Data Protection Policy
We appreciate the trust you place in us when sharing personal data, whether it be the Care Provider’s or the Customer’s information. The security of that data is very important to us. In this document, we will explain how we collect, use and protect personal data entrusted to us.
Cura Advanced Technologies Ltd (Cura Systems) is not a Data Controller, as defined in the General Data Protection Regulations (GDPR) which came into force on 25th May 2018. However, as we hold data on behalf of Care Providers, we are a processor of such data. It is in this context that this data protection policy is framed.
At the outset, Cura Systems wish to make the following core and abiding principles:
- We will never share any information with anyone not appropriately authorised to have access to the data
- We will always undertake best industry practices to protect your data from unwarranted disclosure
- Data will be stored in the countries sanctioned by the laws of the country where we operate. At this time, all
This notice informs you about information we hold, what we do with it, how we will look after it and with whom we might share it.
"Personal data" in this context refers to the information we hold about you from which you can be identified.
Storage, Back-up & Retention of personal data
Cura Systems is a UK-domiciled organisation and our primary offices are in the UK.
Our websites and web applications are hosted in the UK or EU and are accessed only by our staff. Our operations in other countries have their own dedicated servers and not connected to our UK operations.
In all these instances, we have appropriate contractual and security measures in place to ensure that personal data is protected.
Our customer support management, marketing and accounting systems for all our businesses are either EU-based or, if elsewhere, are required to comply with our GDPR policies. Our payment processors and banking arrangements are based in the UK.
To ensure adequate protection of data in the event of a disaster, we retain a back-up copy of your database and application set-up in a separate server in the UK or EU for a rolling fourteen-day period. Our policies for protection of that data is also controlled by this policy.
What types of personal data do we handle about Customers?
The personal data we hold includes:
- Contact details such as names, occupation, email addresses, phone numbers & photos
- Personal data gathered by organisations that use Cura Systems applications about the people they serve
- Contracts which might include Care Provider personal data
What are the purposes for processing customer personal data?
Processing refers to doing anything with the data, such as accessing, disclosing, destroying or using the data in any way.
We will only process your personal data for the specific purposes notified to you in this privacy notice or for any other purpose specifically permitted by GDPR.
The specific purposes for which we process your personal data include;
- Contractual management
- To provide support services
- To marketing additional or new services for Care Providers as they become available
- To support a legal obligation, such as to document compliance with exercised rights under GDPR
What is the lawful basis for processing?
Cura Systems will only process personal data when it is legally justifiable to do so.
The lawful grounds for processing personal data can be found under Articles 6 and 9 of GDPR. The conditions that enable us to legally process your personal data as our customer include;
- The processing is necessary for the performance of a contract you have (or are enquiring to enter into) with us
- The processing is a legal obligation
- The processing taking place meets a legitimate interest of the company (including direct marketing)
Sharing your information
We only share your personal data with third parties when one of the lawful grounds (above) is met, and then only with the organisation to which the data refers. We do not share data from one Care Provider to another.
Cura Systems is part of an International organisation and the personal data processed for the above purposes may be transferred outside the EEA (European Economic Area) both internally on Cura Systems’ servers and externally with providers who assist Cura in conducting our business.
Whenever personal data is transferred outside the EEA, it is also processed in compliance with GDPR and under the safeguard of appropriate confidentiality clauses where that party agrees to comply with our data protection procedures and policies or has put in place similar adequate measures.
We believe in protecting your privacy and therefore do not under any circumstances provide your personal information to third parties for marketing purposes.
Security of your Information
Maintaining data security means guaranteeing the confidentiality, integrity and availability (for authorised purposes) of the personal data.
We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.
All of Cura Systems’ staff, including those who process personal data outside the EEA, are required to undergo annual data protection training approved by NHS Digital to further reassure our staff and customers that we are committed to ensuring GDPR compliance at an international level.
We will only retain information for as long as necessary for the specified purposes and in-line with legal obligations. Third party contracts and finance data is retained for 6 years.
Your rights under GDPR regarding the personal data we process?
Under GDPR, you have the following rights;
- The right to be informed (covered within this privacy notice)
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
What if the data we hold is incorrect?
It is important that the information we hold is kept up to date. If personal details change or if they are currently inaccurate then it is important that you let us know by contacting our Data Protection Officer.
How to get access to personal data?
GDPR gives duly authorised Care Provider personnel the right to access the personal data held by Cura Systems about you and the people your organisation serves through a system of passwords.
Cura Systems will use its best endeavours to assist Care Providers to meet their obligations under GDPR for a legitimate request for information and to meet their Data Controller’s responsibility to respond within “one month” of such requests.
If you are not satisfied with our response to your access request, you can appeal to the ICO (Information Commissioner’s Office).
What if you need to exercise any of your other rights regarding personal data?
If you’d like to exercise any of your other rights under GDPR apart from the right of rectification or access, please contact our Data Protection Officer (details at the end of this privacy notice) for more details.
What about the personal data we process on behalf of our customers?
Cura Systems is a data processor for the data it processes on behalf of its customers. Therefore, the purposes, lawful basis and retention periods in relation to the processing of our customers’ service user and staff personal information should be made available directly through them as they are the Data Controllers.
If you have any questions about the data we process on behalf of our customers, please get in touch with our Data Protection Officer (details at the end of this privacy notice) who will support you in getting in touch with the relevant customer contact.
Cura will only process customer data as directed and agreed by the Service Provider’s Data Controller. Cura Systems will not respond to individuals serviced by Care Providers.
Technical Information related to our Web Servers
In order to ensure that each visitor to our websites can use and navigate the site effectively, we collect the following:
- Technical information, including the Internet Protocol (IP) address used to connect your device to the Internet;
- Your login information, browser type and version, time zone setting, browser plug-in types and versions; Operating system and platform;
- Information about your visit, including the Uniform Resource Locators (URL) clickstream to, through and from our site.
- Our cookies do not collect personal information and are provided simply to improve user performance.
Contact our Data Protection Officer
If you would like a more detailed explanation on any of the aspects covered above or have any other queries, then please contact our Data Compliance and Security Officer who acts as the company’s Data Protection Officer.
The contact details for Cura Systems’ Data Protection Officer are:
Changes to this privacy notice