Privacy Policy – UK Home Adaptation Services | Data Protection & GDPR Compliance 2025

Last Updated: January 1, 2025

Effective Date: January 1, 2025

Privacy Policy – UK Home Adaptation Services

Comprehensive data protection policy covering disabled facilities grants, occupational therapy assessments, and home modification services. Fully compliant with UK GDPR, Data (Use and Access) Act 2025, and specialized requirements for adaptation service providers.

Your Privacy Rights Summary

  • Full transparency about data collection for adaptation services and disability assessments
  • Strict compliance with UK GDPR and specialized healthcare data protection requirements
  • Comprehensive rights including access, rectification, erasure, and data portability
  • Clear retention schedules aligned with disabled facilities grant and NHS requirements

  • DFG Data Retention Period: 7 Years
  • Data Breach Notification: 24 Hours
  • Subject Access Request Response: 30 Days

UK Data Protection Compliance Framework for Adaptation Services

Data Controller Information

Under UK GDPR Article 13, we are required to provide clear information about who controls your personal data and how you can contact us regarding your privacy rights.

Data Controller Details

Organization: Adaptation Services UK

Website: adaptationservices.co.uk

Email: hello@adaptationservices.co.uk

Data Protection Contact: privacy@adaptationservices.co.uk

Jurisdiction: United Kingdom

Regulatory Framework

Primary Legislation: UK GDPR (as amended by Data (Use and Access) Act 2025)

Data Protection Act: 2018 (as amended)

Supervisory Authority: Information Commissioner’s Office (ICO)

Sector-Specific Rules: NHS Data Security Standards, Local Authority Data Sharing Protocols

Registration: ICO Registration Number [Registered Data Controller]

What Personal Data We Collect and Why

We collect personal data necessary to provide adaptation services, process disabled facilities grant applications, conduct occupational therapy assessments, and coordinate with healthcare providers and contractors. All data collection follows data minimization principles under UK GDPR Article 5(1)(c).

Assessment and Application Data

Personal Information

  • Full name, date of birth, NHS number
  • Current address and contact details
  • Emergency contact information
  • Housing tenure status (owner/tenant)
  • Household composition and income details

Medical and Disability Information

  • Medical diagnoses and conditions
  • Functional assessment results
  • Mobility and accessibility requirements
  • Healthcare provider referrals
  • Occupational therapy reports

Financial and Eligibility Data

Means Testing Information

  • Income from all sources (pensions, benefits, employment)
  • Savings and investment details
  • Property valuations and ownership details
  • Benefit entitlements and claim history
  • Financial hardship documentation

Grant Processing Data

  • Application forms and supporting documents
  • Local authority assessments
  • Funding decisions and appeal records
  • Payment schedules and transaction records
  • Contractor selection and approval data

Property and Technical Data

Property Information

  • Property surveys and structural assessments
  • Planning permission and building regulation data
  • Landlord consent and lease agreements (if applicable)
  • Utility and service provider information
  • Safety assessments and risk evaluations

Digital and Communication Data

  • Email communications and appointment records
  • Phone call logs and SMS communications
  • Website usage data and cookies (see separate policy)
  • Digital form submissions and timestamps
  • Video call recordings (with explicit consent)

How We Process Your Personal Data

Our data processing activities are designed to support individuals through the adaptation process while maintaining strict privacy protections. All processing is documented in our Article 30 Register of Processing Activities, available upon request.

Assessment and Evaluation Processing

Occupational Therapy Assessments

  • Functional capacity evaluations and mobility assessments
  • Environmental risk assessments and safety planning
  • Equipment recommendations and adaptation specifications
  • Progress monitoring and reassessment scheduling
  • Integration with NHS and social care records

Eligibility and Means Testing

  • Income and asset verification with HMRC and DWP
  • Benefit entitlement checks and cross-referencing
  • Financial contribution calculations and adjustments
  • Exceptional circumstances reviews and appeals
  • Fraud prevention and data validation checks

Implementation and Contractor Management

Project Coordination

  • Technical specifications development and approval
  • Contractor selection and background verification
  • Project timeline coordination and milestone tracking
  • Quality assurance inspections and compliance checks
  • Warranty management and post-installation support

Data Sharing with Third Parties

  • Approved contractor access to property and technical data
  • Local authority grant processing and approval workflows
  • Healthcare provider integration and referral management
  • Building control and planning authority notifications
  • Insurance and warranty provider data sharing

Quality Assurance and Improvement

Service Monitoring

  • User satisfaction surveys and outcome measurements
  • Processing time analysis and efficiency improvements
  • Contractor performance monitoring and ratings
  • Complaint handling and resolution tracking
  • Accessibility impact assessments and reporting

Research and Development

  • Anonymous data analysis for service improvement
  • Adaptation effectiveness studies and research projects
  • Technology integration and smart home developments
  • Policy development and legislative compliance
  • Best practice sharing with sector organizations

Data Sharing and Third-Party Processors

We only share your personal data when necessary for service delivery, legal compliance, or with your explicit consent. All third parties are bound by comprehensive data processing agreements meeting UK GDPR Article 28 requirements.

Essential Service Partners

Local Authorities

Purpose: DFG processing, social services coordination
Legal Basis: Public task, statutory obligations
Data Shared: Application forms, assessments, financial information

NHS and Healthcare Providers

Purpose: Medical referrals, treatment coordination
Legal Basis: Health and social care provision
Data Shared: Medical history, functional assessments

Approved Contractors

Purpose: Adaptation installation and maintenance
Legal Basis: Contract performance, legitimate interests
Data Shared: Property details, technical specifications, contact information

Technology and Support Services

Cloud Hosting Providers

Purpose: Secure data storage and system hosting
Location: UK and EU data centers only
Safeguards: Encryption, access controls, audit logging

Communication Platforms

Purpose: Appointment scheduling, video consultations
Data Minimization: Automated deletion of recordings
Compliance: NHS Digital approved suppliers

Payment Processors

Purpose: Grant disbursements, contribution processing
Standards: PCI DSS compliance, FCA authorization
Retention: Minimum required for financial regulations

Data Sharing Safeguards and Controls

Technical Measures

  • End-to-end encryption in transit and at rest
  • Role-based access controls and authentication
  • Automated audit logging and monitoring
  • Regular penetration testing and security assessments

Contractual Protections

  • Data Processing Agreements (Article 28)
  • Data minimization and purpose limitation clauses
  • Breach notification requirements (24-hour SLA)
  • Regular compliance audits and certification

Organizational Controls

  • Privacy impact assessments for new sharing arrangements
  • Regular partner due diligence and reviews
  • Staff training on data sharing protocols
  • Incident response and breach notification procedures

Data Retention and Deletion Schedules

Under UK GDPR Article 5(1)(e), we must not keep personal data longer than necessary. Our retention schedules balance legal requirements, operational needs, and your privacy rights, with regular review and secure deletion procedures.

Data Retention Timeline by Category

| Data Category | Retention Period | Legal Basis | Deletion Method |
|---|---|---|---|
| DFG Applications (Approved) | 7 years from completion | Local Government transparency requirements | Secure deletion + audit trail |
| DFG Applications (Rejected) | 3 years from decision | Appeals process, quality assurance | Automated deletion |
| Medical/Health Records | 8 years from last contact | NHS Records Management Code | Clinical data destruction protocol |
| Financial Information | 6 years from tax year end | HMRC requirements, audit compliance | Secure shredding/digital wipe |
| Contractor Communications | 2 years from project completion | Warranty claims, quality issues | Automated system deletion |
| Marketing Consent | Until consent withdrawn + 1 month | GDPR consent management | Immediate suppression + deletion |
| Website Analytics | 26 months (Google Analytics 4) | Legitimate interests, service improvement | Automatic expiry |
| CCTV/Security Footage | 30 days (unless incident reported) | Security, health & safety | Automatic overwrite cycle |
| Backup Data | Same as original + backup cycle | Business continuity, disaster recovery | Coordinated deletion across systems |

Extended Retention Circumstances

Legal Proceedings

Data retention may be extended when legal proceedings are ongoing, anticipated, or where litigation hold notices are in effect. This includes:

  • Active court cases or tribunal proceedings
  • Investigation by regulatory authorities (ICO, Ombudsman)
  • Insurance claims and dispute resolution
  • Safeguarding investigations or child protection cases

Ongoing Care Relationships

Where individuals continue to receive services or maintain active relationships with partner organizations:

  • Continuing healthcare support and monitoring
  • Long-term equipment maintenance and warranty
  • Research studies with ongoing data collection
  • Quality improvement programs and outcome tracking

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights over your personal data. We are committed to facilitating these rights promptly and without charge, with most requests completed within one month of receipt.

Right of Access (Article 15)

Request copies of all personal data we hold about you, including processing purposes, data categories, and retention periods.

Response Time: 30 days (extendable to 90 for complex requests)
Format Options: Secure PDF, encrypted email, postal delivery
Cost: Free for first request per year

Right to Rectification (Article 16)

Correct inaccurate personal data or complete incomplete records. We will notify third parties of corrections where appropriate.

Process: Online form, email, or written request
Verification: Identity and supporting evidence required
Notification: Third parties informed of changes

Right to Erasure (Article 17)

Request deletion of personal data where processing is no longer necessary or consent is withdrawn.

Limitations: Legal obligations, public interest, legitimate interests
Process: Secure deletion with audit trail
Notification: Third parties informed where practicable

Right to Restrict Processing (Article 18)

Limit how we use your data while disputes are resolved or accuracy is verified.

Triggers: Accuracy disputes, unlawful processing, legal claims
Effect: Data stored but not processed without consent
Duration: Until restriction reason resolved

Right to Data Portability (Article 20)

Receive personal data in structured, machine-readable format for transfer to another service.

Scope: Data provided by you, processed automatically
Formats: JSON, XML, CSV as appropriate
Transfer: Direct transmission where technically feasible

Right to Object (Article 21)

Object to processing based on legitimate interests, direct marketing, or research purposes.

Direct Marketing: Immediate cessation required
Legitimate Interests: Must demonstrate compelling grounds
Research: Exceptions for public interest research

How to Exercise Your Rights

Contact Methods

Required Information

  • Full name and current address
  • Date of birth or NHS number
  • Specific data or processing activity
  • Preferred response format
  • Identity verification documents

Response Process

  • Acknowledgment within 72 hours
  • Identity verification (if required)
  • Processing and internal consultation
  • Response within 30 days (or explanation)
  • Follow-up support if needed

Complaints and Regulatory Oversight

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to complain to the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can address your concerns directly.

Internal Complaints Process

Stage 1: Direct Resolution

Contact our privacy team directly at privacy@adaptationservices.co.uk. Most issues are resolved within 5 working days through direct dialogue and corrective action.

Stage 2: Formal Investigation

If unresolved, complaints are escalated to our Data Protection Officer for formal investigation. Written response provided within 20 working days with findings and remedial actions.

Stage 3: Independent Review

Final internal stage involves independent review by senior management. Comprehensive assessment and final response within 40 working days of original complaint.

Information Commissioner’s Office

Contact Information

Website: ico.org.uk

Phone: 0303 123 1113

Online: ICO complaints portal

Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF

When to Contact ICO

  • Our internal process has been exhausted
  • You believe we’ve seriously breached GDPR
  • Systematic or widespread data protection issues
  • You prefer independent investigation from start

ICO Investigation Process

The ICO will assess complaints and may investigate, issue enforcement notices, or impose fines up to £17.5m or 4% of annual turnover for serious breaches.

Contact Information and Support

Privacy and Data Protection Team

Primary Contact

Email: privacy@adaptationservices.co.uk

General Inquiries: hello@adaptationservices.co.uk

Response Time: Within 72 hours for privacy inquiries

Office Hours: Monday-Friday, 9:00 AM – 5:00 PM GMT

Data Protection Officer

Email: dpo@adaptationservices.co.uk

Role: Independent oversight of data protection compliance

Direct Access: Available for complex privacy matters

Reporting: Reports directly to senior management

Privacy Support Resources

Self-Service Options

  • Online privacy request forms
  • Consent management portal
  • Privacy notice updates and alerts
  • Data subject rights guidance documents

Specialized Support

  • Accessible format privacy notices
  • Telephone support for complex requests
  • Translation services (major languages)
  • Easy-read versions for learning disabilities

Emergency Contact

For urgent data protection concerns or potential breaches affecting your personal data, contact our emergency line: 24/7 incident hotline available

Policy Updates and Notification Process

This privacy policy is reviewed annually and updated as necessary to reflect changes in law, regulation, or our processing activities. Significant changes affecting your rights will be communicated directly to you.

Notification Methods

Material Changes

Changes affecting your rights or significantly altering how we process your data:

  • Direct email notification (where contact details available)
  • Prominent website banner for 30 days
  • Letter notification for high-risk changes
  • 30-day notice period before implementation

Minor Changes

Clarifications, contact updates, or technical amendments:

  • Updated version published on website
  • “Last updated” date modified
  • Quarterly newsletter inclusion
  • No additional notification required

Version Control and Archive

Current Version

Version: 3.1

Effective Date: January 1, 2025

Next Review: December 2025

Approval: Data Protection Officer & Board

Previous Versions

Historical versions maintained for compliance and audit purposes:

  • Version 3.0 (January 2024 – December 2024)
  • Version 2.1 (May 2023 – December 2023)
  • Available upon request for legitimate interests
  • 10-year retention for regulatory compliance

Our Commitment to Your Privacy

At Adaptation Services UK, we recognize that your personal data is among your most valuable assets. Our commitment extends beyond legal compliance to embedding privacy-by-design principles in everything we do. We continually invest in training, technology, and processes to ensure your data remains secure and is used only for your benefit.

  • Security First: End-to-end encryption and multi-layer security
  • Rights Respected: Comprehensive data subject rights support
  • Full Transparency: Clear communication about data processing

Questions about this privacy policy or your data rights? Contact us at privacy@adaptationservices.co.uk – we’re here to help ensure your privacy is protected throughout your adaptation journey.