1. Introduction
Positive OT and Case Management Ltd (“we”, “us”, or “our”) is committed to protecting your
personal information and respecting your privacy. This Privacy Notice explains how we collect,
use, and protect personal data relating to our clients, employees, support workers, and
associates in accordance with the UK General Data Protection Regulation (UK GDPR) and
the Data Protection Act 2018.
We ensure that any personal data collected is handled lawfully, fairly, and transparently.

2. Data Controller and Data Protection Lead
Data Controller:
Jackie Chappel – Director & Case Manager
T: 07926 125431
E: jackie@positiveotcm.co.uk
Data Protection Lead:
For any privacy-related queries or to exercise your rights, please contact our Data Protection
Lead at jackie@positiveotcm.co.uk

3. What Data We Collect
We may collect and process the following categories of personal data depending on your
relationship with us:
Clients:
• Name, date of birth, and contact details
• Medical history, lifestyle information, and professional reports
• Solicitor and insurance details
• Employer details and property information
• Photos or videos (for therapeutic or documentation purposes)
• Names and contact details of key individuals such as family or support staff
Employees, Support Workers, and Associates:
• Contact details, date of birth, and employment history
• Qualifications, DBS checks, and professional registration details
• Payroll, pension, and tax information
• Emergency contact details and next of kin

• Performance and supervision records

4. Lawful Bases for Processing
We process personal data under the following lawful bases:
• Consent – where you have given clear consent for us to process your data for a
specific purpose.
• Contract – where processing is necessary for the performance of a contract with you
or a third party.
• Legal Obligation – where we are required by law to process certain data (e.g., clinical
records, court orders).
• Legitimate Interests – where processing is necessary for our legitimate business
interests (e.g., employee management, service delivery) and does not override your
rights.
• Vital Interests – where processing is necessary to protect someone’s life.

5. Special Category Data (Health and Sensitive Information)
As healthcare professionals, we collect and process special category data such as health
information under Article 9(2)(h) of the UK GDPR – processing necessary for the provision of
health or social care and management of health systems.

6. How We Collect Data
We collect personal data via email, telephone, post, forms, online platforms, and in-person
interactions.

7. How We Use Your Data
We use your information to:
• Communicate regarding care, treatment, or employment
• Maintain accurate professional records
• Provide case management and occupational therapy services
• Administer payroll, supervision, and compliance checks
• Share relevant data with authorised third parties such as solicitors, insurers, medical
professionals, regulatory bodies, or HMRC where necessary and lawful
We do not sell or trade your data to third parties.

8. International Data Transfers
We do not transfer your personal data outside the UK. If this changes, we will ensure
appropriate safeguards are in place in accordance with UK GDPR (such as adequacy
regulations or standard contractual clauses).

9. Data Retention
We retain personal data only for as long as necessary to fulfil the purpose it was collected for:
• Client data: 7 years for adults, and 7 years after the 18th birthday for children.
• Employee and associate data: 7 years after termination of engagement unless a longer
retention period is required by law.

10. Data Security
We use secure electronic systems, encryption, and managerial procedures to protect personal
information from unauthorised access, disclosure, alteration, or destruction.

11. Your Rights
You have the following rights under the UK GDPR:
• Access – request a copy of your data
• Rectification – correct inaccurate or incomplete data
• Erasure – request deletion of data where legally permissible
• Restriction – limit how your data is used
• Data Portability – request a copy of your data in a structured format
• Objection – object to processing under legitimate interests
• Withdraw Consent – withdraw your consent at any time where consent is the lawful
basis
Requests can be made by emailing jackie@positiveotcm.co.uk We will respond within one
month.

12. Data Breaches
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will
notify the Information Commissioner’s Office (ICO) within 72 hours and inform affected
individuals where appropriate.

13. Cookies and Website Data
If our website uses cookies or similar technologies, details will be provided in our Cookie
Policy, which explains how to manage or disable cookies in your browser.

14. Audits and Inspections
We will cooperate with all necessary audits, inspections, and requests for information from
supervisory authorities such as the ICO to ensure ongoing compliance.

15. Complaints
If you have any concerns about how we handle your data, please contact us first. If you remain
unsatisfied, you have the right to complain to:
Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
T: 0303 123 1113
W: www.ico.org.uk

Review Schedule: This Privacy Notice is reviewed annually or when significant regulatory
changes occur.