Privacy & Data Protection Policy

Policy Statement

NYS Nursing Agency LTD needs to collect personal information to effectively carry out our everyday business functions and activities and to provide the services defined by our business type. Such data is collected from office staff, candidates, suppliers and clients and includes (but is not limited to) name, address, email address, date of birth, identification numbers, private and confidential information, sensitive information, bank/card details and other financial-related documents.

In addition, we may be required to collect and use certain types of personal information to comply with the requirements of the law and/or regulations; however, we are committed to processing all personal information in accordance with the General Data Protection Regulation (GDPR), UK data protection laws and any other relevant data protection laws and codes of conduct.

NYS has developed policies, procedures, controls, and measures to ensure maximum and continued compliance with the data protection laws and principles, including staff training, procedure documents, audit measures and assessments. Ensuring and maintaining the security and confidentiality of personal and/or special category data is one of our top priorities and we are proud to operate a ‘Privacy by Design’ approach, assessing changes and their impact from the start and designing systems and processes to protect personal information at the core of our business.


The purpose of this policy is to ensure that NYS meets its legal, statutory, and regulatory requirements under the data protection laws and to ensure that all personal and special category information is processed compliantly and in the individual’s best interest.

The data protection laws include provisions that promote accountability and governance and as such NYS has put comprehensive and effective governance measures into place to meet these provisions. The aim of such measures is to ultimately minimise the risk of breaches and uphold the protection of personal data. This policy also serves as a reference document for employees and third parties on the responsibilities of handling and accessing personal data and data subject requests.

General Data Protection Regulation (GDPR):

The General Data Protection Regulation (GDPR) ((EU) 2016/679) was approved by the European Commission in April 2016 and will apply to all EU Member States from 25th May 2018. As a ‘Regulation’ rather than a ‘Directive’, its rules apply directly to Member States, replacing their existing local data protection laws and repealing and replacing Directive 95/46/EC and its Member State implementing legislation. As the Company processes personal information regarding individuals (data subjects), we are obligated under the General Data Protection Regulation (GDPR) to protect such information, and to obtain, use, process, store and destroy it only in compliance with its rules and principles.

Data Retention:

General Principle: NYS Nursing Agency Ltd will not retain personal data beyond the necessary period, deleting it when no longer needed unless required by law.

Legitimate Business Reasons: The company may retain data for longer due to legitimate business reasons, considering the likelihood of future claims.

Legal or Statutory Requirements: Compliance with legal obligations may necessitate retaining personal data for specified periods.

Contractual and Deed Claims: Contracts and deeds, along with relevant documents, may be kept for 6 or 12 years, considering potential claims.

HR Records: Retention periods for HR records will be determined based on the nature of personal data and the likelihood of future claims.

Guidelines: NYS Nursing Agency Ltd will consider advice and guidelines for retaining records, such as those related to immigration checks, PAYE records, and working time regulations.

Service User Records: Consideration of NHS guidelines or alternative policies will determine the retention of Service User personal data, potentially for at least 6 years post-service provision.

Security: Regardless of retention periods, all personal data must be kept secure, especially special categories of data.

Recordkeeping: NYS Nursing Agency Ltd must document decisions related to data retention, providing a rationale for the chosen retention periods.

Destruction Processes: The company must establish processes for the effective destruction or deletion of personal data at the end of the relevant retention period.

Data Security:

Secure Processing: NYS Nursing Agency Ltd must ensure the secure processing of personal data, protecting against unauthorized processing, loss, destruction, or damage.

Data Security and Protection Toolkit: Compliance with the Data Security and Protection Toolkit is required for health and care organizations, with specific considerations for various types of organizations.

Policies and Procedures: The company will implement policies and procedures to ensure personal data security, considering confidentiality, integrity, availability, and resilience.

Electronic and Paper Documents: Measures for securing both electronic and paper documents include password protection, encryption, restricted access, and secure transfer processes.

Business Phones and Messaging Apps: Guidelines will be implemented for the use of business phones and messaging apps, ensuring compliance with GDPR and subject access request policies.

Staff Training: Staff will be trained on the importance of keeping personal data secure and preventing unauthorized disclosures.

Security Incidents: Policies and procedures will be adopted to recognize, resolve, and report security incidents, including breaches of GDPR.

Regular Testing: Regular testing, assessment, and evaluation of security measures will be conducted.

Privacy by Design:

Privacy by Design Approach: NYS Nursing Agency Ltd will consider privacy by design requirements outlined in GDPR, identifying and addressing data protection and security issues early in projects.

Compliance: Privacy by design will be ensured by increasing awareness, updating policies, and integrating data protection into all services provided.

Privacy Impact Assessments: Privacy Impact Assessments will be conducted to identify and reduce privacy and security risks in projects or processing activities.


All new staff should be encouraged to read the policies on data protection and on confidentiality as part of their induction process. Existing staff will be offered training in the National Training Organization standards covering basic information about confidentiality, data protection and access to records. Training in the correct method for entering information in service users’ records should be given to all care staff. The nominated data user/data controller for the organization should be trained appropriately in the Data Protection Act 1998. All staff who need to use the computer system should be thoroughly trained in its use.

This summary highlights NYS Nursing Agency Ltd’s commitment to responsible data management, security, and compliance with privacy regulations.