Privacy Policy
1. Introduction
Care Pathway Pro Ltd is committed to protecting the privacy and security of personal information. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our adult social care management platform.
We take our responsibilities under data protection law seriously and are committed to handling personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Who We Are
Data Controller and Processor
Care Pathway Pro Ltd
124 City Road
London
EC1V 2NX
United Kingdom
Company Registration Number: 16787553
ICO Registration Number: ZC014555
Data Protection Officer:
Kieron Bygraves
Email: dpo@carepathwaypro.co.uk
General Enquiries:
Email: privacy@carepathwaypro.co.uk
Website: www.carepathwaypro.co.uk
Our Role in Data Processing
Care Pathway Pro Ltd operates primarily as a data processor, processing personal data on behalf of adult social care providers (our clients) who are the data controllers. For our own business operations (such as billing, customer support, and platform analytics), we act as a data controller.
3. Scope of This Privacy Policy
This Privacy Policy applies to:
- Adult social care providers who subscribe to our platform (our clients)
- Staff members of care provider organisations who use our platform
- Service users whose care information is managed using our platform
- Visitors to our website
This policy should be read in conjunction with:
- Our Data Processing Agreement (for client organisations)
- Our Terms of Service
- Our Cookie Policy
- Our Information Security Policy
4. The Personal Data We Process
4.1 Service User Data (Special Category Data)
When care providers use our platform to manage care for their service users, we process the following types of personal data as a data processor:
Identifying Information:
- Full name
- Date of birth
- Gender
- NHS Number
- Address and contact details
- Photographs (where used for identification)
Next of Kin and Emergency Contacts:
- Names and relationships
- Contact details
- Power of Attorney or legal representative information
Health and Care Information:
- Health conditions and medical history
- Disabilities and functional assessments
- Mental capacity assessments
- Care needs assessments and care plans
- Risk assessments (falls, pressure sores, nutrition, etc.)
- Safeguarding records and incident reports
- Medication records and administration logs (MAR charts)
- Fluid intake and nutrition charts
- Daily care notes and observations
- Healthcare professional visits and interventions
- Hospital admissions and discharge information
Financial Information (where relevant):
- Information relating to care funding
- Local authority financial assessments
- Details relevant to care billing
Other Special Category Data:
- Ethnic origin (for equality monitoring and culturally appropriate care)
- Religious or philosophical beliefs (for person-centred care)
- Information about sexual orientation (where relevant to care provision)
4.2 Client Organisation Data
For our client organisations (care providers), we process:
Account and User Information:
- Organisation name and registered address
- CQC registration details (where applicable)
- Primary contact details
- User accounts and login credentials (encrypted)
- Staff names and email addresses
- Job roles and access permissions
Usage and Technical Data:
- Platform usage logs and analytics
- IP addresses and device information
- Browser type and operating system
- System access logs and audit trails
- Support ticket information and correspondence
Billing and Subscription Data:
- Billing address and contact information
- Payment method details (processed via secure third-party payment processors)
- Subscription plan and usage metrics
- Invoice history
4.3 Website Visitor Data
When you visit our website, we may collect:
- IP address
- Browser type and version
- Pages visited and time spent
- Referring website
- Cookie data (see our Cookie Policy)
5. Legal Basis for Processing Personal Data
We only process personal data when we have a valid legal basis to do so under UK GDPR.
5.1 For Service User Data (Special Category Data)
Article 6 Lawful Basis:
- Article 6(1)(e) - Public Task: Processing is necessary for the performance of a task carried out in the public interest, specifically the provision of adult social care services under the Care Act 2014.
- Article 6(1)(b) - Contract Performance: Processing is necessary for the performance of our contract with care provider clients to deliver our care management platform.
- Article 6(1)(f) - Legitimate Interests: For system security, fraud prevention, and platform improvement, where it does not override the rights and interests of individuals.
Article 9 Special Category Basis:
Special category data (health and care information) requires an additional legal basis under Article 9 of UK GDPR:
- Article 9(2)(h) - Health and Social Care: "Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services."
- UK Data Protection Act 2018, Schedule 1, Part 1 (conditions relating to employment, health and research):
- Paragraph 2: Health or social care purposes (processing carried out by, or under the responsibility of, a health professional or social work professional, or by another person who owes an equivalent duty of confidentiality)
- Paragraph 3: Public health
- UK Data Protection Act 2018, Schedule 1, Part 2 (Substantial Public Interest):
- Paragraph 6: Statutory and government purposes
- Paragraph 8: Equality of opportunity or treatment
- Paragraph 18: Safeguarding of children and of individuals at risk
- Paragraph 19: Safeguarding of economic well-being of certain individuals
- Paragraph 20: Insurance
Important Note on Consent:
In accordance with Information Commissioner's Office (ICO) guidance, we do not rely on consent as the primary lawful basis for processing care data. This is because consent cannot be considered freely given if access to care services is dependent upon it. The lawful bases listed above provide appropriate legal grounds for processing necessary for care provision.
5.2 For Client Organisation Data
- Article 6(1)(b) - Contract: To fulfil our contractual obligations to provide the platform service
- Article 6(1)(f) - Legitimate Interests: For business administration, service improvement, and fraud prevention
5.3 For Website Visitor Data
- Article 6(1)(a) - Consent: For non-essential cookies (via our cookie banner)
- Article 6(1)(f) - Legitimate Interests: For essential website functionality and security
6. How We Use Personal Data
6.1 Primary Purposes
We process personal data for the following purposes:
Care Management and Service Delivery:
- To enable care providers to record, manage, and deliver care services to service users
- To maintain accurate care records and care plans
- To support medication management and administration
- To facilitate safeguarding procedures and incident management
- To enable monitoring of fluid intake, nutrition, and vital signs
- To support multi-disciplinary care coordination
Platform Operation and Security:
- To provide, maintain, and improve our care management platform
- To authenticate users and manage access controls
- To monitor system performance and usage
- To detect and prevent fraud, abuse, and security incidents
- To provide technical support and troubleshooting
- To conduct system backups and disaster recovery
Legal and Regulatory Compliance:
- To comply with Care Quality Commission (CQC) requirements
- To support regulatory inspections and audits
- To respond to legal obligations and lawful requests from authorities
- To comply with safeguarding duties under the Care Act 2014
- To maintain records for statutory retention periods
Business Administration:
- To manage client subscriptions and billing
- To communicate with clients about their accounts and services
- To provide customer support
- To conduct internal audits and quality assurance
Service Improvement:
- To analyse platform usage patterns (in anonymised/aggregated form)
- To develop new features and improvements
- To conduct research and analytics (using de-identified data only)
6.2 Automated Decision-Making
We do not use personal data for automated decision-making or profiling that produces legal effects or similarly significantly affects individuals.
7. Data Sharing and Recipients
7.1 Who We Share Data With
We only share personal data when necessary and with appropriate safeguards in place.
Sub-Processors (Third-Party Service Providers):
As a data processor, we engage carefully vetted sub-processors to help us deliver our services. All sub-processors are bound by Data Processing Agreements and are required to implement appropriate technical and organisational security measures.
Our current sub-processors include:
- Cloud Hosting Provider: AWS UK/Azure UK/Google Cloud UK - for secure data storage and platform hosting (UK-based servers only)
- Database Services: cPanel - for secure database management (UK-based)
- Backup and Disaster Recovery: cPanel - for secure data backup (UK-based)
- Email Communications: Thunderbolt - for system notifications and alerts
- Payment Processing: Stripe - for subscription payment processing (PCI-DSS compliant)
- Customer Support Platform: operated in-house by Care Pathway Pro Ltd (not a third party) - for managing support tickets
- Security and Monitoring: operated in-house by Care Pathway Pro Ltd (not a third party) - for security monitoring and threat detection
A complete, up-to-date list of sub-processors is maintained and available to our clients upon request. We notify clients of any changes to our sub-processors in accordance with our Data Processing Agreements.
Client-Controlled Sharing:
The care provider organisations (our clients) who use our platform may share service user data with:
- NHS services, GPs, and healthcare professionals involved in care
- Other care providers and agencies supporting the service user
- Local authorities (for commissioning, funding assessments, and safeguarding)
- Care Quality Commission (CQC) during inspections and regulatory oversight
- Family members, advocates, or legal representatives (with appropriate consent or legal basis)
- Multi-Agency Safeguarding Hubs (MASH) and safeguarding teams
- Emergency services in urgent situations
Important: Care providers (as data controllers) are responsible for determining who they share service user data with. We provide the technical capability for controlled data sharing, but the decision to share remains with the care provider.
Legal and Regulatory Requirements:
We may share personal data when required by law:
- To comply with legal obligations, court orders, or lawful requests from regulatory authorities
- To protect against legal liability
- To respond to safeguarding concerns (in accordance with the Care Act 2014)
- In connection with the prevention or detection of crime
- To protect the vital interests of individuals
Business Transfers:
In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.
7.2 National Data Opt-Out
The National Data Opt-Out is a service that allows patients to opt out of their confidential patient information being used for research and planning purposes.
While our platform is used for direct care provision (which is not affected by the opt-out), we support our clients in respecting service users' opt-out preferences for any secondary uses of data beyond direct care.
Service users can register their opt-out preference at: www.nhs.uk/your-nhs-data-matters
Care providers using our platform are responsible for checking and respecting National Data Opt-Out preferences in accordance with NHS guidance.
8. International Data Transfers
Data Storage Location:
All service user data is stored exclusively on secure servers located within the United Kingdom. We do not transfer personal data outside the UK as part of our standard operations.
Sub-Processor Locations:
All our sub-processors that handle personal data operate within the UK or European Economic Area (EEA). The UK government recognises the EEA as providing adequate data protection.
Exceptional Circumstances:
In exceptional circumstances where data may need to be accessed from outside the UK (for example, by our support team during travel), we ensure:
- Access is via encrypted, secure connections only
- Strict access controls and audit logging are in place
- Data is never stored on devices outside the UK
- All access complies with UK GDPR requirements
Legal Safeguards:
If we ever need to transfer data outside the UK, we will:
- Only transfer to countries recognised by the UK government as providing adequate protection, or
- Use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs)
- Conduct a Transfer Risk Assessment
- Notify affected parties in advance
9. Data Security
9.1 Technical Security Measures
We implement robust technical security measures to protect personal data from unauthorised access, loss, or destruction:
Encryption:
- All data is encrypted in transit using TLS 1.3 (or higher)
- All data is encrypted at rest using AES-256 encryption
- Database encryption keys generated and protected in hardware security modules (HSMs)
- Encrypted backups
Access Controls:
- Multi-factor authentication (MFA) for all platform users
- Role-based access controls (RBAC) limiting access to necessary data only
- Individual user accounts (no shared credentials)
- Regular access reviews and automatic account deactivation
- Session timeouts and automatic logout
Network Security:
- Firewall protection and intrusion detection systems (IDS)
- Network segmentation and isolated environments
- Regular vulnerability scanning and penetration testing
- DDoS protection
- Security Information and Event Management (SIEM) monitoring
Infrastructure Security:
- Secure, UK-based data centres with physical security controls
- Redundant systems and infrastructure
- Regular security patching and updates
- Automated threat detection and response
- Compliance with ISO 27001 standards
Data Integrity:
- Comprehensive audit logging of all data access and changes
- Data backup and recovery procedures
- Regular integrity checks and validation
- Version control and change tracking
9.2 Organisational Security Measures
Staff Training and Awareness:
- Mandatory data protection training for all staff
- Regular security awareness updates
- Role-specific training for staff handling sensitive data
- Annual refresher training
Policies and Procedures:
- Information Security Policy
- Data Breach Response Plan
- Access Control Policy
- Acceptable Use Policy
- Incident Management Procedure
- Business Continuity and Disaster Recovery Plan
Vetting and Confidentiality:
- Background checks for all staff with access to personal data
- Confidentiality agreements signed by all staff and contractors
- Clear disciplinary procedures for security breaches
- Limited access principle (least privilege)
Third-Party Management:
- Due diligence assessments for all sub-processors
- Data Processing Agreements with strict security requirements
- Regular security audits of sub-processors
- Right to audit sub-processor security measures
Compliance and Certification:
- Cyber Essentials Plus certification
- Regular compliance audits
- Annual ISMS (Information Security Management System) reviews
- Independent security assessments
9.3 Data Breach Procedures
Despite our strong security measures, we recognise that data breaches can occur. We have comprehensive procedures in place to detect, respond to, and manage data breaches:
Detection and Response:
- 24/7 security monitoring
- Automated breach detection systems
- Clear escalation procedures
- Dedicated incident response team
Notification:
- As a data processor, we notify affected client organisations (data controllers) immediately upon becoming aware of a breach
- We provide full details to enable the controller to assess the risk and fulfil their notification obligations
- Data controllers must notify the ICO within 72 hours if the breach poses a risk to individuals
- Affected individuals must be notified without undue delay if there is a high risk to their rights and freedoms
Investigation and Remediation:
- Immediate investigation to determine scope and cause
- Containment and mitigation measures
- Root cause analysis
- Implementation of corrective actions to prevent recurrence
- Full documentation and reporting
If you believe you have identified a security vulnerability or data breach, please report it immediately to: security@carepathwaypro.co.uk
10. Data Retention and Deletion
10.1 Retention Periods
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law.
Service User Care Records:
- Retained in accordance with NHS Records Management Code of Practice
- Standard retention period: 7-10 years after last service involvement
- Safeguarding records: May be retained longer in accordance with local safeguarding procedures
- Records relating to children: Retained until 25th birthday or 10 years after death
Financial Records:
- Retained for 6 years from the end of the financial year (HMRC requirement)
System Logs and Audit Trails:
- Security logs: 12-24 months
- Access logs: 12 months
- Audit trails for compliance: 7 years
Client Account Data:
- Retained for duration of active subscription
- After account termination: 3 months (to allow for data export and reactivation)
- Billing records: 6 years post-termination
Website Analytics:
- Anonymised analytics: 26 months
- Cookie data: As specified in our Cookie Policy (typically 12 months)
10.2 Deletion Procedures
During Active Service:
Client organisations (as data controllers) can delete service user records through the platform interface when appropriate retention periods have expired. Deleted records are:
- Immediately removed from production systems
- Retained in secure, encrypted backups for 30 days (to allow recovery from accidental deletion)
- Permanently and irreversibly deleted from all backups after 30 days
Upon Contract Termination:
When a client organisation terminates their subscription, they can choose to:
- Export all data - We provide a complete data export in a common, machine-readable format (CSV/JSON)
- Request data deletion - We securely delete all data in accordance with the Data Processing Agreement
- Extended retention (if there is a legal or regulatory requirement to retain records longer)
Our standard data deletion procedure upon termination:
- Data export period: 30 days
- Secure deletion from production systems: Within 7 days of termination or export completion
- Secure deletion from all backups: Within 90 days of termination
- Certificate of deletion provided upon request
Secure Deletion Methods:
- Data overwriting using secure deletion tools
- Cryptographic erasure (destruction of encryption keys)
- Physical destruction of media (where applicable)
- Third-party certification of deletion (upon request)
10.3 Legal Hold
In exceptional circumstances, we may need to retain data beyond normal retention periods:
- Court orders or legal proceedings
- Active investigations (safeguarding, criminal, regulatory)
- Unresolved complaints or disputes
Affected parties will be notified when data is subject to legal hold.
11. Your Rights Under UK GDPR
Individuals whose personal data we process have important rights under UK GDPR. The specific rights and how they can be exercised depend on whether we are acting as a data controller or data processor.
11.1 The Eight Data Subject Rights
1. Right to be Informed
You have the right to clear, transparent information about how we use your personal data. This Privacy Policy fulfils that right.
2. Right of Access (Subject Access Request)
You have the right to request:
- Confirmation that we are processing your personal data
- Access to your personal data
- Information about how we process your data
3. Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected.
4. Right to Erasure ("Right to be Forgotten")
In certain circumstances, you have the right to request deletion of your personal data, including:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the lawful basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
- Legal obligation requires erasure
Important limitation: This right does not apply where retention is necessary for:
- Compliance with legal obligations (e.g., Care Act retention requirements)
- Establishment, exercise, or defence of legal claims
- Public interest or official authority purposes
5. Right to Restrict Processing
You have the right to request that we restrict (but not delete) your personal data in certain circumstances:
- You contest the accuracy of the data (during verification)
- Processing is unlawful but you don't want erasure
- We no longer need the data, but you need it for legal claims
- You have objected to processing (pending verification of our legitimate grounds)
6. Right to Data Portability
Where processing is based on consent or contract and carried out by automated means, you have the right to:
- Receive your personal data in a structured, commonly used, machine-readable format
- Request transmission of your data directly to another organisation (where technically feasible)
7. Right to Object
You have the right to object to processing based on:
- Legitimate interests (including profiling)
- Direct marketing (absolute right)
- Scientific/historical research or statistical purposes
8. Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to decisions based solely on automated processing that produces legal effects or significantly affects you.
Our position: We do not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on individuals.
11.2 How to Exercise Your Rights
For Service Users:
If you are a service user receiving care from an organisation that uses our platform:
- Your care provider is the data controller and is responsible for responding to your rights requests
- Contact your care provider directly to exercise your rights
- Your care provider will use our platform tools to fulfil your request
- If you have concerns about how your care provider has responded, you can contact the ICO
For Client Organisation Staff:
If you are a staff member of a care provider organisation:
- Your employer (the care provider) is the data controller for employment-related data
- Care Pathway Pro Ltd is the data controller for your platform user account
- Contact dpo@carepathwaypro.co.uk for rights requests related to your platform account
- Contact your employer's HR department for rights requests related to employment
For Website Visitors:
- Care Pathway Pro Ltd is the data controller
- Contact dpo@carepathwaypro.co.uk to exercise your rights
11.3 How We Respond to Rights Requests
Timeframe:
- We will respond to valid requests within 1 month of receipt
- This may be extended by up to 2 additional months for complex requests (we will inform you of any extension)
Free of Charge:
- We do not charge a fee for valid rights requests
- We may charge a reasonable fee for manifestly unfounded, excessive, or repetitive requests
- We may refuse requests that are manifestly unfounded or excessive
Identity Verification:
- We may request additional information to verify your identity before responding to rights requests
- This protects against fraudulent requests and unauthorised access
Format:
- We will provide information in a concise, transparent, intelligible, and easily accessible form
- We will use clear and plain language
Response Content:
- We will inform you of action taken on your request
- If we refuse a request, we will explain why and inform you of your right to complain to the ICO
12. Children's Privacy
Our platform is designed for adult social care services and is not intended for use by children under the age of 18.
Service Users:
Where our platform is used to manage care for young people (16-17 year olds receiving adult social care services), the care provider is responsible for:
- Obtaining appropriate consent or having another lawful basis for processing
- Respecting the young person's developing capacity and autonomy
- Following Gillick competence principles where applicable
Platform Users:
We do not knowingly allow individuals under 18 to create user accounts on our platform. All platform users must be employed or contracted by the care provider organisation.
If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete that information promptly.
13. Cookies and Tracking Technologies
Our website uses cookies and similar tracking technologies. We use different types of cookies for different purposes.
Essential Cookies: These cookies are necessary for the website and platform to function and cannot be switched off. They include:
- Authentication cookies (to keep you logged in)
- Security cookies (to prevent fraud and enhance security)
- Session cookies (to remember your preferences during a session)
Analytics Cookies: We use analytics cookies to understand how visitors use our website, which helps us improve the user experience. These cookies collect anonymised information such as:
- Number of visitors
- Pages visited
- Time spent on pages
- Traffic sources
We use Care Pathway Pro Analytics for this purpose. Analytics cookies are only set with your consent.
Marketing Cookies: We may use marketing cookies to show you relevant advertisements on other websites. These cookies are only set with your consent.
Your Cookie Choices:
- You can control cookie preferences through our cookie banner when you first visit our website
- You can change your cookie preferences at any time by visiting our Cookie Policy
- You can also control cookies through your browser settings
For more detailed information about the cookies we use and your choices, please see our Cookie Policy.
14. Links to Other Websites
Our website and platform may contain links to third-party websites, services, or resources that are not operated by Care Pathway Pro Ltd.
Important:
- We are not responsible for the privacy practices of third-party websites
- We do not endorse or make any representations about third-party websites
- Third-party websites have their own privacy policies
We encourage you to review the privacy policy of any third-party website before providing personal information.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect:
- Changes in data protection law
- Changes to our services or business practices
- Feedback from regulators or service users
- Best practice developments
How We Notify You:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify our clients via email and in-platform notifications
- We may post a notice on our website for significant changes
- We maintain a version history of this policy
Your Continued Use:
Your continued use of our platform after changes to this Privacy Policy constitutes acceptance of the updated policy.
Review Schedule:
We review this Privacy Policy at least annually to ensure it remains accurate and up-to-date.
16. Legal Basis: Supplementary Information
This section provides additional detail about our legal basis for processing, which may be particularly relevant for care providers, regulators, and legal professionals.
16.1 Statutory Framework
Our processing of special category data for adult social care purposes is grounded in:
Care Act 2014:
- Section 4: Duty to provide information and advice about care and support services
- Section 9: Assessment of an adult's needs for care and support
- Section 10: Assessment of a carer's needs for support
- Section 42: Safeguarding enquiries by the local authority in respect of adults at risk
Health and Social Care Act 2008 (Regulated Activities) Regulations 2014:
- Regulation 17: Good governance (one of the CQC Fundamental Standards)
- Requirements for accurate, complete, and secure records
Mental Capacity Act 2005:
- Best interests decision-making and record-keeping
Common Law Duty of Confidentiality:
- Professional duty to protect confidential information
- Exceptions for safeguarding, legal requirements, and consent
16.2 Proportionality and Necessity
All processing is:
- Necessary for the provision of health or social care
- Proportionate to the care needs being addressed
- Limited to what is required for safe, effective care delivery
- Subject to appropriate safeguards through access controls, encryption, and audit trails
17. Complaints and Concerns
We are committed to resolving any concerns about how we handle personal data.
17.1 Internal Complaints
If you have concerns about how we process personal data:
Step 1: Contact Us
Email: dpo@carepathwaypro.co.uk
Address: Data Protection Officer, Care Pathway Pro Ltd, 124 City Road, London, EC1V 2NX
Step 2: We Investigate
- We will acknowledge your complaint within 3 working days
- We will investigate and provide a full response within 1 month
- Complex complaints may take up to 3 months (we will keep you informed)
Step 3: Resolution
- We will explain our findings and any actions taken
- If you remain unsatisfied, you can escalate to the ICO (see below)
17.2 Information Commissioner's Office (ICO)
You have the right to lodge a complaint with the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
Email: casework@ico.org.uk
ICO Live Chat: Available on the ICO website
When to Contact the ICO:
- You believe we have breached UK GDPR or data protection laws
- You are unsatisfied with how we have responded to your complaint
- You want independent advice about your data protection rights
We would appreciate the opportunity to address your concerns directly before you approach the ICO, but this is your right and will not affect you negatively.
18. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices:
Data Protection Officer:
Kieron Bygraves
Email: dpo@carepathwaypro.co.uk
General Privacy Enquiries:
Email: privacy@carepathwaypro.co.uk
Security Concerns:
Email: security@carepathwaypro.co.uk
Postal Address:
Care Pathway Pro Ltd
Data Protection Enquiries
124 City Road
London
EC1V 2NX
United Kingdom
Office Hours:
Monday to Friday, 9:00 AM - 5:00 PM UK time (excluding UK bank holidays)
We aim to respond to all enquiries within 3 working days.
19. Glossary of Terms
Data Controller: The organisation that determines the purposes and means of processing personal data. In most cases, the care provider organisation is the data controller.
Data Processor: An organisation that processes personal data on behalf of the data controller. Care Pathway Pro Ltd acts as a data processor for care providers.
Data Subject: An individual whose personal data is being processed. This includes service users, staff members, and website visitors.
Personal Data: Any information relating to an identified or identifiable individual, such as name, address, email, NHS number, or care records.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life, or sexual orientation. Health and social care information is special category data.
Processing: Any operation performed on personal data, including collection, recording, organisation, storage, retrieval, use, disclosure, or deletion.
UK GDPR: The UK General Data Protection Regulation, which is the retained EU GDPR as incorporated into UK law.
DPA 2018: The Data Protection Act 2018, which supplements the UK GDPR and includes provisions specific to the UK.
ICO: The Information Commissioner's Office, the UK's independent data protection regulator.
Sub-Processor: A third-party organisation engaged by Care Pathway Pro Ltd to process personal data on behalf of our clients.