Skip to main content

Direct Payments Privacy Notice

Privacy notice relating to the processing of personal data by Rhondda Cynon Taf County Borough Council for the purpose of Direct Payments. 

Introduction

This privacy notice is intended to provide information about how Rhondda Cynon Taf County Borough Council (referred to as ‘RCTCBC’, ‘Council’, ‘Local Authority’, ‘we’) will use (or ‘process’) personal data about individuals for the purpose of Direct Payments.

This notice should be read in conjunction with;

The Data Controller

The Council is the data controller for the personal data processed for the purposes of Direct Payments.

The Council is registered with the Information Commissioner’s Office (ICO) as a controller under reference Z4870100.

Queries relating to this privacy notice

If you have any questions or queries relating to this privacy notice please contact

By email : socialservices@rctcbc.gov.uk

By telephone : 01443 425003 

In writing : Social Services, Ty Elai, Dinas Isaf Industrial Estate, Tonypandy, CF40 1NY

Who we are what we do 

Direct payments are monetary amounts made available by RCT Social Services to individuals or their representative, to help meet their needs as identified within their care and support plan.

Direct Payments can be used to purchase a range of services independently or pay a care agency to provide the required support.  They can also be used to purchase a variety of services, equipment or activities. 

Our community care connect platform helps our service users in receipt of direct payments find and arrange support.

Whose personal data we process

We may process personal data relating to the following when processing Direct Payments;

  • Service Users
  • Care Providers

The categories of personal data we process

We may process the following categories of personal data in relation to Direct Payments

  • Contact details such as name, address, email address or telephone number
  • Personal identifiers such as date of birth, WCCIS number
  • Your Image (if used on our community care connect platform)
  • Health Information
  • Financial Information
  • ID Documentation such as passport, driving licence, birth certificate

If you are employed by a direct payment recipient or advertise your services for employment on our Community Care Connect platform we may also process the following:

  • Your Image (if used on our community care connect platform)
  • DBS certificate number
  • Any criminal data which may be identified as part of the DBS checks
  • Skills, qualifications and training
  • Insurance Information

Why we process the personal data 

The processing may include but is not limited to the following activities.

  • To process direct payments in line with care and support plans, which includes completing financial assessments, issuing payments, providing pre-paid mastercards
  • Carry out monitoring checks of all direct payments to financially safeguard the Council and the recipient.
  • Assist service users in creating an account on our community care connect platform.
  • Assist service users in linking with and interviewing suitable care providers. 
  • Assist service users with making payments to care providers.
  • Advertise our community care connect platform to encourage care providers to register and offer their services.
  • Complete suitability checks on care providers prior to them working with our service users, which includes (Identity and Address, Right to Work, DBS, Insurance, Safeguarding checks etc)
  • Authorise care providers to advertise on the platform once all the necessary suitability checks have been completed.
  • To improve the services we offer, we will either consult with you directly (if you have agreed to do so), or by sending a questionnaire/survey. 

Our lawful basis for processing the personal data

Under the General Data Protection Regulation (GDPR), our lawful basis for processing the personal data is;

  • Legal Obligation – Article 6(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Public Task - Article 6(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Health or Social Care – Article 9(2)(h) - Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
  • Article 10 GDPR, Schedule 1, Part 1(18) – Safeguarding of children and of individuals at risk.

The primary legislation, regulations and guidance that supports this includes, but is not limited to;

The Care and Support (Direct Payments) (Wales) Regulations 2015.

Code of Practice ( Part 4 – Meeting Needs) of the Social Services and Wellbeing (Wales) Act 2014

Section 50, 51, 52 & 53 Social Services and Well-being (Wales) Act 2014

Who or where we get the personal data from

We may receive the personal data from the following categories of individuals or organisations;

  • The service user applying for Direct payments or registering on our care connect platform etc.
  • Care providers when advertising their services.
  • Social workers involved in the service users care. 

Who we share personal data with

We may share the personal data with the following key organisations in relation to Direct Payments;

When sharing the personal data, we only share the minimum amount necessary in relation to the purpose. 

Who

Purpose

RCT Finance

To provide the direct payments

RCT Human Resources

To assist with DBS checks

Community Catalysts

To complete suitability checks on care providers

Bronze Labs Ltd

To provide the community care connect platform

Allpay Ltd

To provide pre-paid Mastercards

Data Processors

A data processor is a company or organisation that processes personal data on our behalf. Our data processors act only upon our instruction. They cannot do anything with the personal data unless we instruct them to do so. They will not share the personal data with any organisation apart from us or use it for their own purposes. They will hold it securely and retain it for the period we instruct.

The categories of data processors we use for the purpose is/are;

  • IT Suppliers 

How long we retain the personal data 

We retain the personal data contained within Direct Payment records for: 

Length of time

Reason

We hold direct payments data for current year plus 7 years

Statutory requirement

Identification documents required for pre-paid Mastercards - will be held until 5 years after the end of the relationship with the cardholder (i.e. from the point of card closure or expiry)

Held in line with internal policy

In keeping with the General Data Protection Regulation storage limitation principle, records are periodically reviewed. Not all personal data is retained. Only personal data that is relevant to the record is retained for the entire retention period. Information that has no long term or evidential value is routinely destroyed in the normal course of business.  

Your data protection rights

The General Data Protection Regulation (GDPR) gives individuals important rights, including the right of access to the personal data that the Council holds about you. 

Click here for further information on your information rights and how to exercise them.  

Your right to make a data protection complaint to the Council

You have the right to complain to the Council if you believe we have not handled your personal data responsibly and in line with good practice.

You can do this by contacting us directly via one of the following communication methods. Most concerns can be resolved relatively quickly through a simple phone call or email;

If you have any questions or queries relating to this privacy notice please contact

By email : socialservices@rctcbc.gov.uk 

By telephone : 01443 425003 

In writing : Social Services, Ty Elai, Dinas Isaf Industrial Estate, Tonypandy, CF40 1NY 

Alternatively, you can raise a formal complaint via the Council’s Customer Feedback Scheme using the following link (Make a comment, compliment or complaint online) or you can contact the Council’s Data Protection Officer at Information.management@rctcbc.gov.uk. 

Your right to make a data protection complaint to the ICO

You also have the right to complain to the ICO if you are unhappy with how we have used your data. However, we encourage you to contact us first and provide us with an opportunity to look into your concern and put things right.

The ICO can be contacted:           

  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline number: 0303 123 1113
  • Website: https://www.ico.org.uk