Privacy Notice
1. Introduction
Legend Integrated Care is committed to protecting the privacy, confidentiality, and security of personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable legislation.
This Privacy Notice explains how Legend Integrated Care collects, uses, stores, and shares personal data when acting in different roles within health and social care services.
Legend Integrated Care may act as:
- Data Controller – where we determine the purposes and means of processing your personal data.
- Joint Data Controller – where we jointly determine processing purposes with another organisation.
- Data Processor – where we process personal data on behalf of another organisation, such as the NHS, local authorities, or care providers.
2. What Personal Data We Collect
a) When Acting as a Data Controller / Joint Data Controller
Legend Integrated Care processes personal data to deliver safe, effective care services and meet legal obligations. This may include:
- Personal Information: Name, date of birth, gender, address, contact details, photographs, account details, NHS number.
- Health Information: Medical history, diagnoses, treatments, prescriptions, care plans, vital statistics, and clinical notes.
- Social Care Information: Support plans, safeguarding records, social worker reports.
- Family & Emergency Contacts: Next of kin details.
- Financial Information: Billing details, funding arrangements, and payment records.
b) When Acting as a Data Processor
Where Legend Integrated Care processes personal data on behalf of another organisation, we act strictly as a Data Processor and do not determine the purposes or lawful basis for processing. In these circumstances:
- We only process personal data in accordance with clear, documented instructions provided by the relevant Data Controller (for example, the NHS, a local authority, or a commissioned care provider). We do not act outside of these instructions.
- We do not make independent decisions about how or why personal data is collected, used, or disclosed. All decisions relating to the purpose of processing and the legal basis for it remain solely with the Data Controller.
- We do not use personal data for any of our own business purposes, including analytics, profiling, marketing, or service development, unless explicitly authorised in writing by the Data Controller and permitted by law.
- We ensure that personal data is only accessed and processed by authorised personnel who require it to perform the contracted services, and all such access is subject to strict confidentiality obligations.
- We retain personal data only for as long as specified by the Data Controller’s instructions or contractual agreements. Once the retention period ends, or upon instruction from the Data Controller, we will either securely delete or safely return the data, in line with applicable data protection requirements.
- We apply appropriate technical and organisational security measures throughout the processing period to protect personal data against unauthorised access, loss, or disclosure.
3. Lawful Basis for Processing
a) As Data Controller / Joint Controller
Legend Integrated Care processes personal data under the following lawful bases, as defined by data protection law (including UK GDPR), depending on the nature of the service and the purpose of processing:
- Legal Obligation – We process personal data where it is necessary for us to comply with legal and regulatory requirements. This may include obligations related to safeguarding, statutory reporting, audit requirements, or compliance with applicable healthcare and social care legislation.
- Contractual Obligation – We process personal data where it is necessary to perform a contract with you or to take steps at your request prior to entering into a contract. This includes using your information to deliver the services you have requested, manage service delivery, communicate with you, and ensure continuity of care.
- Legitimate Interests – We may process personal data where it is necessary for the legitimate interests of Legend Integrated Care or a third party, provided those interests are not overridden by your rights and freedoms. This may include improving service quality, maintaining operational efficiency, ensuring service security, and developing or refining our services.
- Consent – In certain situations, we rely on your explicit consent to process your personal data. Where consent is used as the lawful basis, you have the right to withdraw it at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Provision of Health and Social Care – Where we process special category data, such as health or care-related information, this is carried out as necessary for the provision of health or social care services, in line with applicable data protection legislation. This allows us to deliver safe, effective, and appropriate care services to individuals.
b) As Data Processor
We rely on the lawful basis determined by the Data Controller. If you need help to locate this, please contact info@lic-care.com.
4. How We Use Personal Data
Legend Integrated Care uses personal data to:
- Deliver health and social care services.
- Maintain accurate care and service records.
- Coordinate care with healthcare professionals and organisations.
- Manage referrals and funding arrangements.
- Process recruitment and employment applications.
- Monitor service quality, feedback, and improvements.
- Meet legal and regulatory requirements.
- Investigate complaints or safeguarding concerns.
5. How We Keep Data Secure
Legend Integrated Care implements robust security measures, including:
- Strict access controls to limit data access – Access to personal data is restricted to authorised personnel only.
- Encryption of data in storage and transit – Personal data is protected using encryption technologies both when it is stored on our systems and when it is transmitted across networks. This helps ensure that data remains secure even if intercepted or accessed without authorisation.
- Regular security reviews and audits – We carry out ongoing monitoring, periodic security assessments, and internal audits to identify potential vulnerabilities and ensure our controls remain effective and compliant with relevant standards and legislation.
- Data minimisation practices – We only collect, store, and process personal data that is necessary for clearly defined purposes.
- Secure storage and system protection – Our systems are designed to protect against unauthorised access and cyber threats, using measures such as firewalls, intrusion detection, secure configuration standards, and routine patch management.
- Secure destruction and disposal of data when no longer needed – When personal data is no longer required, it is securely deleted, anonymised, or otherwise disposed of in a way that prevents recovery or misuse.
6. Sharing of Personal Data
We may share personal data where it is necessary to support safe, effective care delivery or to meet legal, regulatory, or contractual obligations. Any sharing is carried out on a strict need-to-know basis and only where a lawful basis for processing applies.
This may include sharing information with the following categories of organisations:
- Healthcare providers – such as GPs, NHS trusts, hospitals, community health services, and other clinical professionals involved in your care, to ensure continuity, coordination, and safety of treatment.
- Local authorities and social care teams – where involvement is required to assess, commission, or deliver appropriate social care services and support safeguarding responsibilities.
- Regulatory bodies and auditors – where disclosure is required for compliance, inspection, audit, safeguarding investigations, or to meet statutory obligations.
- Commissioning organisations – including integrated care systems or other bodies responsible for planning, funding, and monitoring services.
- Approved service providers – such as IT system providers, cloud hosting services, and other third-party suppliers who support the delivery and secure operation of our services.
We may also share personal data within the Legend Integrated Care group of organisations where appropriate, for purposes including:
- Supporting the efficient delivery and coordination of services across the group.
- Meeting legal, regulatory, and compliance requirements.
- Managing risk, safeguarding, and information security.
- Service improvement, reporting, and analytics (using anonymised or pseudonymised data wherever possible).
All data sharing is governed by appropriate contractual arrangements, including data sharing agreements and data processing agreements, and is subject to robust confidentiality, security, and access control measures to ensure personal data is protected at all times.
To ensure intra-group data sharing is lawful, transparent, and secure, we apply the following safeguards:
- Data Sharing Agreements (DSAs) – Formal agreements are in place between group entities setting out the purpose, scope, and legal basis for sharing data.
- Lawful Basis – Personal data is only shared where a valid legal basis under data protection law applies.
- Purpose Limitation – Data is used solely for the specified and disclosed purposes and not for any unrelated activities.
- Access Controls – Access is restricted to authorised staff on a strict role-based, need-to-know basis.
- International Transfers – Where data is transferred across borders, we ensure compliance with applicable data protection laws using appropriate safeguards, such as the International Data Transfer Agreement (IDTA).
Any third parties that process personal data on our behalf are required to comply with strict data protection standards. This includes entering into formal contractual agreements that set out their obligations under applicable data protection laws, ensuring confidentiality, implementing appropriate technical and organisational security measures, and processing data only in accordance with our documented instructions. They are also required to assist us in meeting our data protection obligations and to ensure that personal data is not used for any unauthorised purposes.
7. International Data Transfers
Where personal data is transferred outside the UK, Legend Integrated Care ensures that such transfers are carried out in full compliance with UK GDPR requirements. We only transfer personal data where it is necessary and where appropriate safeguards are in place to protect its security and privacy.
These safeguards may include:
- International Data Transfer Agreements (IDTA) – legally approved contracts used to ensure that overseas recipients protect personal data to UK GDPR standards.
- Standard Contractual Clauses (SCCs) – approved contractual terms that impose equivalent data protection obligations on the receiving organisation.
- Other lawful transfer mechanisms – where applicable, including adequacy regulations or other legally recognised safeguards under UK GDPR.
8. Data Retention
Legend Integrated Care retains personal data in line with the NHS Records Management Code of Practice and legal requirements. Retention periods vary depending on the type of data. Once no longer required, data is securely deleted or anonymised.
9. Your Rights
Under data protection law, you have a number of rights in relation to your personal data. These rights are not absolute and may apply differently depending on the legal basis for processing and the circumstances of your request.
Your rights include:
- Right of access – You can request a copy of the personal data we hold about you, along with information about how it is being used.
- Right to rectification – You have the right to request that inaccurate or incomplete personal data is corrected or updated.
- Right to erasure – In certain circumstances, you may request that your personal data is deleted, for example where it is no longer necessary for the purpose it was collected.
- Right to restriction of processing – You can request that we limit how your personal data is used in specific situations, such as while its accuracy or lawful use is being reviewed.
- Right to data portability – Where applicable, you may request that your personal data is provided to you or transferred to another organisation in a structured, commonly used, and machine-readable format.
- Right to object – You may object to the processing of your personal data in certain circumstances, including processing based on legitimate interests.
Where Legend Integrated Care is acting as a Data Processor, we do not determine how or why personal data is used. In these cases, any requests to exercise your rights should be directed to the relevant Data Controller (for example, the NHS, local authority, or commissioning organisation), and we will support them in responding where required.
10. Data Breaches
Legend Integrated Care has procedures in place to manage data breaches. In the event of a breach:
- We will investigate and contain the issue.
- We will notify the relevant organisation if acting as a processor.
- We will report to the Information Commissioner’s Office (ICO) where required.
- We will inform affected individuals where necessary.
11. Complaints
If you have concerns about how your data is handled, please contact us in the first instance.
You also have the right to complain to the Information Commissioner’s Office (ICO).
12. Contact Details
For any questions about this notice or to exercise your data protection rights, please contact us using the details provided. Your request will be directed to our Data Protection Officer (DPO), who will handle and respond to it in accordance with applicable data protection legislation.
Data Protection Officer (DPO)
Legend Integrated Care
960 Capability Green
REGUS
Luton
Bedfordshire
LU1 3PE
Email: info@lic-care.com
13. Policy Updates
Legend Integrated Care reviews this Privacy Notice regularly to ensure compliance with legal and operational changes.
We reserve the right to update this notice and will notify you of any significant changes.
