One Care (BNSSG) C.I.C Privacy Notice
The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. A privacy notice can also sometimes be referred to as a fair processing notice.
This privacy notice describes how One Care (BNSSG) C.I.C collects, protects and makes use of personal information. This notice is updated regularly, and any amendments are effective immediately, so we recommend you review this policy often to stay informed.
If you have any questions about this notice or the data we hold, please contact us by post, telephone or email using the details provided at the foot of this notice.
▶ Privacy Notice for website visitors
What information we collect and use, and why
Users may visit our website and use it as often as they like without providing any information; however, certain services provided via the website do require the processing of personal data.
Our ‘Contact us’ form
Our website contains a contact form which collects information such as your name and email address. By submitting the contact form online, you consent to the use of your details for this purpose.
Other Online Forms
Our website may also contain other online forms which could request the submission of personal information, such as your name, date of birth, address and postcode, telephone number, email address and health related data.
Each form will describe the purposes of the information required and the information will be used only as specified by the respective form. The submission of any form on our website provides your consent to the use of your details for the specified purpose.
Mailing lists
Some forms on our website also include a check box asking you for permission for us to add you to our mailing list. This is an opt-in mailing list, and your personal information will be used only by us. Under no circumstances will your personal information, collected in this way, be sold, shared with, or used by any other organisation.
From time to time, we may include links in our e-mails to other web sites which we think may be of interest to you. Each email you receive from us will have the option to remove your e-mail address from our list.
Information we monitor about visitors
During the course of any visit to our site, the pages you see, along with a short text file called a ‘cookie’, are downloaded to your computer. Many websites do this, because cookies facilitate useful features such as the ability to identify whether a user has successfully logged into the site or to find out whether the computer (and probably its user) has visited the website before.
Google Analytics
Google Analytics is a web analysis service provided by Google. Google utilises the data collected to track and examine the use of www.example.com, to prepare reports on its activities and share them with other Google services. Google may use the data collected to contextualize and personalize the ads of its own advertising network.
https://policies.google.com
Security
Our website is https-secured, which means communication between the user's web browser and the server hosting this website is encrypted and cannot be intercepted en route. This can be verified by the padlock icon in the address bar.
How we store personal data
One Care (BNSSG) C.I.C will save and retain personal data for as long as it is required for the purpose for which the data is collected. Any data submitted via online forms are also retained on the web hosting server for a period as specified by us before automatic deletion, typically 30 days.
Personal data is held on-site and safeguarded by a robust mix of hardware, software and user-specific security protocols that ensure access is restricted to authorised One Care staff and devices only.
Data protection rights
UK GDPR provides individuals with legal rights over the processing of their personal information. One or many of the rights described below may apply to the different types of personal information we process. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for.
Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
Your right to erasure – You have the right to ask us to delete your personal information.
Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
Your right to object to processing – You have the right to object to the processing of your personal data.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
If a data protection rights request is made, we must respond without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the foot of this privacy notice.
Contact details
Post
One Care (BNSSG) C.I.C,
Unit 5 Osprey Court, Hawkfield Way,
Hawkfield Business Park,
BRISTOL.
BS14 0BB
Telephone
0117 941 0900
Data Protection Officer
The One Care Data Protection Officer is Thomas Manning who can be contacted as per the contact details at the top of this privacy notice.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details above.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office [ICO].
One Care (BNSSG) C.I.C is registered as a data controller with the ICO.
Our ICO Registration number is ZA269799
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
This notice was last updated on 10th November 2025
▶ Privacy Notice for staff
One Care (BNSSG) C.I.C collects and uses personal data for the purposes of staff recruitment, administration and management; salaries and pensions; and staff health and wellbeing.
What information we collect and use, and why
Staff recruitment, administration and management
We collect or use personal information as part of staff recruitment, administration and management. Information we process includes, but is not limited to:
• Contact details;
• Date of birth;
• National Insurance number;
• Gender;
• Photographs (e.g. staff ID card);
• Copies of passports or other photo ID and proof of address documents (e.g. bank statements or bills);
• Marital status;
• Next of kin or emergency contact details;
• Employment history and references;
• Education history (e.g. qualifications);
• Right to work information;
• Details of any criminal convictions (e.g. DBS checks);
• Performance records (e.g. reviews, disciplinary records, complaints or disciplinary action);
• Training history and development needs.
Salaries and pensions
We collect or use personal information as part of managing salaries and pensions. Information we process includes, but is not limited to:
• Job role and employment contract (e.g. start and leave dates, salary, changes to employment contract or working patterns);
• Time spent working (e.g. time sheets or clocking in and out);
• Expense, overtime or other payments claimed;
• Leave (e.g. sick leave, holidays or special leave);
• Maternity, paternity, shared parental and adoption leave and pay;
• Pension details;
• Bank account details;
• Payroll records;
• Tax status.
Staff health and wellbeing
We collect or use the following personal information for managing staff health and wellbeing. Information we process includes, but is not limited to:
• Occupational health referrals and reports;
• Sick leave forms or fit notes (e.g. Statement of Fitness for Work from a GP or hospital);
• Accident at work records;
• Access needs or reasonable adjustments;
• Protected Characteristics (as defined by the Equality Act and s.75 of the Northern Ireland Act for the purpose of equal opportunities monitoring).
Where we get personal information from
We collect your information from the following places:
• Directly from you;
• Referees (external or internal);
• Occupational Health and other health providers.
Our lawful bases for the collection and use of your data
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Our lawful bases for collecting or using personal information as part of staff recruitment, administration and management; as well as salaries and pensions are:
Article 6(1)(b) processing is necessary for the performance of a contract
We must collect or use the information so we can enter into or carry out a contract with you.
All your data protection rights may apply except the right to object.
Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject
We must collect or use your information so we can comply with the law (e.g. PAYE).
All your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Our lawful bases for collecting or using personal information as part of managing staff health and wellbeing are:
Article 6(1)(b) processing is necessary for the performance of a contract
We must collect or use the information so we can enter into or carry out a contract with you.
All your data protection rights may apply except the right to object.
Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine
This legal basis further includes, ‘the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional.’
Data protection rights
The lawful bases we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for.
Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
Your right to erasure – You have the right to ask us to delete your personal information.
Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
Your right to object to processing – You have the right to object to the processing of your personal data.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
If a data protection rights request is made, we must respond without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the foot of this privacy notice.
How long we keep information
For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided at the foot of this notice.
Who we share information with
Others we might share personal information with, subject to data sharing and processing agreements as required in law:
• HMRC [tax]
• Royal London [workplace pension]
• Experion [payroll administration]
Security measures
Your data is protected by an industry-standard combination of robust hardware, software, and user-specific security controls. Access is strictly restricted to authorised staff and devices only.
One Care (BNSSG) C.I.C is accredited against the NHS Data Security & Protection Toolkit [DSPT] and Cyber Essentials Plus [CE+].
Automated decision making
One Care (BNSSG) C.I.C does not employ automated decision-making tools in its corporate information technology infrastructure.
International data transfers
Where personal information relating to staff is concerned One Care (BNSSG) C.I.C only commissions digital solutions that transfer and store information in the United Kingdom and/or the European Union.
Contact details
Post
One Care (BNSSG) C.I.C,
Unit 5 Osprey Court, Hawkfield Way,
Hawkfield Business Park,
BRISTOL.
BS14 0BB
Telephone
0117 941 0900
enquiries@onecare.org.uk
Data Protection Officer
The One Care Data Protection Officer is Thomas Manning who can be contacted as per the contact details at the top of this privacy notice.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details above.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office [ICO].
One Care (BNSSG) C.I.C is registered as a data controller with the ICO.
Our ICO Registration number is ZA269799
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
This notice was last updated on 10th November 2025
▶ One Care (BNSSG) C.I.C Privacy Notice for patients
What information we collect, use, and why
Health care professionals who provide you with care are required by law to maintain records about your health and any treatment or care you have received within any NHS organisation. These records help to provide you with the best possible healthcare.
We collect or use personal information to provide patient care, services, pharmaceutical products and other goods. Information we process includes, but is not limited to:
• Details about you such as your address, gender, date of birth and NHS number;
• Any contacts you have had with healthcare services such as GP and hospital/clinic appointments and telephone/online consultations;
• Health information (including medical conditions, allergies, medical requirements and medical history);
• Information about care needs (including disabilities, home conditions, medication and dietary requirements and general care provisions);
• Treatments and care;
• Test results (including psychological evaluations, scans, bloods, x-rays, tissue tests and genetic tests).
We also collect or use special category information to provide patient care, services, pharmaceutical products and other goods. This information is subject to additional protection due to its sensitivity, for example:
• Racial or ethnic origin;
• Health information, as above.
Where we get personal information from
• Other health and care providers
• General Practice organisations
Our lawful bases for the collection and use of your data
Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.
Our lawful bases for collecting or using personal information to provide patient care, services, pharmaceutical products and other goods are:
Article 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party
We are collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.
Processing personal information under the ‘legitimate interests’ basis requires data controllers to pass and document a three-part test.
Purpose Test – A clear and unambiguous definition
Personal patient data is processed by One Care (BNSSG) C.I.C on behalf of General Practice to better understand how the population uses care and treatment services so that the health and social care system can maintain, improve and develop high quality safe care models that are as equitable and effective as resources allow.
Necessity Test – Processing personal information must be absolutely necessary to achieve the defined purpose. The information must be relevant for the purpose and limited to what is necessary to achieve it.
Data processing agreements, internal processes, controls and security measures all contribute to ensuring that ‘data minimisation’ is applied at a level that ensures compliance with the necessity test.
Balancing Test – The legitimate interest of the controller must override the interests and/or fundamental rights and freedoms of individuals. The reasonable expectations of individuals based on their relationship with the controller should also be balanced.
The reasonable expectation of patients and carers is that their information is used by their registered Practice to better understand how their patients use care and treatment services to improve services to patients, individually and collectively. Our processing of personal and special category data is necessary to achieve this purpose, and all data processing is protected by industry leading security to mitigate the risks of processing such information.
Article 9(2)(h) processing is necessary for the purposes of preventive or occupational medicine
This legal basis further includes, ‘the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law or pursuant to contract with a health professional.’
Lawful bases and data protection rights
The lawful bases we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:
Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which mean you may not receive all the information you ask for.
Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.
Your right to erasure – You have the right to ask us to delete your personal information.
Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information.
Your right to object to processing – You have the right to object to the processing of your personal data.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.
If a data protection rights request is made, we must respond without undue delay and in any event within one month.
To make a data protection rights request, please contact us using the contact details at the foot of this privacy notice.
How long we keep information
Individual Practice data is kept for as long as it remains useful within the timeframe of Practice Membership.
For more information on how long we store your personal information or the criteria we use to determine this please contact us using the details provided above.
Who we share information with
We have a joint controller relationship with Member GP Practices. We process your personal information with that joint controller for the following reason:
One Care (BNSSG) C.I.C is wholly owned by its Members and provides data analytics and processing support to General Practice Member organisations. Member data processing services are provided under a joint controllership agreement whereby One Care (BNSSG) C.I.C influences, determines and undertakes the extraction, analysis (including the selection of analytical products) and storage of healthcare information.
Others we might share personal information with, subject to data sharing and processing agreements as required in law:
• Other health providers (e.g. GPs and consultants)
• Care providers
• Local authorities or councils
External sharing of personal data is only ever undertaken under the express instruction of General Practice as data controllers in their own right.
Security measures
Your data is protected by an industry-standard combination of robust hardware, software, and user-specific security controls. Access is strictly restricted to authorised staff and devices only.
One Care (BNSSG) C.I.C is accredited against the NHS Data Security & Protection Toolkit [DSPT] and Cyber Essentials Plus [CE+].
Automated decision making
One Care (BNSSG) C.I.C does not employ automated decision-making tools in its corporate information technology infrastructure.
International data transfers
Where personal information relating to patients and healthcare activity is concerned One Care (BNSSG) C.I.C only commissions digital solutions that transfer and store information in the United Kingdom and/or the European Union.
Contact details
Post
One Care (BNSSG) C.I.C,
Unit 5 Osprey Court, Hawkfield Way,
Hawkfield Business Park,
BRISTOL.
BS14 0BB
Telephone
0117 941 0900
enquiries@onecare.org.uk
Data Protection Officer
The One Care Data Protection Officer is Thomas Manning who can be contacted as per the contact details at the top of this privacy notice.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details above.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the Information Commissioner’s Office [ICO].
One Care (BNSSG) C.I.C is registered as a data controller with the ICO.
Our ICO Registration number is ZA269799
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
This notice was last updated on 10th November 2025


