Blue Skies Case Management & Care
Privacy Notice

Blue Skies Case Management & Care

Last updated: 23 March 2026

Blue Skies Case Management & Care (“we”, “us”, “our”) is committed to protecting the privacy and security of the personal information we collect. This Privacy Notice explains how we use, store, share, and protect personal data when providing case management and care services in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 

1. Who We Are

Blue Skies Case Management & Care
Email: catrin@blueskiescm.uk
Phone: 07595226097 
Address: West View, Sandy Lane, Woolacombe, Devon, EX347AR

We act as a Data Controller when determining how and why personal information is processed. 

2. Personal Data We Collect

For Clients

  • Name (or identifying code), date of birth, contact details 

  • Medical, clinical and rehabilitation information 

  • Care plans, assessments and professional reports 

  • Safeguarding and risk information 

  • Legal case information 

  • Family or representative contact details 

For Support Workers, Staff & Contractors

  • Name and contact details 

  • Employment records and training information 

  • DBS check information 

  • Payroll data and HR documentation 

For Referrers & Professionals

  • Name, organisation and role 

  • Contact details 

  • Case‑related correspondence 

3. How We Collect Personal Data

We may collect information: 

  • Directly from you 

  • From solicitors, insurers, referrers or clinical professionals 

  • From family members or representatives 

  • From health, social care or education services 

  • Through online forms or digital communication 

4. Purposes of Processing & Lawful Bases

GDPR requires that each purpose has one clear lawful basis. Below is a complete breakdown. 

4.1 Clients

Purpose: Providing case management and care services

  • Lawful basis (Article 6): Legitimate Interests 

  • Special category basis (Article 9): Provision of health or social care 

Purpose: Preparing reports, assessments and clinical records

  • Lawful basis: Legitimate Interests 

  • Special category basis: Provision of health or social care 

Purpose: Safeguarding and risk management

  • Lawful basis: Legal Obligation 

  • Special category basis: Substantial public interest (safeguarding) 

Purpose: Supporting legal case progression (where applicable)

  • Lawful basis: Legitimate Interests 

Purpose: Communicating with professionals, funders, commissioners and family representatives

  • Lawful basis: Legitimate Interests 

4.2 Staff, Support Workers & Contractors

Purpose: Recruitment, employment checks and onboarding

  • Lawful basis: Contract / Legal Obligation 

Purpose: HR administration, payroll and supervision

  • Lawful basis: Contract / Legal Obligation 

Purpose: Training, audit and service quality monitoring

  • Lawful basis: Legitimate Interests 

5. Our Legitimate Interests

Where we rely on Article 6(1)(f), our legitimate interests include: 

  • Ensuring safe, continuous and coordinated care 

  • Clinical, safeguarding and risk management 

  • Running an efficient, compliant and safe organisation 

  • Supporting legal case progression 

  • Allocating staff and managing rotas 

  • Facilitating essential communication within care teams 

  • Maintaining accurate records and service quality 

We always balance these interests against your rights and freedoms. 

6. Communication Tools (WhatsApp, Messaging Apps and Social Media)

To support efficient day‑to‑day coordination within care teams, we may use secure group messaging platforms such as WhatsApp. When doing so: 

  • Only the minimum‑necessary information is shared 

  • Staff use non‑identifying formats, such as initials or role‑based references (e.g., “Client J”) 

  • Full client names are not used 

  • Sensitive documents, reports or clinical records are not shared via messaging apps 

  • Chats are restricted to authorised team members only 

  • Staff must have secure devices with passcodes 

  • All communication must follow our confidentiality and data protection policies 

We do not use social media for any client‑related communication. 

7. Systems We Use to Store and Manage Data

We store personal data in secure, GDPR‑compliant systems: 

  • Qunote – case management records and reports 

  • Roundsys – care planning, rotas and support worker notes 

  • SharePoint – secure document storage and internal communication 

  • Avensure – HR and employment‑related documentation 

Roundsys is used only on authorised tablets located at the client’s property. It must not be used on personal devices. 

8. Who We Share Data With

We may share data with: 

  • Solicitors, insurers or case funders 

  • NHS and private healthcare professionals 

  • Social care teams and external professionals 

  • Support workers and authorised care staff 

  • Payroll, HR and compliance services 

  • Emergency services (when required) 

  • Regulatory bodies (e.g., ICO or CQC), when legally required 

We never sell personal data. 

9. International Transfers

We store data within the UK wherever possible. If any data is transferred outside the UK, we use appropriate safeguards such as Standard Contractual Clauses or recognised adequacy decisions. 

10. Automated Decision‑Making and Profiling

In accordance with GDPR Article 22, we confirm: 
We do not use automated decision‑making or profiling. All decisions relating to your care, support or employment are made by qualified professionals. 

11. How We Keep Your Data Secure

Our security measures include: 

  • Encryption and access controls 

  • Password and multi‑factor authentication 

  • Staff training and confidentiality obligations 

  • Regular audits and monitoring 

  • Secure retention and disposal processes 

Access is limited to individuals who need it to fulfil their role. 

12. Data Retention

We retain personal data only for as long as necessary: 

  • Client records: 7 years after services end 

  • Children’s records: until the client turns 25 (or 26 if treated after age 18) 

  • HR and employment records: in line with statutory requirements 

13. Your Rights Under UK GDPR

You have the right to: 

  • Access your personal data 

  • Request correction 

  • Request deletion (where appropriate) 

  • Restrict or object to processing 

  • Request data portability 

  • Withdraw consent (where consent is the basis) 

  • Complain to the ICO: www.ico.org.uk

Identity Verification

Before processing any rights‑based request, we may need to verify your identity. 

We may request: 

  • Your name and contact details 

  • A form of ID (e.g., passport or driving licence) 

  • Proof of address (if relevant) 

We only request what is necessary. Copies of ID are deleted immediately after verification. A simple verification note (e.g., “ID confirmed”) may be kept for up to 12 months for audit compliance. 

14. How to Contact Us

Data Protection Lead
Blue Skies Case Management & Care Name: Catrin May Email: catrin@blueskiescm.uk Phone: 07595226097 

 After discussing with our data protection lead and you still wish to complain about how we have dealt with your request, please contact: 

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF 
https://ico.org.uk/global/contact-us/