article 6(1)(b)) — Processing staff employment data
  • Legal obligation (Article 6(1)(c)) — CQC regulatory requirements, safeguarding duties
  • Vital interests (Article 6(1)(d)) — Emergency clinical decisions
  • Legitimate interests (Article 6(1)(f)) — Platform security, audit logging

Special Category Data (Article 9)

  • Health data — Processed under Article 9(2)(h): provision of health or social care
  • Explicit consent — Where capacity exists, for optional data sharing

4. Data Retention

We follow the NHS Records Management Code of Practice 2021:

  • Adult care records: 8 years after last contact, or 3 years after death
  • Clinical/health records: 8 years (adult), 25 years or age 26 (children)
  • Safeguarding records: Retained permanently where significant harm
  • Staff employment records: 6 years after employment ends
  • Financial/billing records: 6 years (HMRC requirement)
  • Audit logs: Minimum 2 years, up to 8 years for clinical events

Records are anonymised rather than deleted to maintain CQC-compliant audit trails.

5. Data Sharing

We may share personal data with:

  • NHS and healthcare providers (for continuity of care)
  • Local authority safeguarding teams (where required by law)
  • CQC inspectors (regulatory obligation)
  • Emergency services (vital interests)

We do not sell personal data or share it with third parties for marketing purposes.

6. Your Rights

Under UK GDPR, you have the right to:

  • Access — Request a copy of your personal data (Subject Access Request)
  • Rectification — Correct inaccurate data
  • Erasure — Request deletion (subject to retention obligations)
  • Restriction — Limit processing in certain circumstances
  • Portability — Receive your data in a machine-readable format
  • Object — Object to processing based on legitimate interests

To exercise any right, contact dpo@sbsc.local. We will respond within one calendar month.

If you are unsatisfied with our response, you may complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint

7. Cookies

This platform uses essential cookies only for authentication and session management. No analytics or tracking cookies are used. No cookie consent is required for strictly necessary cookies under the Privacy and Electronic Communications Regulations (PECR), but we inform you as a matter of transparency.

8. Security

We implement appropriate technical and organisational measures including encryption at rest and in transit, role-based access control, multi-factor authentication, and comprehensive audit logging. Clinical data is encrypted with per-record keys.

← Back to login