Data Protection Policy

In compliance with the principles of
The Data Protection Act 1998
The Conduct of Employment Agencies
Employment Businesses Regulations 2003


Keystone Healthcare Ltd (“the Agency”) needs to keep certain information about its employees, associates and other users to allow it to monitor performance, achievements, and health and safety, for example. It also needs to process information so that members of staff can be recruited and paid, support for Associates organised and obligations to Partners and government complied with. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully. To do this, the Agency must comply with the Data Protection Principles, which are set out in the Data Protection Act 1998 and The Conduct of Employment Agencies Regulations 2003.

In summary these state that personal data shall:

1.  Be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met.

2.  Be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.

3.  Be adequate, relevant and not excessive for those purposes.

4.  Be accurate and kept up-to-date.

5.  Not be kept for longer than is necessary for that purpose.

6.  Be processed in accordance with the Data Subject’s rights.

7.  Be kept safe from unauthorised access, accidental loss or destruction.

8.  Not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data.

The Agency and all members of staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, the Agency has developed this Data Protection Policy.


Status of the Policy

This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by the Agency from time-to-time. Any failure to follow the policy can therefore result in disciplinary proceedings.

Any Associate or member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the Designated Data Controller initially. If the matter is not resolved it should be raised as a formal grievance.


The Data Controller and the Designated Data Controller

The Agency as a body corporate is the Data Controller under the Act, and the Trustees are therefore ultimately responsible for the implementation of the Data Protection Policy. However, the Designated Data Controller will deal with day-to-day matters. The Agency has appointed Mr Richard Ward to act as Designated Data Controller and Data Protection Officer. Keystone Healthcare are registered Data Keepers.


Responsibilities of Staff

Staff Information

All members of staff are responsible for:

  • Checking that any information they provide to the Agency in connection with their employment is accurate and up-to-date.
  • Informing the Agency of any error or change to the information they have provided, for instance a change of address. The Agency cannot be held responsible for any such errors unless the member of staff has informed the Agency of them.

Data Security

When, as part of their responsibilities, members of staff collect information about other people (for instance about Associates’ backgrounds) they must comply with the Guidelines for Members of Staff.

All members of staff are responsible for ensuring that:

  • Any personal data held by them is kept securely; for instance, computerised data should be password protected; and
  • Personal information is not disclosed either orally or in writing, accidentally or otherwise, to any unauthorised third party.

Members of staff should note that unauthorised disclosure will usually be a disciplinary matter, and may also result in a personal liability for the individual member of staff.


Responsibilities of Associates 

Associates should ensure that all personal data provided to the Agency (such as telephone numbers or email addresses) is accurate and up-to-date.


Right to Access Information

As per the Data Protection Act 1998, members of staff, Associates and other Data Subjects of the Agency have the right to request access to any personal data that is being kept about them either on computer or in certain files. Any person who wishes to exercise this right should complete a Subject Access Request in writing and submit it to the Designated Data Controller (see above).

In all cases where data is requested, the Agency will charge £20 on each occasion that access is requested. The Agency aims to comply with requests for access to personal information as quickly as possible, but will ensure it is provided within 40 days.


Subject Consent and Processing Sensitive Information

Personal Data

The Agency has to process personal information to efficiently manage its day-to-day operations and operate other policies, such as its equal opportunities policy. Agreement to the Agency processing some specified types of personal data is a condition of becoming a Keystone Associate, and a condition of employment for members of staff.

Some examples of the ways in which this data may be used are set out below:

  • Informing a client about their background information or progress.
  • Informing a client of an Associate’s background and progress through application processes.
  • Sharing an Employee’s address with our payroll company.

A list of what information we consider to be personal data can be found in the Glossary section. 

Sensitive Data

The Agency may also have to process some sensitive personal information to best serve its purpose. Agreement to the Agency processing some specified types of sensitive data is a condition of becoming a Keystone Associate, and a condition of employment for members of staff. This includes past criminal convictions.

However, we will not share your sensitive information with a third party without obtaining your explicit consent.

Some examples of why we might ask to share your personal data are set out below:

  • Informing a Partner Employer who has requested information to help inform their recruitment decision about an Associate.

In compliance with the Data Protection Act 1998, a list of types of information that are considered to be sensitive data can be found in the Glossary section.

Retention of Data

Different categories of data will be retained for different periods of time. The Agency will need to keep some data on members of staff and Associates indefinitely. This will include information necessary in respect of pensions, taxation, potential or current disputes or litigation regarding the employment, information required for job references as well as for future research.

Any sensitive information held on a Keystone Associate will either be disposed of, or if needed for future research, anonymised one year after the Associate has ceased their relationship with the Agency.

In the case of individuals who apply to become Associates but are rejected, the Agency will delete all information other than: name, email address, year of study and reason for rejection, one year after their application was made. This remaining information will be kept indefinitely.



Compliance with the Data Protection Act 1998 is the responsibility of all members of the Agency. Any deliberate breach of the Data Protection Policy may lead to disciplinary action being taken, or access to Agency facilities being withdrawn, or even a criminal prosecution. Any questions or concerns about the interpretation or operation of this policy should be taken up with the Designated Data Controller.

The Agency is obliged to abide by all legal requests for information made by law enforcement or judicial bodies.