WEBSITE PRIVACY POLICY (GDPR)
Mutima Care
Document Ref: MC-PRIV-01 Version: 1.0
Date: March 2026 Review Date: February 2027
Regulation: Reg 17 (Good Governance – Records) Scope: Service Users, Staff, & Public
Integration with ISO 9001 & CQC Regulations
In line with ISO 9001:2015 Clause 7.5 (Documented Information) and CQC Regulation 17 (Good Governance), Mutima Care ensures that all documented information (personal data) is adequately protected against loss of confidentiality, improper use, or loss of integrity. We also strictly adhere to the Eight Caldicott Principles for handling patient data and complete the NHS Data Security and Protection Toolkit (DSPT) annually.
- Introduction
HeartReach Group Ltd, trading as Mutima Care (“we”, “us”, or “our”), is committed to protecting the privacy and security of your personal information. This Privacy Notice explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We are the “Data Controller” for the information you provide to us. This means we are responsible for deciding how we hold and use personal information about you. We have appointed a Caldicott Guardian / Data Protection Lead to oversee compliance with this policy and ensure that service user confidentiality is always prioritised. We are formally registered with the Information Commissioner’s Office (ICO), and our registration number is .
- The Data We Collect About You
To provide safe and effective care, handle referrals, and process job applications, we collect different types of data, including:
• Personal Identifiers: Name, address, telephone number, and email address, along with details of your Next of Kin, emergency contacts, and any designated Lasting Power of Attorney (LPA).
• Special Category (Sensitive) Data: Medical history, care needs, physical or mental health details, and hospital discharge summaries. This also includes records of medication administered, daily care logs, and safeguarding information.
• Professional & Employment Data: Job titles, referring organisations (e.g., NHS Trusts, Local Authorities), and employee application details, including Enhanced DBS certificates, right-to-work checks, and occupational health records.
• Digital & Environmental Data: IP addresses and website usage tracking via cookies (you can manage these preferences via our Cookie Banner). For some service users, this may include data generated by assistive technology (e.g., sensor mats or digital lock access logs) used as part of their care plan.
• Surveillance & Telecare Data: If you visit our office premises, your image may be captured on CCTV, which is used strictly for security and crime prevention. Where overt surveillance (e.g., cameras or microphones) is used in a care setting to keep people safe, this will only be done with explicit consent, transparent signage, and documented legal rationale in line with the Human Rights Act 1998.
- How We Collect Your Data
We collect personal data through:
• Direct interactions via our website forms (Family Enquiries, Professional Referrals, and Job Applications).
• Direct communication via email (referral@mutimacare.co.uk, recruitment@mutimacare.co.uk) or telephone (020 3951 4660).
• Third parties, such as Hospital Discharge Coordinators, Social Services, GPs, and family members.
• Care Delivery Systems: Data is continuously collected during the provision of care and recorded securely on our digital care planning system (Nourish Care) by our care staff.
- Our Lawful Basis for Processing Your Data
Under the UK GDPR, we must have a legal basis to process your data. We rely on the following:
• Direct Care (Service Users): Processing is necessary for the provision of health or social care treatment (Article 9(2)(h) of the UK GDPR) and for the performance of our contract with you (Article 6(1)(b)).
• Employment (Staff): Processing is necessary for carrying out our obligations under employment law and to fulfil employment contracts.
• Legitimate Interests: To operate our business securely, manage recruitment, and improve our services.
• Legal Obligation: To comply with regulatory requirements, such as those mandated by the Care Quality Commission (CQC), HMRC, and health and safety legislation.
• Consent: Where you have explicitly agreed to us processing your data (e.g., cookie preferences or using photographs for marketing). Note: We do not rely on consent for providing direct care, as this falls under the ‘Direct Care’ provision. Where we rely on your consent, you have the right to withdraw it at any time. We ensure that it is as easy to withdraw consent as it is to give it.
- Who We Share Your Information With
We treat your data with strict confidentiality. We will only share your information when necessary for your care or when legally required. We may share data with:
• Healthcare professionals (GPs, District Nurses, NHS Integrated Care Boards).
• Local Authorities and Social Services (including Safeguarding Adult Boards where there is a risk of harm).
• Emergency services (in life-or-death situations).
• Trusted third-party IT processors (e.g., our secure website form providers, Nourish Care system servers, and encrypted payroll software). All third-party processors are bound by strict Data Processing Agreements.
• The Care Quality Commission (CQC) when legally required to submit statutory notifications (e.g., regarding serious injuries or safeguarding incidents under Regulation 18).
- Data Security and Retention
We embrace the principles of “Data Protection by Design and by Default.” Before starting any new data processing, we complete a Data Protection Impact Assessment (DPIA) to ensure safeguards are built in from the beginning. In all processing, we apply “data minimisation”, using the least amount of identifiable data necessary to complete the work.
We have implemented robust security measures, including Role-Based Access Controls (RBAC) and encryption, to prevent your data from being accidentally lost, used, or accessed in an unauthorised way. Our physical care records are kept in lockable cabinets, and digital records are protected by multi-factor authentication (MFA).
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including satisfying any legal, accounting, or regulatory care reporting requirements. Mutima Care adheres to the Records Management Code of Practice for Health and Social Care:
• Service User Care Records: Retained for 8 years after the conclusion of care (or death).
• Employee Records: Retained for 6 years after employment ceases.
• Unsuccessful Job Applications: Retained for 6 months.
• Following the retention period, data is securely destroyed (cross-cut shredded) or permanently deleted.
- Your Data Protection Rights
Under data protection law, you have rights including:
• Your right of access (Subject Access Request – SAR): You have the right to ask us for copies of your personal information. We will provide this free of charge within one calendar month.
• Your right to rectification: You can ask us to correct information you think is inaccurate or complete information you think is incomplete.
• Your right to erasure: You can ask us to erase your personal information in certain circumstances. (Note: This right is not absolute and may not apply to clinical care records which we are legally obliged to retain).
• Your right to restriction of processing: You can ask us to restrict the processing of your information.
• Your right to object to processing: You have the right to object to processing if we are relying on legitimate interests.
• Your right to data portability: You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
• Your rights regarding automated decision-making and profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you.
- Contact Us & Complaints
If you have any questions about this policy, wish to make a Subject Access Request, or have concerns about how we handle your data, please contact our Registered Manager / Data Protection Lead:
• Email: admin@mutimacare.co.uk
• Phone: 020 3951 4660
• Address: Office 2.18, Clockwise, 50 Station Road, Wood Green, London, N22 7DE
If you remain unhappy with how we have used your data, you have the right to complain to the Information Commissioner’s Office (ICO).
• ICO Website: https://www.ico.org.uk
• ICO Helpline: 0303 123 1113
• ICO Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Signed:
Data Controller
Mutima Care