Introduction
This privacy notice, created in line with the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018, explains how we collect, use, and protect personal information from trusts we collaborate with, patients, contractors, and other third parties.
It applies to personal information provided to us directly by individuals or through third parties. This notice complements the privacy notice for Prometheus Safe and Secure Ltd (PSS) and Prometheus Complex Care (PCC) employees, which are available from HR.
Data Controller
PSS and PCC are two separate legal entities under an intergroup data processing agreement, and both belong to the parent company RCI Group Limited. Each entity acts as an independent controller, but they may also process information for each other when appropriate and lawful. The companies share the same senior management team, ensuring consistency in their operations and oversight.
PSS is registered with the Information Commissioner's Office (ICO) under the following registration number: ZA049039.
PCC is registered with the ICO under the following registration number: ZA884822.
Furthermore, both may process information on behalf of clients, such as patient information for the purpose of delivering their care services.
This privacy notice applies to both PSS and PCC, whether they process data independently or share information with each other. All data processing activities are conducted with a lawful basis and in line with relevant data protection laws.
Contact Details and Data Protection Officer
Our contact details are below:
Prometheus Safe and Secure Ltd
Unit 603
Fort Dunlop
Fort Parkway
Birmingham
B24 9FD
Tel: 0800 009 6668
And
Prometheus Complex Care Ltd
Unit 603
Fort Dunlop
Fort Parkway
Birmingham
B24 9FD
Tel: 0800 009 6668
For any queries or complaints in relation to how your data is being used, please contact us at compliance@psecure.co.uk.
Our Data Protection Officer is Lorain Morrison, and you can contact her at compliance@psecure.co.uk.
How we collect your personal information
When we collect personal information on behalf of our clients (for example, if a trust asks us to deliver a service for a patient), we act as a data processor. In this role, we don’t decide how the information is used; instead, we process it solely to provide the requested service. In these cases, the trust remains the data controller.
We are, however, a data controller for any information where we decide on the purposes and means of processing. There are also situations where we may need to act as a separate data controller for some information provided by the trust to meet legal or regulatory obligations.
This means we may act as both a data controller and a data processor for different aspects of the same information, depending on the circumstances.
We understand that UK GDPR can be complex, and we aim to be as clear as possible. If you have specific questions, we’re here to help. To make our roles as data processor and data controller easier to understand, we’ve created a separate framework. You can find a copy here.
How we will use your personal information
The personal information provided to us is predominantly used to provide our core services, including:
- Healthcare observation services
- Secure patient transport
Using your data in accordance with the Data Protection legislation
We are committed to fully applying and adhering to the data protection principles in relation to your personal data, as required by the UK General Data Protection Regulation (GDPR) and the DPA (2018):
Lawfulness, Fairness and Transparency
We process personal data lawfully, fairly, and in a transparent manner.
We ensure that all individuals are informed about the purpose and legal basis for processing their data. Clear communication is provided through privacy notices and policies.
Purpose Limitation
We collect personal data only for specified, explicit, and legitimate purposes and do not process it further in a manner that is incompatible with those purposes.
Personal data is collected strictly for purposes related to your engagement with our organisation and any additional uses are clearly communicated to you.
Data Minimisation
We ensure that personal data is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
Only the minimum amount of personal data required for specific purposes is collected and processed.
Accuracy
We take reasonable steps to ensure personal data is accurate and, where necessary, kept up to date.
Regular reviews and updates are conducted to ensure the accuracy of the personal data we process. All individuals are encouraged to report any changes to their personal data.
Storage Limitation
We keep the personal data in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data has been processed, in accordance with our Data Retention Schedule. You can request a copy of our retention schedule by contacting us.
Data that is no longer required is securely deleted from our systems and from the systems of the third parties we share data with.
Integrity and Confidentiality
We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Robust security measures, including encryption and access controls, are implemented to protect personal data. Regular training is provided to all our employees on data protection and security.
Accountability
We are responsible for and able to demonstrate compliance with the above principles.
We maintain records of our data processing activities and regularly review our data protection practices ensuring compliance. Data protection impact assessments (DPIAs) are conducted where necessary.
Data Processing, Legal Basis and Retention
Please note that where we act as a processor, we do so on behalf of the organisation that has appointed us to deliver a service. It is their responsibility to establish a lawful basis for the collection and processing of your personal data.
Types of data we process
We collect and process two types of data:
- Personal data: data relating to an individual who can be identified from it, i.e., name, surname, telephone number, email address, postal address, date of birth, etc.; in short, any item of personal data that relates to you and can be used to identify you.
- Personal special category data: this type of data includes more sensitive information about individuals, is subject to a higher level of protection, and may include:
– Race
– Ethnic group
– Political opinions
– Religious and philosophical beliefs
– Trade union membership
– Genetic data
– Biometric data (where it is used for identification purposes)
– Health data
– Sex life
– Sexual orientation
When it comes to special category data, we generally only collect health data; however, we may receive additional, relevant information for specific purposes.
Legal Basis
Our Legal Basis for Collecting Personal Data
At Prometheus Safe and Secure and Prometheus Complex Care, we collect and process personal data based on several legal grounds, depending on the specific activity and purpose:
- Contractual Necessity – When we have a contract or formal agreement with you, processing your personal data is essential for fulfilling our obligations under that contract.
- Legal Obligation – In cases where we are legally required to collect and use your information, we do so to meet regulatory or statutory requirements.
- Vital Interests – In rare cases, such as a medical emergency, we may need to use or share your information to protect your life or well-being.
- Legitimate Interests – Sometimes, we process personal data based on a legitimate interest that benefits you, us, or both. This is done following a thorough Legitimate Interest Assessment (LIA) to ensure that these interests do not override your rights or freedoms.
Where we are acting as a processor, our clients and those instructing us establish a legal basis for processing, which tends to be public task, as we generally work for healthcare providers in the public sector.
Data retention
In line with the data protection principles, we only keep your personal information for as long as needed for the purpose for which it was collected. Once the purpose for processing the personal data can no longer be justified, the personal data will be securely deleted from our database and from the databases of our processors. In deciding on appropriate retention periods, we take into consideration applicable laws, regulations and, where appropriate, industry best practices.
How we store your personal information
All personal data we process is stored with the highest levels of security. Physical documents are kept in locked cabinets with strictly controlled access, ensuring that only authorised personnel can access them. For digital data, we use a highly secure, access-restricted cloud storage system that complies with industry-leading standards for data protection and encryption.
As we move towards becoming a fully paperless organisation, we store only a minimal amount of information on paper, and only when it is absolutely necessary. This helps us reduce the risks associated with physical data handling and reinforces our commitment to safeguarding your personal information.
How we are protecting your personal information
Strictly adhering to the GDPR and DPA (2018), we take all reasonable steps to keep your personal data well protected from accidental loss or disclosure, destruction or misuse. We have implemented processes, developed policies and put in place appropriate organisational and technical security measures, which are regularly monitored and updated. Our employees are trained on data protection legislation, and we build a culture of awareness about protecting personal information. Furthermore, we have physical controls and CCTV in place on site.
When we share personal data with third parties, we provide written instructions and have the necessary arrangements in place, and we collect evidence of their assurances to ensure that your data is held securely in line with the UK GDPR requirements.
Third parties must implement appropriate technical and organisational measures to ensure the security of the personal information we share.
Access to your personal information is governed by stringent data processing rules with sharing agreements and information security checks in place.
Access to personal data is granted strictly on the “least privilege” principle.
Sharing your personal information
Our intergroup data processing agreement ensures that we can lawfully share your data within our organisation and our parent organisation, but only where it is necessary and for specific purposes. Examples of such purposes include sharing the same systems, processes, or teams for key functions like finance and HR. We take great care to ensure that these data-sharing activities are limited to what is strictly needed to provide our services effectively.
We may also share your information with third parties where required to meet regulatory, contractual, or legal obligations. For example, we may share information with:
- The Care Quality Commission (CQC) for regulatory compliance purposes
- The Health and Safety Executive (HSE) for health and safety assessments
- Law enforcement authorities when legally required to do so
Please note that these are only examples, and the list is not exhaustive.
In addition, we use specific systems and software solutions to fulfil operational functions such as:
- Incident Reporting to ensure accountability and transparency
- Bookings for managing appointments and logistics efficiently
- Responding to Enquiries to provide prompt and effective customer service
We have implemented thorough checks to ensure compliance with data protection legislation, including the UK GDPR and Data Security and Protection Toolkit (DSPT) requirements where necessary. Our processes and systems are subject to continuous review to ensure your information is handled securely, lawfully, and with the utmost care. Furthermore, we conduct regular audits and staff training to maintain the highest standards of data protection and to prevent any misuse of your information.
To find out more details about our processes, please contact us.
Transfers of Personal Data
Sometimes, we need to use systems, software, or suppliers that are located outside the UK for processing the personal data. This means that your personal data might be transferred to other countries. We only do this when it’s necessary, and we make sure that your data is protected by similar safeguards as those in the UK.
Here’s a clearer breakdown:
Why transfer data?
We use software and services that might be based outside the UK because they may be able to provide a product that is not available from a UK supplier. This ensures we have the best tools to do our jobs efficiently and securely.
Where does the data go?
Your data may be transferred to countries that either:
- Have been given adequacy status by the UK. This means they have data protection laws that are similar to those in the UK.
- Have similar safeguards in place. These safeguards ensure that your data remains as protected as it would be in the UK.
What does ‘adequacy’ mean?
- Adequacy status is granted to countries whose data protection laws are strong enough to protect your data to a similar standard as the UK.
What are similar safeguards?
These could include:
- Contracts that oblige the recipient to protect your data.
- Privacy Shield frameworks or similar agreements that ensure data protection.
Is this common?
Yes, transferring data internationally is a standard practice in today’s digital world. Many companies do it to use the latest and most effective technologies available.
In essence, while your data might be sent to other countries, we always ensure it is handled with the highest level of security and care, just as it would be here in the UK.
If you would like more information about the systems or suppliers that we use, that may mean transferring your data out of the UK, please get in touch, we are happy to answer your questions.
Your rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
Your right not to be subject to automated decision making – You have the right not to be subject to decisions made without any human involvement.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
In line with the UK GDPR, we typically respond within one month of receiving a request. However, for complex or numerous requests, a two-month extension may apply.
Queries & Complaints
We would encourage you to contact us directly, should you have any questions or would like to raise a complaint.
You also have the right to complain to the ICO if you are unhappy with how we use your data:
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://ico.org.uk
Changes to the Privacy Notice
We review this Privacy Notice annually or whenever there are changes to our processing activities or updates in data protection legislation.
This Privacy Notice was last updated on 26 November 2024.