
GDPR and Data Policy

GDPR & DATA PROTECTION POLICY
New Horizon Healthcare Staffing Platform
Last Updated: May 2026
Version: 1.0

================================================================================

TABLE OF CONTENTS

  1. Introduction
  2. What Personal Data We Collect
  3. How We Use Your Data
  4. Legal Basis for Processing
  5. Data Sharing and Disclosure
  6. Data Retention
  7. Your Data Protection Rights
  8. Data Security
  9. Cookies and Tracking
  10. International Data Transfers
  11. Children’s Privacy
  12. Changes to This Policy
  13. Contact Information

================================================================================

1. INTRODUCTION

New Horizon (“we”, “our”, “us”) is committed to protecting your personal data and
respecting your privacy. This Data Protection Policy explains how we collect, use,
store, and protect your personal information when you use our healthcare staffing
platform.

We are a data controller under the UK General Data Protection Regulation (UK GDPR)
and the Data Protection Act 2018.

================================================================================

2. WHAT PERSONAL DATA WE COLLECT

We collect the following categories of personal data:

2.1 Identity and Contact Information

  • Full name, date of birth, nationality
  • Address, city, postcode, country
  • Phone number, email address
  • National Insurance number
  • Profile photo

2.2 Professional Information

  • Job title, role, specialisms
  • Years of experience, work history
  • Professional registration numbers (NMC PIN, HCPC number)
  • SCW registration number (where applicable)

2.3 Compliance and Qualification Data

  • DBS certificate number and expiry date
  • Enhanced DBS update service status
  • Training certificates (BLS, Moving & Handling, Safeguarding, etc.)
  • Occupational health clearance
  • References from previous employers

2.4 Employment Data

  • Shift bookings and schedules
  • Timesheets and hours worked
  • Clock in/out records
  • Performance records
  • Availability preferences
  • Travel radius and transport details

2.5 Account Data

  • Username and password (encrypted)
  • Account status (pending, approved, suspended)
  • Login history and activity logs

2.6 Special Category Data (Sensitive Personal Data)

  • Health information (occupational health assessments)
  • Disability information (where disclosed)
  • Criminal record information (DBS checks)

================================================================================

3. HOW WE USE YOUR DATA

We use your personal data for the following purposes:

3.1 Staff Management

  • To manage your employment with New Horizon
  • To assign you to the appropriate healthcare shifts
  • To process timesheets and payroll
  • To monitor compliance with regulatory requirements

3.2 Regulatory Compliance

  • To verify your professional qualifications (NMC, HCPC, DBS)
  • To ensure you meet mandatory training requirements
  • To maintain records required by CQC and other regulatory bodies
  • To report to safeguarding authorities where required

3.3 Health and Safety

  • To assess fitness for work
  • To ensure appropriate staffing levels for patient safety
  • To manage occupational health records

3.4 Communication

  • To send you shift assignments and schedules
  • To communicate compliance reminders and document expiry alerts
  • To respond to your enquiries and requests

3.5 Platform Administration

  • To maintain and improve our platform
  • To prevent fraud and ensure security
  • To analyse usage patterns for service improvement

================================================================================

4. LEGAL BASIS FOR PROCESSING

We rely on the following legal bases under UK GDPR:

4.1 Contractual Necessity (Article 6(1)(b))

  • Processing necessary for your employment contract
  • Managing shifts, timesheets, and payroll

4.2 Legal Obligation (Article 6(1)(c))

  • Compliance with CQC regulations
  • Mandatory reporting to regulatory bodies
  • Health and safety requirements

4.3 Vital Interests (Article 6(1)(d))

  • Emergency staffing situations
  • Safeguarding vulnerable individuals

4.4 Legitimate Interests (Article 6(1)(f))

  • Preventing fraud and ensuring platform security
  • Improving our services
  • Business administration

4.5 Special Category Data (Article 9)

  • Employment and social protection law (Article 9(2)(b))
  • Vital interests (Article 9(2)(c))
  • Legal claims or judicial acts (Article 9(2)(f))
  • Reasons of substantial public interest (safeguarding) (Article 9(2)(g))
  • Health and social care (Article 9(2)(h))

================================================================================

5. DATA SHARING AND DISCLOSURE

We may share your personal data with the following third parties:

5.1 Healthcare Providers

  • When assigning you to work at specific facilities
  • For shift management and supervision
  • For emergency contact purposes

5.2 Regulatory Bodies

  • CQC (Care Quality Commission) for inspections and compliance
  • NMC (Nursing and Midwifery Council) for registration verification
  • HCPC (Health and Care Professions Council) for registration verification
  • DBS (Disclosure and Barring Service) for criminal record checks
  • Local safeguarding boards (where required)

5.3 Service Providers

  • Payroll providers (for salary payments)
  • IT hosting providers (for secure data storage)
  • Email service providers (for communications)
  • Background check providers

5.4 Legal Authorities

  • Police or law enforcement (where legally required)
  • Courts (in legal proceedings)
  • Government agencies (for statutory reporting)

We never sell your personal data to third parties for marketing purposes.

================================================================================

6. DATA RETENTION

We retain your personal data for the following periods:

6.1 Employment Records

  • While you are employed with New Horizon
  • Plus 7 years after employment ends (statutory requirement)

6.2 Compliance Documents

  • DBS certificates: 3 years after expiry or until renewed
  • Training certificates: Until superseded by new certificates
  • Occupational health records: 7 years after employment ends

6.3 Timesheets and Payroll Records

  • 7 years (statutory requirement for tax and employment law)

6.4 Shift Records

  • 7 years (for audit and compliance purposes)

6.5 Application Records

  • Unsuccessful applications: 12 months
  • Successful applications: Retained as employment records

6.6 Account Data

  • Deleted upon account closure, except where legal retention applies

After retention periods expire, data is securely deleted or anonymised.

================================================================================

7. YOUR DATA PROTECTION RIGHTS

Under UK GDPR, you have the following rights:

7.1 Right to Access

  • Request a copy of your personal data
  • Receive information about how we use your data

7.2 Right to Rectification

  • Request correction of inaccurate data
  • Request completion of incomplete data

7.3 Right to Erasure (“Right to be Forgotten”)

  • Request the deletion of your data
  • Exceptions apply where legal retention is required

7.4 Right to Restrict Processing

  • Request a limitation on how we process your data
  • While we verify accuracy or contest processing

7.5 Right to Data Portability

  • Receive your data in a structured, machine-readable format
  • Transfer data to another organisation

7.6 Right to Object

  • Object to processing based on legitimate interests
  • Object to direct marketing

7.7 Rights Related to Automated Decision Making

  • Not subject to automated decision-making
  • Human review available for all significant decisions

To exercise these rights, contact us using the details in Section 13.

================================================================================

8. DATA SECURITY

We implement appropriate technical and organisational measures:

8.1 Technical Security

  • Encryption of data in transit (SSL/TLS)
  • Encryption of sensitive data at rest
  • Secure password hashing
  • Regular security updates and patches
  • Two-factor authentication for admin accounts

8.2 Organisational Security

  • Staff training on data protection
  • Access controls based on role and need-to-know
  • Regular security audits and penetration testing
  • Incident response procedures

8.3 Physical Security

  • Secure data centres with access controls
  • Environmental controls (fire, temperature, power)

8.4 Data Breach Response

  • Notification to affected individuals within 72 hours
  • Notification to ICO within 72 hours (where required)
  • Investigation and remediation procedures

================================================================================

9. COOKIES AND TRACKING

We use cookies and similar technologies:

9.1 Essential Cookies

  • Session management
  • Security authentication
  • Platform functionality

9.2 Analytics Cookies

  • Google Analytics (with IP anonymisation)
  • Platform usage statistics
  • Performance monitoring

9.3 Cookie Preferences

  • You can manage cookie preferences through browser settings
  • Disabling cookies may affect platform functionality

9.4 Third-Party Cookies

  • We do not use third-party advertising cookies
  • Third-party service providers may use cookies for their services

================================================================================

10. INTERNATIONAL DATA TRANSFERS

We primarily store and process data within the United Kingdom and the European
Economic Area (EEA).

10.1 Data Stored Outside EEA

  • Some data may be processed by US-based service providers
  • We ensure adequate protection through:
      • Standard Contractual Clauses (SCCs)
      • EU-US Data Privacy Framework (where applicable)
      • UK Addendum to SCCs

10.2 Cloud Services

  • Data stored in UK-based cloud infrastructure
  • Regular security assessments of cloud providers

================================================================================

11. CHILDREN’S PRIVACY

Our platform is intended for use by adults (18+) for employment purposes.

We do not knowingly collect personal data from children under 18. If we discover
that we have inadvertently collected data from a child, we will take immediate
steps to delete it.

================================================================================

12. CHANGES TO THIS POLICY

We may update this Data Protection Policy from time to time. We will:

  • Notify you of significant changes by email
  • Post the updated policy on our platform
  • Update the “Last Updated” date at the top of this policy

Your continued use of the platform after changes constitutes acceptance of the
updated policy.

================================================================================

13. CONTACT INFORMATION

If you have questions about this policy or your data protection rights, please
contact:

Data Protection Officer (DPO)
New Horizon Healthcare Staffing
Email: dpo@newhorizon.co.uk
Phone: [Insert phone number]
Address: [Insert physical address]

For complaints about our handling of your data, you also have the right to contact
the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom

Website: https://ico.org.uk
Phone: 0303 123 1113

================================================================================

END OF POLICY