Privacy Policy

Please see our privacy policy below.

Introduction


This Privacy Statement relates to CareWatch.

 

CareWatch is a panel of individuals formed by the States of Guernsey Health and Social Care in 2017.

 

CareWatch has set out this privacy statement to show the public how CareWatch holds and handles their data when required to do so. In the ordinary course of business, CareWatch comes into possession of personal and / or confidential information (“Data”) in respect of individuals (“Individuals”), such as:


Residents of Guernsey & Alderney,
Complainants, correspondents and enquirers, and
Relatives, Guardians and Associates of the Data Subject.


CareWatch will process personal data for the following purposes:

Processing and responding to complaints, enquiries and suggestions, and
Reporting key information & complaints to the Committee for Health & Social Care.

Personal data is defined in the relevant legislation. The data classes that CareWatch may process include:


Personal details
Family, lifestyle and social circumstances
Financial details


Orion may also process special categories of data or sensitive data, including:


Physical or mental health or condition


In obtaining and using Personal Data in connection with shareholders or prospective investors,
Service Providers and others (as may be applicable), CareWatch will act as a data controller or a data
processor as appropriate.


The Data may be held electronically or held in general files.


This document sets out CareWatch’s internal procedures and guidelines with regards to the
obtaining, storing, processing, use, disclosure, transfer and safeguarding of Data as data controller.

For the avoidance of doubt and notwithstanding anything to the contrary in this privacy statement,
nothing in this privacy statement shall prevent CareWatch from complying with any legal or
regulatory obligation to disclose data in accordance with applicable law or regulation.


Obtaining and Using Personal and Confidential Data


Personal Data may only be processed if the data subject has given his / her consent, or if the
processing is necessary for the performance of responding to a query or complaint to which the data
subject is party.


As a Data Controller, CareWatch is responsible for, and must be able to demonstrate, compliance
with the Data Protection Principles:


• Data must be processed fairly, lawfully and in a transparent manner
• Data must be collected for specified, explicit and legitimate purposes, and not further
processed in a manner which is incompatible with those purposes
• Data must be adequate, relevant and limited to what is necessary in relation to the purposes
for which it is collected
• Data must be accurate and, where necessary, kept up to date, and reasonable steps must be
taken to ensure that Personal Data that is inaccurate is erased or corrected without delay

Accordingly:

• the right to lodge a complaint with the Office of the Data Protection Authority (“ODPA”),
which can be contacted at enquiries@odpa.gg or by telephone on +44 (0) 1481 742074.
• CareWatch will not use Data other than for the purposes which have been brought to the
attention of the relevant Individual and, if consent is required, to which the relevant
Individual has consented.
• Unless written permission has been issued by the data subject, CareWatch shall not forward
any personal or confidential data to a third-party.


Retention Periods


CareWatch shall only hold personal or confidential data for as long as is necessary to process the
information and appropriately deal with the data subject's request, complaint or query.


Breach Notifications


In accordance with applicable data protection laws, CareWatch will be obliged to notify the ODPA of
any breach of security leading to the accidental or unlawful destruction, loss, alteration,
unauthorised disclosure of or access to personal data (each a “personal data breach”) within 72
hours of becoming aware of same, unless the personal data breach is unlikely to result in risks to
Individuals. Furthermore, CareWatch will need to notify any impacted Individuals without undue
delay where a personal data breach is likely to result in a high risk to those Individuals.


In the event of a personal data breach:


CareWatch shall consider the likely risks arising from the Personal Data breach, taking into account
the nature and scope of the personal data in question, the extent of the breach, the period of the
breach, and any security measures which may militate against risk, such as encryption. In doing so,
the potential consequences for the affected Individuals will be considered.

Any incident in which Personal Data has been put at risk will be reported to the ODPA within 72
hours of CareWatch becoming aware of the incident. Where a report is made to the ODPA,
CareWatch will provide such information and detail as is required under applicable data protection
laws or as the ODPA may request, which shall include:


• a description of the nature of the personal data breach, including where possible, the
categories and approximate numbers of impacted Individuals, and the categories and
approximate number of personal data records concerned;
• a description of the likely impact of the personal data breach;
• a description of measures to mitigate possible adverse effects;
• reporting to the ODPA may be conducted in phases where the full extent of the personal
data breach is not known within 72 hours of Orion becoming aware of same. Any such
phased reporting will be conducted in consultation with the ODPA;
• any incidents which are likely to result in high risk to Individuals will be notified to the
impacted Individuals without undue delay unless this would involve disproportionate effort.
In this latter case, a public communication or similar equally effective notification measure
shall be implemented by Orion;


Where, having considered the matter, CareWatch comes to a determination that no notification
need be, or will be, made to the ODPA and / or the affected data subjects, CareWatch shall in any event
keep a summary record of each incident which has given rise to the risk of unauthorised disclosure,
loss or alteration of personal data, which will include an explanation as to why Orion did not
consider it necessary to inform the ODPA.


Records of security incidents will be made available to the ODPA on request.


CareWatch shall ensure that the Service Providers notify Orion without delay of any security incident
and provide all reasonable assistance to Orion to enable it to comply with its obligations under data
protection law.


Subject Access Requests


Where an Individual makes a subject access request in writing, there is an obligation on the data
controller to provide certain information to the data subject.


Accordingly, on receipt of any data subject access request, CareWatch shall within 30 days:


• inform the Individual as to whether the data processed by or on behalf of Orion includes
Personal Data relating to the Individual, and where it does, to provide a description of:
• the categories of the Personal Data;
• the Personal Data constituting the data;
• the purposes for which they are being or are to be processed;
• the recipients or categories of recipients to whom they are or may be disclosed;
• information as to source, where not obtained directly from the Individual;
• where possible, the envisaged storage period, or alternatively the criteria used to determine
that period;
• the right to lodge a complaint to the Office of the Data Protection Authority;
• details of any automated decision making or profiling;
• the appropriate safeguards with regard to international data transfers.
• provide the Individual with a copy of the Personal Data of the Individual;

• provide the relevant information to the Individual free of charge, in an easily visible,
intelligible and clearly legible manner within one month of a proper request from the data
subject, unless an exception applies under applicable data protection laws.


If CareWatch does not intend to take action at the request of the data subject, CareWatch shall
inform the Individual without delay of the reasons for not taking action, as well as of the right of the
Individual to complain to the ODPA.


Other Data Subject Rights


Individuals have the following rights, in certain circumstances:


• the right to rectify Personal Data
• the right to restrict processing
• the right to object to processing
• the right to be forgotten
• the right to data portability.


Contacting CareWatch


CareWatch can be contacted by email on admin@carewarch.gg or panel@carewatch.gg
CareWatch’s chair is the individual responsible for data protection, who can be contacted at
chairperson@carewatch.gg


Updates to this Privacy Statement


Any changes CareWatch makes to its Data protection and Privacy Statement in the future will be
posted on its website. Please check back frequently to see any updates or changes.
