Purpose

The purpose of this policy is to:

• Ensure that Merseycare Julie Ann (MCJA) follows the guidance of the Information Commissioners Office (ICO) in regard cookies and how the organisation uses them on its website.
• Inform users of its website regarding the use of cookies on the website.

This policy is a standalone document and is intended to form part of a layered Privacy Policy.

To support MCJA in meeting the following Key Lines of Enquiry:

To meet the legal requirements of the regulated activities that MCJA is registered to provide:

• The Privacy and Electronic Communications (EC Directive) Regulations 2003
• General Data Protection Regulation 2016
• Data Protection Act 2018

Scope

The scope of this policy may affect individuals and/or stakeholders directly or indirectly, both internally and external to MCJA, and may include:

• All staff
• Customers their carers, and family
• Advocates and/or Representatives
• Commissioners and/or Local Authorities
• External health professionals
• NHS

Objectives

The objectives of this policy are to:

• Provide assurance that MCJA has a Privacy Policy in place for users of its website that is GDPR
• Ensure MCJA has established ways of working in terms of the use, storage, retention, and security of personal data and will ensure that all Data Subjects, including Customer, understand the ways in which personal data, collected by the organisation via its website, is processed.

Policy

MCJA understands that as it operates a website, it needs to have in place an up-to-date Privacy Policy to ensure that it is compliant with GDPR. Furthermore, the organisation understands that as it collects personal data from the website, which includes online recruitment applications the privacy policy must be uploaded onto the website in order to make it accessible to users so that they are fully informed as to how we use cookies in data collection.

To inform all other Data Subjects we will use the organisations Fair Processing Notice. The use of this notice informs our Customers and other Data Subjects about how we will process personal data other than personal data collected via the MCJA website.

GDPR has changed the way cookies should be incorporated into websites which means that we must explain to individuals using our website what cookies will be set and what the cookies will do to the users of our website. MCJA understand that it needs to obtain consent from individuals to store certain cookies on devices. Cookies that are not strictly necessary need consent, which is GDPR compliant, which means that we can no longer rely on implied consent. MCJA will use a cookie banner on the organisations website to obtain consent to the use of cookies in line with this policy and that if no consent is obtained, no cookies will be set.

MCJA will, therefore, update its processes for collecting consent for cookies. In practice, this means:

• Users must take a clear and positive action to consent to non-essential
• All MCJA websites and apps will clearly tell users what cookies will be set and what they do, including any third-party
• Pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, will not be used for non- essential
• The user will have control over any non-essential
• Non-essential cookies will not be set on landing pages before MCJA gains the user’s consent.

Consent is not required for cookies that are defined as “strictly necessary” or that fall within the communication exemption. “Strictly necessary” cookies are those that are essential to providing the service requested by the user. Such cookies will be essential to fulfil their request. Those that are simply helpful or convenient, but not essential, or that are essential for the purposes of MCJA, will still require consent. The communication exemption is about the transmission of a communication over an electronic communications network. For the exemption to apply, the transmission of the communication must be impossible without the use of the cookie. Simply using a cookie to assist the communication is insufficient for the exemption to apply.

MCJA notes, in particular, that cookies used for analytical purposes or those used for marketing and advertising will always need consent as they are considered to be non-essential. Furthermore, MCJA understands that this guidance may change as the latest draft legislation is subject to some challenges on this point.

MCJA will refer to the ICO’s cookie guidance  https://ico.org.uk/for- organisations/guide-to-pecr/cookies-and-similar-technologies/ to keep up to date on the types of cookies that require consent and changes that may arise.

Procedure

MCJA has considered how it will collect personal data via its website (for example, via enquiry forms, requests to be sent, newsletters, requests for provision of services) and recognises that where data is collected via the website the organisations Privacy Policy should be applied.

MCJA acknowledges, that the use of cookies constitutes processing of personal data via the website and will ensure that the Privacy Policy is reviewed to ensure that it is compliant.

MCJA will review and upload the Privacy Policy on to the website to ensure that all aspects of the Privacy Policy are relevant and reflect the ways in which the organisation processes personal data collected via its website.

Should MCJA have any concerns or queries in relation to the Privacy Statement, we will seek legal advice to ensure that the policy is compliant.

MCJA has in place a Fair Processing Notice to inform all other Data Subjects, including Customers, about how the organisation processes personal data other than personal data collected via the website.

Jack Gardiner
MCJA Operations Director