All Our Policies

Last updated: 17 January 2021

TERMS OF SERVICE

Please read these Terms of Service carefully before using the www.rancehealthcareservices.co.uk website (the “Service”) operated by Rance Healthcare Services (“us”, “we”, or “our”).
Your access to and use of the Service is conditioned on your acceptance of and compliance with these Terms. These Terms apply to all visitors, users and others who access or use the Service.
By accessing or using the Service you agree to be bound by these Terms. If you disagree with any part of the terms then you may not access the Service. This Terms of Service agreement for Rance Healthcare services is managed by Terms Feed Terms and Conditions.

ACCOUNTS
When you create an account with us, you must provide us information that is accurate, complete, and current at all times. Failure to do so constitutes a breach of the Terms, which may result in immediate termination of your account on our Service.
You are responsible for safeguarding the password that you use to access the Service and for any activities or actions under your password, whether your password is with our Service or a third-party service.
You agree not to disclose your password to any third party. You must notify us immediately upon becoming aware of any breach of security or unauthorised use of your account.

LINKS TO OTHER WEB SITES
Our Service may contain links to third-party web sites or services that are not owned or controlled by Rance Healthcare Services.
Rance Healthcare Services has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that Rance Healthcare Services shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods or services available on or through any such web sites or services.
We strongly advise you to read the terms and conditions and privacy policies of any third-party web sites or services that you visit.

TERMINATION
We may terminate or suspend access to our Service immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the Terms.
All provisions of the Terms which by their nature should survive termination shall survive termination, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.
We may terminate or suspend your account immediately, without prior notice or liability, for any reason whatsoever, including without limitation if you breach the Terms.
Upon termination, your right to use the Service will immediately cease. If you wish to terminate your account, you may simply discontinue using the Service.

GOVERNING LAW
These Terms shall be governed and construed in accordance with the laws of the United Kingdom, without regard to its conflict of law provisions.
Our failure to enforce any right or provision of these Terms will not be considered a waiver of those rights. If any provision of these Terms is held to be invalid or unenforceable by a court, the remaining provisions of these Terms will remain in effect. These Terms constitute the entire agreement between us regarding our Service, and supersede and replace any prior agreements we might have between us regarding the Service.

CHANGES
We reserve the right, at our sole discretion, to modify or replace these Terms at any time. If a revision is material we will try to provide at least 30 days' notice prior to any new terms taking effect. What constitutes a material change will be determined at our sole discretion.
By continuing to access or use our Service after those revisions become effective, you agree to be bound by the revised terms. If you do not agree to the new terms, please stop using the Service.

CONTACT US
If you have any questions about these Terms, please contact us.

Blogging Terms of Use

BACKGROUND:
These Terms and Conditions, together with any and all other documents referred to herein, set out the terms of use under which you may use this website, rancehealthcareservices.co.uk (“Our Site”). Please read these Terms and Conditions carefully and ensure that you understand them. [Your agreement to comply with and be bound by these Terms and Conditions is deemed to occur upon your first use of Our Site] AND/OR [You will be required to read and accept these Terms and Conditions when signing up for an Account]. If you do not agree to comply with and be bound by these Terms and Conditions, you must stop using Our Site immediately.

1. Definitions and Interpretation
1.1 In these Terms and Conditions, unless the context otherwise requires, the following expressions have the following meanings:
“Account” means an account required for a User to access certain areas of Our Site, as detailed in Clause 4;
“Blog” means a blog hosted on Our Site, created by a User, containing Post(s) submitted by that User;
“Comment” means a comment on a Blog or Post on Our Site made by a User;
“Content” means any and all text, images, audio, video, scripts, code, software, databases and any other form of information capable of being stored on a computer that appears on, or forms part of, Our Site;
“Post” means a post created by a User in a Blog on Our Site;
“User” means a user of Our Site; and
“We/Us/Our” means Rance Healthcare Services Ltd [, a company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.

2. Information About Us
2.1 Our Site, www.rancehealthcareservices.co.uk, is [owned and] operated by Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR. [Our VAT number is <<insert VAT number>>.]
2.2 [We are regulated by CQC.]
2.3 [We are a member of <<insert name(s) of association(s) etc.>>.]
2.4 [<<insert further information as required>>.]

3. Access to Our Site
3.1 Access to Our Site is free of charge.
3.2 It is your responsibility to make any and all arrangements necessary in order to access Our Site.
3.3 Access to Our Site is provided “as is” and on an “as available” basis. We may alter, suspend or discontinue Our Site (or any part of it) at any time and without notice. We will not be liable to you in any way if Our Site (or any part of it) is unavailable at any time and for any period.

4. Accounts
4.1 Certain parts of Our Site (including the ability to create Blogs and Posts) may require an Account in order to access them.
4.2 You may not create an Account if you are under 18 years of age. [If you are under 18 years of age and wish to use the parts of Our Site that require an Account, your parent or guardian should create the Account for you and you must only use the Account with their supervision.]
4.3 When creating an Account, the information you provide must be accurate and complete. If any of your information changes at a later date, it is your responsibility to ensure that your Account is kept up-to-date.
4.4 We [require] OR [recommend] that you choose a strong password for your Account, consisting of “a combination of lowercase and uppercase letters, numbers, and symbols”. It is your responsibility to keep your password safe. [You must not share your Account with anyone else.] If you believe your Account is being used without your permission, please contact Us immediately at email. We will not be liable for any unauthorised use of your Account.
4.5 You must not use anyone else’s Account [without the express permission of the User to whom the Account belongs].
4.6 Any personal information provided in your Account will be collected, used, and held in accordance with your rights and Our obligations under the law, as set out in Clause 16.
4.7 If you wish to close your Account, you may do so at any time. Closing your Account will result in the removal of your information. Closing your Account will also remove access to any areas of Our Site requiring an Account for access.
4.8 If you close your Account, any Blogs or Posts you have created on Our Site will be deleted. Any Comments you have made on other Users’ Blogs or Posts will [also be deleted] OR [be anonymised by “removing your username and avatar”].

5. Intellectual Property Rights
5.1 With the exception of the content of Blogs and Posts (see Clause 6), all Content on Our Site and the copyright and other intellectual property rights subsisting in that Content, unless specifically labelled otherwise, belongs to or has been licensed by Us. All Content (including the content of Blogs and Posts) is protected by applicable United Kingdom and international intellectual property laws and treaties.
5.2 Subject to the licence granted to Us under sub-Clause 6.4, Users retain the ownership of copyright and other intellectual property rights subsisting in the content of their Blogs, Posts and Comments (unless any part of that content is owned by a third party who has given their express permission for their material to be used).
5.3 For personal use (including research and private study) only, you may:
5.3.1 Access, view and use Our Site in a web browser (including any web browsing capability built into other types of software or app);
5.3.2 Download Our Site (or any part of it) for caching;
5.3.3 Print [one copy of any] page[s] from Our Site;
5.3.4 Download, copy, clip, print, or otherwise save extracts from pages on Our Site;
5.3.5 Save pages from Our Site for later and/or offline viewing; and
5.3.6 View and use other Users’ Blogs, Posts and Comments in accordance with Clause 7.
5.4 You may not use any Content (including Blogs, Posts and Comments) downloaded, copied, clipped, printed or otherwise saved from Our Site for commercial purposes without first obtaining a licence to do so from Us, our licensors, or from the relevant User, as appropriate. [This does not prohibit the normal access, viewing and use of Our Site for general information purposes whether by business users or consumers].
5.5 You may not systematically copy Content from Our Site with a view to creating or compiling any form of comprehensive collection, compilation, directory, or database unless given Our express permission to do so.
5.6 Subject to sub-Clause[s] 5.3 [and 5.7] and Clause 7 (governing Blogs, Posts and Comments) you may not otherwise reproduce, copy, distribute, sell, rent, sub-licence, store, or in any other manner re-use Content or any other material from Our Site unless given express written permission to do so. For further information, please contact Us at email.
5.7 Our status as the owner and author of the content on Our Site (or that of identified licensors or Users, as appropriate) must always be acknowledged.
5.8 [Nothing in these Terms and Conditions limits or excludes the fair dealing provisions of Chapter III of the Copyright, Designs and Patents Act 1988 ‘Acts Permitted in Relation to Copyright Works’, covering, in particular, the making of temporary copies; research and private study; the making of copies for text and data analysis for non-commercial research; criticism, review, quotation and news reporting; caricature, parody or pastiche; and the incidental inclusion of copyright material.]

6. Blogs, Posts and Comments
6.1 An Account is required if you wish to create a Blog, submit Posts, and/or Comment on other Users’ Blogs and Posts. Please refer to Clause 4 for more information.
6.2 You agree that you will be solely responsible for your Blog(s) and Posts and for any Comments you make anywhere on Our Site. Specifically, you agree, represent and warrant that you have the right to use the content that you submit and that your Blog(s), Posts, or Comments comply with Our Acceptable Usage Policy, detailed below in Clause 8.
6.3 You agree that you will be liable to Us and will, to the fullest extent permissible by law, indemnify Us for any breach of the warranties given by you under sub-Clause 6.2. You will be responsible for any loss or damage suffered by Us as a result of such breach.
6.4 You (or your licensors, as appropriate) retain ownership of the content of your Blog(s), Posts and Comments, and all intellectual property rights subsisting therein. When you create a Blog, Post, or Comment you grant Us an unconditional, non-exclusive, fully transferable, royalty-free, perpetual, [irrevocable,] worldwide licence to use, store, archive, syndicate, publish, transmit, adapt, edit, reproduce, distribute, prepare derivative works from, display, perform and sub-licence the content of your Blog, Post or Comment for the purposes of operating or promoting Our Site.
6.5 If you wish to remove a Blog or Post, you may do so via My Dashboard. The Blog or Post in question will be deleted from Our Site [, however, due to the functionality of Our Site, any reblogs, quotes of your content will remain]. [Removing a Blog or Post also revokes the licence granted to Us to use that Blog or Post under sub-Clause 6.4.] Please note that caching or references to your Blog or Post may not be made immediately unavailable (or may not be made unavailable at all where they are outside of Our reasonable control).
6.6 If you wish to remove a comment, you may do so via My Dashboard. The Comment in question will be [deleted] OR [anonymised by “removing your username and avatar”]. [Removing a Comment also revokes the licence granted to Us to use that Comment under sub-Clause 6.4.] Please note, however, that caching or references to your Comment may not be made immediately unavailable (or may not be made unavailable at all where they are outside of Our reasonable control).
6.7 We may reject, reclassify, or remove any Blogs, Posts or Comments from Our Site where their content, in Our sole opinion, violates Our Acceptable Usage Policy, or if We receive a complaint from a third party and determine that the Blog, Post or Comment in question should be removed as a result.

7. Intellectual Property Rights and Use of Other Users’ Blogs, Posts and Comments
7.1 The content of Blogs, Posts, and Comments on Our Site and the copyright and other intellectual property rights subsisting therein, unless specifically labelled otherwise, belongs to or has been licensed by the User identified along with the Blog, Post, or Comment in question. All such content is protected by applicable United Kingdom and international intellectual property laws and treaties.
7.2 You may copy and share (reblog) [parts of] other Users’ [Posts] AND/OR [Comments] within Our Site, provided that the original User is credited. [Our system does this automatically]. [If you wish to re-use another User’s content in any other way, you must contact the User directly and obtain their express permission to do so.]
7.3 [Nothing in these Terms and Conditions limits or excludes the fair dealing provisions of Chapter III of the Copyright, Designs and Patents Act 1988 ‘Acts Permitted in Relation to Copyright Works’, covering, in particular, the making of temporary copies; research and private study; the making of copies for text and data analysis for non-commercial research; criticism, review, quotation and news reporting; caricature, parody or pastiche; and the incidental inclusion of copyright material.]

8. Acceptable Usage Policy
8.1 You may only use Our Site (including, but not limited to, the creation of Blogs, Posts, and Comments) in a manner that is lawful and that complies with the provisions of this Clause 8. Specifically:
8.1.1 you must ensure that you comply fully with any and all applicable local, national and international laws and/or regulations;
8.1.2 you must not use Our Site in any way, or for any purpose, that is unlawful or fraudulent;
8.1.3 you must not use Our Site to knowingly send, upload, or in any other way transmit data that contains any form of virus or other malware, or any other code designed to adversely affect computer hardware, software, or data of any kind; and
8.1.4 you must not use Our Site in any way, or for any purpose, that is intended to harm any person or persons in any way.
8.2 When creating Blogs, Posts, or Comments (or communicating in any other way using Our Site), you must not post, communicate, or otherwise do anything that:
8.2.1 [is sexually explicit;]
8.2.2 is obscene, deliberately offensive, hateful or otherwise inflammatory;
8.2.3 promotes violence;
8.2.4 promotes or assists in any form of unlawful activity;
8.2.5 discriminates against, or is in any way defamatory of, any person, group or class of persons, race, sex, religion, nationality, disability, sexual orientation or age;
8.2.6 is intended or otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
8.2.7 is calculated or is otherwise likely to deceive;
8.2.8 is intended or otherwise likely to infringe (or threaten to infringe) another person’s right to privacy or otherwise uses their personal data in a way that you do not have a right to;
8.2.9 misleadingly impersonates any person or otherwise misrepresents your identity or affiliation in a way that is calculated to deceive (obvious parodies are not included within this definition provided that they do not fall within any of the other provisions of this sub-Clause 8.2);
8.2.10 implies any form of affiliation with Us where none exists;
8.2.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, patents, trademarks and database rights) of any other party; or
8.2.12 is in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
8.3 We reserve the right to suspend or terminate your Account and/or your access to Our Site if you materially breach the provisions of this Clause 8 or any of the other provisions of these Terms and Conditions. Specifically, We may take one or more of the following actions:
8.3.1 suspend, whether temporarily or permanently, your Account and/or your right to access Our Site;
8.3.2 remove any content submitted by you that violates this Acceptable Usage Policy;
8.3.3 issue you with a written warning;
8.3.4 take legal proceedings against you for reimbursement of any and all relevant costs on an indemnity basis resulting from your breach;
8.3.5 take further legal action against you as appropriate;
8.3.6 disclose such information to law enforcement authorities as required or as We deem reasonably necessary; and/or
8.3.7 any other actions that We deem reasonably appropriate (and lawful).
8.4 We hereby exclude any and all liability arising out of any actions (including, but not limited to those set out above) that We may take in response to breaches of these Terms and Conditions.

9. Links to Our Site
9.1 You may link to Our Site provided that:
9.1.1 you do so in a fair and legal manner;
9.1.2 you do not do so in a manner that suggests any form of association, endorsement or approval on Our part where none exists;
9.1.3 you do not use any logos or trademarks displayed on Our Site without Our express written permission; and
9.1.4 you do not do so in a way that is calculated to damage Our reputation or to take unfair advantage of it.
9.2 [You may link to any page of Our Site.] OR [You may not link to any page other than the homepage of Our Site, https://rancehealthcareservices.co.uk/. Deep-linking to other pages requires Our express written permission.]
9.3 [Framing or embedding of Our Site on other websites is not permitted without Our express written permission. Please contact Us via email for further information.]
9.4 You may not link to Our Site from any other site the content of which contains material that:
9.4.1 [is sexually explicit;]
9.4.2 is obscene, deliberately offensive, hateful, or otherwise inflammatory;
9.4.3 promotes violence;
9.4.4 promotes or assists in any form of unlawful activity;
9.4.5 discriminates against, or is in any way defamatory of, any person, group or class of persons, race, sex, religion, nationality, disability, sexual orientation, or age;
9.4.6 is intended or is otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
9.4.7 is calculated or is otherwise likely to deceive another person;
9.4.8 is intended or is otherwise likely to infringe (or to threaten to infringe) another person’s privacy;
9.4.9 misleadingly impersonates any person or otherwise misrepresents the identity or affiliation of a particular person in a way that is calculated to deceive (obvious parodies are not included in this definition provided that they do not fall within any of the other provisions of this sub-Clause 9.4);
9.4.10 implies any form of affiliation with Us where none exists;
9.4.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, trademarks and database rights) of any other party; or
9.4.12 is made in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
9.5 [The content restrictions in sub-Clause 9.4 do not apply to content submitted to sites by other users provided that the primary purpose of the site accords with the provisions of sub-Clause 9.4. You are not, for example, prohibited from posting links on general-purpose social networking sites merely because another user may post such content. You are, however, prohibited from posting links on websites which focus on or encourage the submission of such content from users.]

10. Links to Other Sites
Links to other sites may be included on Our Site. Unless expressly stated, these sites are not under Our control. We neither assume nor accept responsibility or liability for the content of third party sites. The inclusion of a link to another site on Our Site is for information only and does not imply any endorsement of the sites themselves or of those in control of them.

11. Advertising
11.1 We may feature advertising on Our Site and We reserve the right to display advertising on your Blog.
11.2 You agree that you will not attempt to remove or hide any advertising using HTML/CSS or by any other method.
11.3 We are not responsible for the content of any advertising on Our Site. [Rance Healthcare Services Ltd is responsible for the content of advertising material] OR [Each advertiser is responsible for the content of their own advertising material]. We will not be responsible for any advertising on Our Site including, but not limited to, any errors, inaccuracies, or omissions.

12. Disclaimers and Legal Rights
12.1 Nothing on Our Site constitutes advice on which you should rely. It is provided for general information purposes only. [Professional or specialist advice should always be sought before taking any action relating to using this auction website.]
12.2 Insofar as is permitted by law, We make no representation, warranty, or guarantee that Our Site will meet your requirements, that it will not infringe the rights of third parties, that it will be compatible with all software and hardware, or that it will be secure.
12.3 If, as a result of Our failure to exercise reasonable care and skill, any digital content from Our Site damages your device or other digital content belonging to you, as a consumer you may be entitled to certain legal remedies. For more details concerning your rights and remedies as a consumer, please contact your local Citizens Advice Bureau or Trading Standards Office.
12.4 We make reasonable efforts to ensure that Our Content on Our Site is complete, accurate, and up-to-date. We do not, however, make any representations, warranties, or guarantees (whether express or implied) that the Content is complete, accurate, or up-to-date.
12.5 We are not responsible for the content or accuracy, or for any opinions, views, or values expressed in any Blogs, Posts, or Comments submitted by Users. Any such opinions, views, or values are those of the relevant User, and do not reflect Our opinions, views, or values in any way.

13. Our Liability
13.1 To the fullest extent permissible by law, We accept no liability to any User for any loss or damage, whether foreseeable or otherwise, in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising out of or in connection with the use of (or inability to use) Our Site or the use of or reliance upon any Content (whether that Content is provided by Us or contained in Blogs, Posts, or Comments created by Users) included on Our Site.
13.2 To the fullest extent permissible by law, We exclude all representations, warranties, and guarantees (whether express or implied) that may apply to Our Site or any Content (including Blogs, Posts, or Comments created by Users) included on Our Site.
13.3 [Our Site is intended for non-commercial use only.] If you are a business user, We accept no liability for loss of profits, sales, business or revenue; loss of business opportunity, goodwill or reputation; loss of anticipated savings; business interruption; or for any indirect or consequential loss or damage.
13.4 We exercise all reasonable skill and care to ensure that Our Site is free from viruses and other malware, however, subject to sub-Clause 12.3, We accept no liability for any loss or damage resulting from a virus or other malware, a distributed denial of service attack, or other harmful material or event that may adversely affect your hardware, software, data or other material that occurs as a result of your use of Our Site (including the downloading of any content (including any provided in Blogs, Posts, or Comments) from it) or any other site referred to on Our Site.
13.5 We neither assume nor accept responsibility or liability arising out of any disruption or non-availability of Our Site resulting from external causes including, but not limited to, ISP equipment failure, host equipment failure, communications network failure, natural events, acts of war, or legal restrictions and censorship.
13.6 Nothing in these Terms and Conditions excludes or restricts Our liability for fraud or fraudulent misrepresentation, for death or personal injury resulting from negligence, or for any other forms of liability which cannot be excluded or restricted by law. For full details of consumers’ legal rights, including those relating to digital content, please contact your local Citizens’ Advice Bureau or Trading Standards Office.

14. Viruses, Malware and Security
14.1 We exercise all reasonable skill and care to ensure that Our Site is secure and free from viruses and other malware [including, but not limited to, the scanning of all Content uploaded to Our Site by Users for viruses and malware].
14.2 You are responsible for protecting your hardware, software, data and other material from viruses, malware, and other internet security risks.
14.3 You must not deliberately introduce viruses or other malware, or any other material which is malicious or technologically harmful either to or via Our Site.
14.4 You must not attempt to gain unauthorised access to any part of Our Site, the server on which Our Site is stored, or any other server, computer, or database connected to Our Site.
14.5 You must not attack Our Site by means of a denial of service attack, a distributed denial of service attack, or by any other means.
14.6 By breaching the provisions of sub-Clauses 14.3 to 14.5 you may be committing a criminal offence under the Computer Misuse Act 1990. Any and all such breaches will be reported to the relevant law enforcement authorities and We will cooperate fully with those authorities by disclosing your identity to them. Your right to use Our Site will cease immediately in the event of such a breach and, where applicable, your Account will be suspended and/or deleted.

15. Privacy and Cookies
15.1 All personal information that We may use will be collected, processed and held in accordance with the provisions of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and your rights under the GDPR.
15.2 For complete details of Our collection, processing, storage, and retention of personal data including, but not limited to, the purpose(s) for which personal data is used, the legal basis or bases for using it, details of your rights and how to exercise them, and personal data sharing (where applicable), please refer to Our Privacy Policy [and Cookie Policy].

16. Communications from Us
16.1 If you have an Account, We may from time to time send you important notices by email. Such notices may relate to matters including, but not limited to, service changes, changes to these Terms and Conditions, and changes to your Account.
16.2 We will never send you marketing emails of any kind without your express consent. If you do give such consent, you may opt out at any time. Any and all marketing emails sent by Us include an unsubscribe link. [Email marketing options can also be changed in your Account preferences.] If you opt out of receiving emails from Us at any time, it may take up to 3 business days for your new preferences to take effect.
16.3 For questions or complaints about communications from Us (including, but not limited to marketing emails), please contact Us via email.

17. Changes to these Terms and Conditions
17.1 We may alter these Terms and Conditions at any time. [If We do so, details of the changes will be highlighted at the top of this page.] Any such changes will become binding on you upon your first use of Our Site after the changes have been implemented. You are therefore advised to check this page from time to time.
17.2 In the event of any conflict between the current version of these Terms and Conditions and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.

18. Contacting Us
To contact Us, please email Us or use any of the methods provided on Our Contact Us page.

19. Law and Jurisdiction
19.1 These Terms and Conditions, and the relationship between you and Us (whether contractual or otherwise) shall be governed by, and construed in accordance with the law of [England & Wales] [Northern Ireland] [Scotland].
19.2 If you are a consumer, you will benefit from any mandatory provisions of the law in your country of residence. Nothing in Sub-Clause 19.1 above takes away or reduces your rights as a consumer to rely on those provisions.
19.3 If you are a consumer, any dispute, controversy, proceedings or claim between you and Us relating to these Terms and Conditions, or the relationship between you and Us (whether contractual or otherwise) shall be subject to the jurisdiction of the courts of England, Wales, Scotland, or Northern Ireland, as determined by your residency.
19.4 If you are a business, any disputes concerning these Terms and Conditions, the relationship between you and Us, or any matters arising therefrom or associated therewith (whether contractual or otherwise) shall be subject to the [non] exclusive jurisdiction of the courts of [England & Wales] [Northern Ireland] [Scotland].

GDPR Data Subject Rights Policy

BACKGROUND:
Rance Healthcare Services understands that your privacy is important to you and that you care about how your personal data is used. [We] OR [I] respect and value the privacy of all of [our] OR [my] auction users and will only collect and use personal data in a lawful and transparent manner, as set out in [our] OR [my] [Privacy Policy] OR [Privacy Notice], available from the Privacy Policy Link.
As a ‘data subject,’ you have a number of rights under the law with respect to [our] OR [my] use of your personal data. This policy explains those rights and how to exercise them.

1. Information About [Us] OR [Me]
Rance Healthcare Services Ltd.
limited company, [registered in England under company number 12154188].
[Registered address: 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.] [Main trading address:] OR [Address:] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.
[VAT number: <<insert VAT number>>.] [Data Protection Officer: Edwin Rance.
Email address: edwin@rancehealthcareservices.co.uk.
Telephone number: 01902 973451.
Postal address: 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.] [Representative: Edwin Rance.
Email address: edwin@rancehealthcareservices.co.uk.
Telephone number: 01902 973451.
Postal address: 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.] [We are regulated by CQC.] [We are members of Skills for Care.] [ISO 9001:2015 – Certificate number: 431662023]

2. What Does This Policy Cover?
Under data protection law in the UK, including key legislation such as EU Regulation 2016/679 General Data Protection Regulation (the “GDPR”) and the Data Protection Act 2018 (collectively, “the Data Protection Legislation”), individuals have important rights designed to protect them and their personal data.
This Policy sets out those rights, explains them in clear terms, and provides guidelines on how to exercise them.

3. What Is Personal Data?
Personal data is defined by the Data Protection Legislation as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.
In simpler terms, personal data is any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers. The personal data that [we] use is set out in [our]  [Privacy Policy] OR [Privacy Notice].

4. What Are My Rights? (Summary)
The GDPR sets out your key rights as a ‘data subject’ as follows:
a) The right to be informed;
b) The right of access;
c) The right to rectification;
d) The right to erasure;
e) The right to restrict processing;
f) The right to data portability;
g) The right to object;
h) Rights in relation to automated decision-making and profiling.
The following sections of this Policy explain each right in more detail. If you have any questions about any of your rights under the Data Protection Legislation or require more detailed information, please contact [[our] Data Protection Officer at <<84 Salop Street, Wolverhampton, WV3 0SR>>,] the Information Commissioner’s Office[,] or your local Citizens Advice Bureau.

5. The Right to Be Informed
You have the right to be informed about [our] collection and use of your personal data. The information [we]  provide must include details of the purpose or purposes for which your data is used, how long [we]  keep it, and who (if anyone) it will be shared with.
This important privacy information is provided in [our] [Privacy Policy] OR [Privacy Notice]. Additional information about your rights is also provided here, in this Policy.
If [we] collect data directly from you, this privacy information will be provided at the time it is collected. “We will ask you to read our Privacy Policy and indicate that you have read it and accepted it when visiting our website.”
If [we] collect data about you from a third party, this privacy information will be provided to you as soon as possible and in any event, no later than one month after [we] have obtained that data.

6. The Right of Access
This right, also known as ‘subject access’ gives you the right to obtain a copy of any personal data that [we] hold about you as well as other supporting information.
This right is designed to help you understand how and why [we]  use your data, and to check that [we are]  using it lawfully.
You can exercise this right by making a ‘subject access request’. A subject access request can be made orally or in writing and although the more detail you can provide, the easier it will be for [us] to respond quickly, there is no prescribed format for such requests. [A Subject Access Request Form is available email for you to use when making a request.] [You can also find out about and access your personal data held by [us]  by “logging into your account on our website and selecting ‘access my personal data’.”] [We are]  required by law to respond to a subject access request within one calendar month of receipt. In certain limited cases, for example, where a request is ‘manifestly unfounded or excessive’ or because [we are]  waiting for proof of identity from you, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for a subject access request. For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our]  costs.

7. The Right to Rectification
Under the Data Protection Legislation, you have the right to have inaccurate personal data corrected, or incomplete personal data completed.
As a ‘data controller’ [we are]  required to take all reasonable steps to ensure that personal data [we] hold is accurate and, where necessary, kept up-to-date. Your right to rectification is closely tied to this obligation.
You can exercise this right by contacting [us] and asking for your data to be rectified if you believe it is incorrect, out-of-date, or incomplete. Requests for rectification can be made orally or in writing. [You can also update your personal data held by [us] by “logging into your account on our website and selecting ‘change my details’.”] [We are] required by law to respond to a request for your personal data to be rectified within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for having your personal data rectified. For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our] costs. Alternatively, in some limited circumstances, [we] may be permitted to refuse your request.

8. The Right to Erasure
This right is also known as the ‘right to be forgotten’ and gives you the right to have your personal data deleted (or ‘otherwise disposed of’ if, for example, it is kept in paper records rather than electronically).
You can exercise this right by contacting [us] and asking for your data to be erased. Requests for erasure can be made orally or in writing. [You can also erase your personal data held by [us] by “logging into your account on our website and selecting ‘delete my account’.”] [We are] required by law to respond to a request for your personal data to be erased within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for having your personal data erased. For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our] costs. Alternatively, in some limited circumstances, [we] may be permitted to refuse your request.
Please note that the right to erasure is not an absolute right and there are certain circumstances set out in the Data Protection Legislation in which the right does not apply. For example, [we] may not have to erase your personal data if [we] need it to comply with a legal obligation. If any of these circumstances apply, [we] will explain why your personal data cannot be erased when responding to your request for erasure.

9. The Right to Restrict Processing
You have the right to request the restriction or suppression of your personal data. In practice, this is an alternative to having your personal data erased. This means that you can limit the way in which [we] use your personal data, while still allowing [us] to retain it.
Please note that the right to restrict processing is not an absolute right and only applies in certain circumstances as follows:
a) You have contested the accuracy of your personal data and [we are] verifying the accuracy of it;
b) Your personal data has been processed unlawfully and you want [us] to restrict processing rather than erasing your personal data;
c) [We] do not need the personal data any more, but you need [us] to keep it in order to establish, exercise, or defend a legal claim; or
d) You have exercised your right to object (see Part 11, below), and [we are] considering whether [our] legitimate grounds for processing your personal data override your right to object to [us] using it.
When processing is restricted, [we] cannot do anything with your personal data other than store it unless we have your consent to do so or unless one of the following applies:
a) [We] need to use your personal data in the establishment, exercise, or defence of legal claims;
b) [We] need to use your personal data in order to protect the rights of another person; or
c) Important public interest reasons justify using it.
You can exercise this right by contacting [us] and asking for the processing of your data to be restricted. Requests for the restriction of processing can be made orally or in writing. [You can also restrict [our] processing of your personal data by “logging into your account on our website and selecting ‘restrict the processing of my personal data’.”] [We are] required by law to respond to a request to restrict the processing of your personal data within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for having the processing of your personal data restricted. For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our] costs. Alternatively, in some limited circumstances, [we] may be permitted to refuse your request.

10. The Right to Data Portability
Where [we are] processing your personal data either with your consent or for the performance of a contract between us, and [we are] using automated means of processing (i.e. not using paper files), you have the right to obtain a copy of your personal data in a commonly used format for use with another organisation. You can also request that [we] send your personal data directly to another organisation.
This right is designed to enable you to easily move, copy, or transfer your personal data from one organisation’s IT system to another organisation’s IT system in a safe and secure way, without affecting its usability.
Please note that this right only applies to personal data that you have provided to [us]. This includes information in your “profile” or “account” as well as data that [we] may obtain from your activities on “our website” such as usage history and other factors such as location data, statistics from IoT devices such as wearables and smart meters etc. It does not include additional data that [we] may create based upon the data you have provided or to data that has been anonymised. In some cases, more personal data relating to you may be available under your right of access (see Part 6, above).
You can exercise this right by contacting [us] and asking either for a copy of your personal data for use with another organisation or for your personal data to be transferred to that organisation. Requests can be made orally or in writing. [You can also download your personal data in CSV, XML format by “logging into your account on our website and selecting ‘download my personal data’.”].
[We are] required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for exercising your right to data portability. For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our] costs. Alternatively, in some limited circumstances, [we] may be permitted to refuse your request.

11. The Right to Object
Where [we are] processing your personal data either on the basis of [our] ‘legitimate interests’ [, in the exercise of official authority vested in [us] ,] or in the performance of a task carried out in the public interest, you have the right to object to [us] processing your personal data.
You also have the absolute right to object to [us] using your personal data for direct marketing purposes.
If you object to [us] using your personal data for direct marketing purposes, your right to do so is absolute and [we] have no grounds on which to refuse.
If you object to [us] using your personal data either on the basis of [our] ‘legitimate interests’ [, in the exercise of official authority vested in [us],] or in the performance of a task carried out in the public interest, please note that your right to do so is not absolute. When making your request to exercise this right, you must give specific reasons for your objection based upon your particular situation. [We] can continue using your personal data if [we] can demonstrate ‘compelling legitimate grounds’ which override your interests, rights, and freedoms; or if the processing is necessary for the establishment, exercise, or defence of legal claims. Additional limitations apply if your personal data is being processed for research purposes.
You can exercise this right by contacting [us] and stating your objection to the processing of your personal data for the relevant purpose or purposes, providing an explanation if required (see the previous paragraph). Objections to processing can be made orally or in writing. [You can also object to [our] processing of your personal data [for direct marketing purposes only] by “logging into your account on our website and selecting ‘object to the processing of my personal data’.” or “logging into your account on our website and selecting ‘change my marketing preferences’.”] [We are] required by law to respond to your request within one calendar month of receipt. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for exercising your right to object. For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our] costs. Alternatively, in some limited circumstances, [we] may be permitted to refuse your request.

12. Automated Decision-Making (Including Profiling)
[[We] do not carry out automated decision-making (i.e. making a decision using automated means only, without any human involvement) using your personal data.] OR [[We] carry out certain automated decision-making (i.e. making a decision using automated means only, without any human involvement) using your personal data, as described in [our]  [Privacy Policy] OR [Privacy Notice].] You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal or ‘similarly significant’ effects.
You have the right to challenge decisions made in this way and can:
a) Request human intervention;
b) Express your own point of view; and
c) Obtain an explanation from [us] about the decision and challenge it.
You can exercise this right by contacting [us] and stating that you wish to ask about or challenge a decision made using your personal data by solely automated means, telling [us] which of the above (a, b, and/or c) you wish to do (see the previous paragraph). You can contact [us] orally or in writing.
[We are] required by law to respond within one calendar month of receipt of your request to exercise this right. In certain limited cases, for example, where your request is complex or you have made multiple requests, this period may be extended by up to two months; however, you will be kept informed at all times.
There is not normally a fee payable for exercising your rights relating to automated decision-making (including profiling). For ‘manifestly unfounded or excessive’ requests, however, [we are] permitted to charge a ‘reasonable fee’ that covers [our] costs. Alternatively, in some limited circumstances, [we] may be permitted to refuse your request.

13. Exercising Your Rights
To exercise any of your rights as a data subject, please contact [[our] Data Protection Officer (“DPO”)] OR [Edwin Rance and Company Director] via:
• Email: edwin@rancehealthcareservices.co.uk;
• Post: 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR;
• Telephone: 01902 973451.
When contacting [us] to exercise your right of access, please [use the Subject Access Request Form available from provide:
• Your full name;
• Your address;
• Your telephone number;
• Your email address; and
• Details of the information being requested.
When contacting [us] to exercise your right to rectification, please provide:
• Your full name;
• Your address;
• Your telephone number;
• Your email address;
• Details of the information you wish to have rectified; and
• (Where relevant) any information that supports your request or otherwise provides evidence of the need for rectification.
When contacting [us] to exercise your right of erasure, please provide:
• Your full name;
• Your address;
• Your telephone number;
• Your email address;
• Details of the information you wish to have erased; and
• (Where relevant) any information that supports your request or otherwise justifies the need to have the data erased.
When contacting [us] to exercise your rights to restrict processing or to object to processing, please provide:
• Your full name;
• Your address;
• Your telephone number;
• Your email address;
• Details of the processing you wish to restrict or object to;
• Details of why you want the processing to be restricted or why you object to it; and
• (Where relevant) any information that supports your request or otherwise provides evidence of the need for processing to be restricted or stopped.
When contacting [us] to exercise your right to data portability, please provide:
• Your full name;
• Your address;
• Your telephone number;
• Your email address;
• Details of the personal data you wish to use with another service or organisation, also stating whether you require a copy of that data for yourself or whether you would like [us] to transfer it directly to the other service or organisation; and
• (Where relevant) any information that supports your request.
When contacting [us] to exercise your rights relating to automated decision-making (including profiling), please provide:
• Your full name;
• Your address;
• Your telephone number;
• Your email address;
• Details of the decision that you wish [us] to explain or review, also stating whether you would like [us] to explain the decision, if you are requesting human intervention, wish to express your own point of view about the decision, or wish to challenge the decision; and
• (Where relevant) any information that supports your request.

14. [Our] Acknowledgement and Response
[We] OR [I] will always respond quickly to your request to exercise any of your rights in relation to your personal data. [We] OR [I] will acknowledge receipt without undue delay and will provide a complete response to your request as quickly as possible. Normally, as stated above, this will be within one calendar month of receipt of your request. If additional time is required, [we] will contact you within the first calendar month to explain why the delay is necessary.

15. Your Right to Complain
If you have any cause for complaint about [our] use of your personal data, or about [our] handling of your request to exercise your rights under this Policy, you have the right to lodge a complaint with the Information Commissioner’s Office.
[We] would welcome the opportunity to resolve your concerns [ourselves], however, so please contact [us] first using the details set out above in Part 13.

16. Changes to this Policy
[We] may change this Policy from time to time. This may be necessary, for example, if the law changes, or if [we] change [our] business in a way that affects personal data protection. This Policy will also be reviewed [regularly] OR [on a 30 day basis].
Any changes will be made available online. This Policy was last reviewed on 29 December 2020 and last updated on 29 December 2020.

 

Anti-Money Laundering Policy

1. Introduction
Rancers Pro is a UK registered company providing Online Auction Services. The business of the Company is [low] risk in relation to money laundering, however in order to prevent any of our services being used (or potentially used) for any money laundering activity, as well as any of our users and staff being exposed to money laundering, we wish to put in place the following anti-money laundering policy.

2. Scope of the Policy
The broad definition of money laundering means that potentially anyone could commit a money laundering offence; this includes all auction users, employees of the Company, all temporary staff and contractors.
Our policy is to enable the Company to meet its legal and regulatory requirements in a way which is proportionate to the low risk nature of the business, by taking reasonable steps to minimise the likelihood of money laundering occurring.
All auction users and employees must be familiar with their legal responsibilities and failure to comply with this Policy may lead to suspension or disciplinary action.

3. What is Money Laundering?
The Proceeds of Crime Act 2002 (POCA) consolidated, updated and reformed criminal law with regard to money laundering.
Money laundering can be defined as the process to move illegally acquired cash through financial systems so that it appears to be from a legitimate source. Money laundering offences include: concealing, disguising, converting, transferring criminal property or removing it from the UK (Section 327 POCA); entering into or becoming concerned in an arrangement which you know or suspect facilitates the acquisition, retention, use or control of criminal property by or on behalf of another person (Section 328 POCA); and acquiring, using or possessing criminal property (Section 329 POCA).
There are also several secondary offences: failure to disclose knowledge or suspicion of money laundering to the Money Laundering Reporting Officer (MLRO); failure by the MLRO to disclose knowledge or suspicion of money laundering to the National Crime Agency; and ‘tipping off’ whereby somebody informs a person or persons who are, or who are suspected of being involved in money laundering, in such a way as to reduce the likelihood of their being investigated or prejudicing an investigation.
Any user or member of staff could potentially be caught by the money laundering provisions, if they suspect money laundering and either become involved with it in some way, and/or do nothing about it. This Policy sets out how any concerns should be raised.

4. Money Laundering Reporting Officer (MLRO)
The Company will appoint a MLRO to receive disclosures about money laundering activity and be responsible for anti-money laundering activity on the auction site or within the Company. The officer nominated to do this is.
The MLRO will ensure that appropriate training and awareness is provided to new and existing employees/temporary staff/contractors and that this is reviewed and updated as required.
The MLRO will ensure that appropriate anti-money laundering systems and processes are incorporated by the Company.

5. Suspicions of Money Laundering
All users and employees/temporary staff/contractors must immediately/promptly report any suspicious activity to the MLRO in the prescribed form as set out in this policy document.
Once the matter has been reported to the MLRO, the employee/temporary staff/contractor must follow the directions given to him/her and must NOT make any further enquiry into the matter.
The employee/temporary staff/contractor must NOT voice any suspicions to the person(s) whom they suspect of money laundering, as this may result in the commission of the offence of “tipping off”. They must NOT discuss the matter with others or note on the file that a report has been made to the MLRO in case this results in the suspect becoming aware of the situation.

6. Consideration of the Disclosure by the MLRO
Once the MLRO has received the report, it must be evaluated in a prompt/timely manner in order to determine whether:
• There is actual or suspected money laundering taking place; or
• There are reasonable grounds to know or suspect that this is the case; and
• Whether the MLRO needs to lodge a Suspicious Activity Report (SAR) with the National Crime Agency (the NCA).
Where the MLRO concludes that there are no reasonable grounds to suspect money laundering then consent will be given for any on-going or imminent transaction(s) to proceed.
Where consent is required from the NCA for a transaction to proceed, then the transaction(s) in question must not be undertaken or completed until the NCA has given specific consent, or there is deemed consent through the expiration of the relevant time limits without objection from the NCA.
All disclosure reports referred to the MLRO and reports made to the NCA will be retained by the MLRO in a confidential file kept for that purpose, for a minimum of 5 years.
The MLRO must also consider whether additional notifications and reports to other relevant enforcement agencies should be made.

7. Customer Identification and Due Diligence
Due diligence is performed on all buyers and sellers (“the Users”) who must provide basic information including user names of the offenders.
With instructions from new users or users not known well to the Company, users in known high risk industries and/or jurisdictions, transactions that are unusual for the customer or other unusual requests, highly complex transactions or payment arrangements, the Company may wish to seek additional evidence of identity. This may include:
• checking the organisation’s website to confirm the identity of personnel, its business address and any other details;
• attending the customer at their business address;
• searching the telephone directory;
• evidence of the personal identity of the key contact officer (passport, photo, driving licence).
If satisfactory evidence of identity is not obtained at the outset then the business relationship or one off transaction(s) cannot proceed any further.

8. Record Keeping
Where “relevant business” is carried out then the user identification evidence and details of the relevant transaction(s) for that user must be retained for at least 5 years.

 

Ethical Policy

Rance Healthcare Services Ltd
Ethical Policy
29 May 2023

1. Purpose
1.1 Rance Healthcare Services Ltd (“the Company”) is committed to the practice of responsible corporate behaviour.
1.2 Through its business practices the Company seeks to protect and promote the human rights and basic freedoms of all its employees and agents.
1.3 Further the Company is committed to protecting the rights of all of those whose work contributes to the success of the Company, including those employees and agents of suppliers to the Company.
1.4 The Company is also committed to eliminating bribery and corruption. It is essential that all employees and persons associated with the Company adhere to this policy and abstain from giving or receiving bribes of any form.
1.5 This policy is non-exhaustive, and all aspects of the Company’s business should be considered in the spirit of this policy.

2. Human Rights
2.1 The Company is vehemently opposed to the use of slavery in all forms; cruel, inhuman or degrading punishments; and any attempt to control or reduce freedom of thought, conscience and religion.
2.2 The Company will ensure that all of its employees, agents and contractors are entitled to their human rights as set out in the Universal Declaration of Human Rights and the Human Rights Act 1998.
2.3 The Company will not enter into any business arrangement with any person, company or organisation which fails to uphold the human rights of its workers or who breach the human rights of those affected by the organisation’s activities.

3. Workers’ Rights
3.1 The Company is committed to complying with all relevant employment legislation and regulations. The Company regards such regulations and legislation as the minimum rather than the recommended standard.
3.2 No worker should be discriminated against on the basis of age, gender, race, sexual orientation, religion or beliefs, gender reassignment, marital status or pregnancy. All workers should be treated equally. Workers with the same experience and qualifications should receive equal pay for equal work.
3.3 No worker should be prevented from joining or forming a staff association or trade union, nor should any worker suffer any detriment as a result of joining, or failing to join, any such organisation.
3.4 Workers should be aware of the terms and conditions of their employment or engagement from the outset. In particular workers must be made aware of the wage that they receive, when and how it is to be paid, the hours that they must work and any legal limit which exists for their protection and any overtime provisions. Workers should also be allowed such annual leave, sick leave, maternity / paternity leave and such other leave as is granted by legislation as a minimum.
3.5 The Company does not accept any corporal punishment, harassment in any form, or bullying in any form.

4. Environmental Issues
4.1 The Company is committed to keeping the environmental impact of its activities to a minimum and has established an Environmental Policy in order to help achieve this aim. Copies of the Environmental Policy are available from the relevant officer.
4.2 As an absolute minimum, the Company will ensure that it meets all applicable environmental laws in whichever jurisdiction it may be operating.

5. Conflicts of Interest
5.1 The Company holds as fundamental to its success the trust and confidence of those with whom it deals, including clients, suppliers and employees. Conflicts of interest potentially undermine the relationship of the Company with its partners.
5.2 In order to help preserve and strengthen these relationships the Company has developed a Corporate Hospitality and Gifts Policy, which provides rules and guidelines concerning the conduct of its officers and employees aimed at minimising the possibility of conflicts of interest and at avoiding risks associated with bribery and corruption. Copies of the Corporate Hospitality and Gifts Policy are available from the relevant officer.
5.3 All officers, employees and representatives of the Company are expected to act honestly and within the law.

6. Information and Confidentiality
6.1 Information received by employees, contractors or agents of the Company will not be used for any personal gain, nor will it be used for any purpose beyond that for which it was given.
6.2 The Company will at all times ensure that it complies with all applicable requirements of the Data Protection Legislation. “Data Protection Legislation” means (1) unless and until General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time) in the UK and subsequently (2) any legislation which succeeds the GDPR.

7. Shareholders and Investors
The Company, its officers, employees and representatives are committed to ensuring that no act or omission which is within their power and which would have the effect of deliberately, negligently or recklessly misleading the shareholders, creditors or other investors in the Company occurs.

8. Suppliers and Partners
8.1 The Company expects all suppliers and partners to work towards and uphold similar ethical and moral standards.
8.2 The Company will investigate the ethical record of potential new suppliers before entering into any agreement. Further, the Company reserves the right to request information from suppliers regarding the production and sources of goods supplied.
8.3 The Company reserves the right to withdraw from any agreement or other arrangement with any supplier or partner who is found to have acted in contravention of the spirit or principles of this Ethical Policy.

9. Bribery and Corruption
9.1 The Company is fundamentally opposed to any acts of bribery and to the making of facilitation payments as defined by the Bribery Act 2010.
9.2 Employees and any other persons associated with the Company such as agents, subsidiaries and business partners are not permitted to either offer or receive any type of bribe and/or facilitation payment.
9.3 All employees are encouraged to report any suspicion of corruption or bribery within the Company in accordance with the Whistle-blowing Policy available from the relevant officer.
9.4 Should any employee or associated person be in doubt when receiving or issuing gifts and hospitality, he/she must refer to the Gift and Hospitality Policy available from the relevant officer.
9.5 The Company uses its reasonable endeavours to implement the guidance principles on bribery management that are published, from time to time, by the Secretary of State in accordance with Section 9 of the Bribery Act 2010.
9.6 If an employee or associated person is found guilty of giving or receiving a bribe, he/she will be personally criminally liable and may be subject to disciplinary action.
9.7 Anyone found guilty of bribery will be responsible for bearing any related remedial costs such as losses, court fees or expenses.

This policy has been approved & authorised by:
Name: Edwin Rance
Position: Director
Date: 28 May 2023
Signature: Rance Healthcare Services Ltd

 

Anti-Bribery Policy

Rance Healthcare Services Ltd
Anti-Bribery Policy
28 May 2023

1. Purpose
1.1 Rance Healthcare Services Ltd (“the Company”) is committed to the practice of responsible corporate behaviour and to complying with all laws, regulations and other requirements which govern the conduct of our operations.
1.2 The Company is fully committed to instilling a strong anti-corruption culture and is fully committed to compliance with all anti-bribery and anti-corruption legislation including, but not limited to, the Bribery Act 2010 (“the Act”) and ensures that no bribes or other corrupt payments, inducements or similar are made, offered, sought or obtained by us or anyone working on our behalf or Sellers and Buyers (“the Users”) of our site.

2. Bribery
2.1 Bribery is defined as the giving or promising of a financial (full or part refund to buyers for a positive review) or other advantage to another party where that advantage is intended to induce the other party to perform a particular function improperly, to reward them for the same, or where the acceptance of that advantage is in itself improper conduct.
2.2 Bribery is also deemed to take place if any party requests or agrees to receive a financial or other advantage from another party where that advantage is intended to induce that party to perform a particular function improperly, where the acceptance of that advantage is in itself improper conduct, or where that party acts improperly in anticipation of such advantage.
2.3 Bribery of a foreign official is defined as the giving or promising of a financial or other advantage which is intended to influence the official in order to obtain business or an advantage in the conduct of business unless the foreign official is required or permitted by law to be influenced by such advantage.

3. Consequences of Bribery
3.1 Anyone or any organisation found guilty of bribery under the Act may face suspension/fines and/or prison terms. In addition, high legal costs and adverse publicity are likely to result from any breach of the Act.
3.2 For employees of the Company, failure to comply with this Policy and/or with the Act may result in:
3.2.1 disciplinary action which may include dismissal; and
3.2.2 criminal penalties under the Act which may result in a fine and/or imprisonment for up to 10 years.
3.3 For the Company, any breach of this Policy by any employee or business associate may result in:
3.3.1 the Company being deemed to be in breach of the Act;
3.3.2 the Company being subject to fines; and
3.3.3 the Company suffering negative publicity and further associated damage as a result of such breach.

4. Responsibility for Compliance and Scope of Policy
4.1 This Policy applies to all employees, agents, contractors, subcontractors, consultants, business partners and any other parties (including individuals, partnerships and bodies corporate) associated with the Company or any of its subsidiaries.
4.2 It is the responsibility of all of the above-mentioned parties to ensure that bribery is prevented, detected and reported and all such reports should be made in accordance with the Company’s Whistle-blowing Policy or as otherwise stated in this Policy, as appropriate.
4.3 No party described in section 4.1 may:
4.3.1 give or promise any financial or other advantage to another party (or use a third party to do the same) on the Company’s behalf where that advantage is intended to induce the other party to perform a particular function improperly, to reward them for the same, or where the acceptance of that advantage will in itself constitute improper conduct;
4.3.2 request or agree to receive any financial or other advantage from another party where that advantage is intended to induce the improper performance of a particular function, where the acceptance of that advantage will in itself constitute improper conduct, or where the recipient intends to act improperly in anticipation of such an advantage.
4.4 Parties described in section 4.1 must:
4.4.1 be aware and alert at all times of all bribery risks as described in this Policy and in particular as set out in section 9 below;
4.4.2 exercise due diligence at all times when dealing with third parties on behalf of the Company; and
4.4.3 report any and all concerns relating to bribery to Rance Healthcare Services Ltd or, in the case of non-employees, their normal point of contact within the Company, or otherwise in accordance with the Company’s Whistle-blowing Policy.

5. Facilitation Payments
5.1 A facilitation payment is defined as a small payment made to officials in order to ensure or speed up the performance of routine or necessary functions.
5.2 Facilitation payments constitute bribes and, subject to section 5.3, may not be made at any time irrespective of prevailing business customs in certain territories.
5.3 Facilitation or similar payments may be made in limited circumstances where your life is in danger but under no other circumstances. Any payment so made must be reported to Rance Healthcare Services Ltd as soon as is reasonably possible and practicable.

This policy has been approved & authorised by:
Name: Edwin Rance
Position: Director
Date: 28 May 2023
Signature: E. Rance

 

Copyright Notice & Take Down Policy & Procedure

1. A Brief Introduction to Copyright
Governed in the UK by the Copyright Designs and Patents Act 1988, copyright is an intellectual property right which protects various different types of material and bestows upon the creator and/or owner of that material a number of exclusive rights including the right to permit or deny the copying of that material.
Copyright protects various different types of material which can be broken down into the following categories:

• Literary, dramatic and musical works;
• Certain databases;
• Artistic works;
• Sound Recordings;
• Films;
• Broadcasts; and
• The typographical arrangement of published editions.
It is important to bear in mind that the above categories, though clearly separate, may become mixed in a real-world work or product. It is common, therefore, for multiple copyright works to form part of one overall product.
Copyright protection, unlike patent protection or a registered trademark, arises automatically. Although certain organisations provide for voluntary forms of registration, no official registration is required for copyright to take effect. Unlike the use of the ® symbol in relation to trademarks, therefore, you need to observe no formalities in order to use the © symbol in relation to copyright. Indeed it is advisable to use this on your work, noting also the year that the work was created and the name of the copyright owner.
Although there are no registration requirements to be met, works must meet certain criteria in order to qualify for copyright protection. Most importantly, no work can be protected by copyright unless it is recorded or “fixated” in some form. This reflects the notion that copyright protects the expression of an idea rather than the idea itself.
To further establish the date of creation of a copyright work, it may be advisable to send yourself a copy of that work by special delivery post or to lodge a copy of it with a bank or solicitor. This can prove useful in the event of later disputes as to the date of creation and originality of a work.

2. Infringement
Copyright owners have certain rights in relation to their works which are exercisable by them alone. Acts which may be carried out in relation to copyright works are known as “restricted acts”. These restricted acts are as follows:

• Copying the work;
• Issuing copies of the work to the public;
• Renting or lending the work to the public;
• Performing, showing or playing the work in public;
• Communicating the work to the public; and
• Making adaptations of the work (or performing any of the above acts in relation to such adaptations).
If anyone other than the copyright owner performs any of the restricted acts without the copyright owner’s consent, or authorises another to perform those acts, that party will be infringing copyright.
It is important to note that the restricted acts need not be performed in relation to a whole copyright work in order for there to be infringement. Performing the acts in relation to a “substantial part” is enough. Defining a “substantial part” can be tricky as it is not defined anywhere in copyright law. When determining whether a substantial part of a work has been infringed, the assessment will be qualitative rather than quantitative.
Certain acts are still permitted even though they may at first appear to constitute infringement. These acts fall under the following headings:

• The making of temporary copies;
• Incidental inclusion;
• Criticism, review and news reporting;
• Educational Use;
• Use by libraries, archives;
• Use for public administration;
• Public interest;
• Copying for the visually impaired; and
• Works permanently situated in public places.

Temporary Copies
Copyright is not infringed by the making of temporary copies which are “transient or incidental” where the making of those copies is an integral and essential part of a technological process where that process serves to transmit the work over a network via an intermediary or some other lawful use of the work. This is subject to one key condition that the temporary copy must have no independent economic significance. It is also important to note that this exception does not apply to a computer program or database.

Incidental Inclusion
This exception applies primarily to artistic works, sound recordings, films and broadcasts. There is no infringement if a copyright work is “incidentally included” in such a work. As to what is classed as “incidental”, this will be assessed on a case-by-case basis but may generally be taken to refer to little more than a fleeting glance or something which is barely discernible in the background. The inclusion of music is not so straightforward. Music can still be “incidentally included”, however if its inclusion is deliberate (for example, background music deliberately played to ‘set the scene’) then it will not fall within this exception.

Criticism, Review and News Reporting
Another of the “fair dealing” exceptions, the use of a work for the purposes of criticism or review does not infringe copyright provided that a sufficient acknowledgement is given. This exception applies either to the work being reviewed or another work which is used for the purpose of reviewing it. It is important to note that the work in question must have been made available to the public.
With the exception of photographs, a work may be used for the purpose of reporting current events (i.e. news) provided that a sufficient acknowledgement is given. It should be noted that acknowledgement is not required when reporting current events using film, broadcast or sound recordings where to give such an acknowledgement would be impossible.

Educational Use
This category of exception can be further divided into the following:
• Research and private study;
o This exception applies to non-commercial research and students. Limited copying and the taking of short extracts are permitted. It is important to note that this exception applies only to literary, dramatic, musical or artistic works or the typographical arrangement of a published edition.
o Generally speaking, any work used should be acknowledged; however, if it would be impossible (from a practical standpoint) to give an acknowledgement, this requirement is waived.
• Things done for the purposes of instruction or examination;
o This exception covers the copying of literary, dramatic, musical or artistic works for use in teaching provided reprographic methods are not used. Photocopying (or other mass duplication) is therefore not permitted under this exception. This applies to copying which may take the form of, for example, a teacher writing material on a whiteboard or students writing, typing or drawing their own copies of works.
o Copies may also be taken for examinations under this exception; however this does not extend to the copying of sheet music for performance in an examination.
• Anthologies for educational use;
• Performing, playing or showing work in the course of the activities of an educational establishment;
o This exception is more limited than it may first appear. It will not, for example, apply to a school play to which parents are invited. Instead, this exception covers the performance, playing or showing of copyright works to teaching staff, students and others directly connected with the activities of the educational establishment.
• Reprographic copying by educational establishments of passages from published works;
o Again, this exception is far more limited than its title suggests. Numerous conditions apply. Most notably, no more than 1% of any work may be copied in any calendar quarter. In any event, no copying is permitted without a licence where licences are available and the person making the copies either knew or ought to have been aware of that fact. Simply put, therefore, this exception is of extremely limited practical use.
• Lending of copies by educational establishments.

Libraries and Archives
This exception is perhaps one of the most complex. In simple terms, public libraries do not infringe copyright by lending books within the Public Lending Right scheme. Similarly, not-for-profit, non-public libraries prescribed by the Secretary of State do not infringe copyright by lending copies of works. Furthermore, such prescribed libraries may also produce single copies of works for lending to readers for the purposes of private study or research. The borrowers of such copies must pay a sum which is at least equivalent to the cost of producing the copy.

Public Administration
Copyright in works is not infringed by various actions which fall broadly under the following headings:

• Parliamentary and judicial proceedings;
• Royal Commissions and statutory inquiries;
• Material open to public inspection or on an official register;
• Material communicated to the Crown in the course of public business;
• Public records; and
• Acts done under statutory authority.
It is important to note, however, that the exception does not extend to the copying of a work which is created as a part of such public administration. Hansard reports of parliamentary proceedings, for example, are protected by Parliamentary copyright.

Public Interest
Another seemingly broad exception, the public interest exception is also one which is largely undefined. It is perhaps better to think of the public interest exception as a defence to a claim of copyright infringement. Certain works may be viewed as undeserving of copyright protection – for example works published in breach of confidence or, perhaps, those which might be deemed to be obscene. On the flip-side, copyright protection may be overlooked in cases where it is in the public interest that the works in question be disseminated widely. It should, however, be noted that the boundaries of this defence are both uncertain and narrow. Matters pertaining to the public interest will often be limited to those relating to national security, illegality, fraud or matters which could be ‘destructive’ to the country or its people.

Copying for the Visually Impaired
Provided that a visually impaired person lawfully possesses a ‘master copy’ of the work in question which, as a result of their visual impairment is ‘inaccessible’, they may create an accessible copy for personal use. Certain approved bodies may make multiple copies, again provided they have lawful possession of a ‘master copy’ of the work in question.

Works Permanently Situated in Public Places
Finally, the copyright in buildings, sculptures, models for buildings and works of artistic craftsmanship is not infringed by the making of a graphic work which includes such a work, by taking photographs or films or by including a visual image of such a work in a broadcast. This exception applies provided that the work (building, sculpture, etc.) is permanently situated in a public place or in premises which are open to the public.

3. Computer Programs
Thus far, we have overlooked a very important type of copyright work: the computer program. Many restrictions and exceptions relating to computer programs will be set out in licence agreements. Most acts which are restricted with respect to software, then, will be dealt with under the terms of the end user licence agreement.
Outside of the licence, however, there are certain acts which may appear to infringe the copyright that subsists in that software which are, in fact, permitted:
• Making back-up copies of computer programs which are necessary for the purposes of the lawful use of the program in question;
• Decompiling computer programs in order to obtain information necessary to create a new program which will be compatible with the decompiled program;
• Observing, studying and testing computer programs in order to determine the ideas and principles which underlie any particular element of the program in question whilst loading, displaying, running, transmitting or storing the program as entitled to; and
• Copying or adapting computer programs either as is necessary for lawful use (provided that copying or adapting is not contractually prohibited, for example, by the end user licence agreement). A particular example in this case is error correction.
It is important to note that software licences (or other contracts or agreements) may not prohibit or restrict the first three of the above acts. Any clauses which purport to do so would be held as void under the terms of the Copyright Designs and Patents Act 1988.

4. Dealing With Infringement
If none of the exceptions detailed above apply to a third party’s actions with respect to your copyright, you may have legitimate grounds to claim for copyright infringement. This does not, however, mean that your first step should be to run to your lawyer’s office and sue the infringer for every penny they have got.
The first step, in any event, is to gather your evidence:
• Firstly, be sure to obtain a copy of the infringing work. Ensure that you have as much evidence as possible in this regard to prove the existence of the infringing work.
• Next, you should take a copy of your own work, clearly indicating where there are similarities between your work and the infringing work. If you had previously taken steps to create a “registration copy” of the work (for example, by posting a copy to yourself by registered post), now is the time to find it and have it ready in the event that the infringer challenges your claim.
• If you have any additional documents or evidence that can be used to further prove your ownership of your work and the date on which it was created, gather this together too. Useful examples of such evidence may include letters, minutes, notes, drafts, sketches and previous (or developmental) versions of the work.
The next step is to contact the infringer. A cease and desist letter is usually the best means of contact. A cease and desist letter should:

• Establish your ownership of your work;
• Set out your allegation of infringement;
• Set out your requests which should, first and foremost, include the requirement to cease and desist the recipient’s infringement; and
• Establish a deadline for the recipient’s acknowledgement and response.
The requests made by a cease and desist letter (in addition to the obvious) may include one or more of the following:

• The payment of a backdated licence fee;
• The payment of licence fees henceforth (in which case, the infringer may continue to exploit your work lawfully under a licence);
• The attachment of a credit to the infringing work (which, again, will likely mean that the work is no longer infringing and is used under a licence from you);
• The delivery-up of all copies of the infringing work to you for destruction; or
• A written undertaking from the infringer stating that they will cease and desist from infringing your work and further that they will obtain your express written consent in the future for any further use of your work.
Choosing the right combination of requests is important and will also determine the ‘tone’ of your letter. Simply demanding that the recipient cease and desist their actions and deliver-up the infringing copies to you for destruction may be received rather differently to a letter which offers the option of, for example, a waiver of the previous infringement and the establishment of a licence agreement to legitimise the infringer’s on-going use of your work.
Ultimately, the requests made and the tone in which they are made must be decided based upon the circumstances and indeed the severity of the infringement. No cease and desist letter comes with a guarantee of success, but if your requests are reasonable and supported by sound evidence, you will likely meet with greater success.

What if my allegation is disputed?
Depending upon the nature of the infringer’s rebuttal, there may still be an opportunity to resolve the matter privately simply by discussing the matter. This may still not yield the desired result; however, all is not yet in the hands of the courts.
If the infringing party is open to the idea, it may be advisable to turn to some form of alternative dispute resolution prior to an all-out claim for infringement. Mediation, for example, may resolve the matter without the need to incur the considerable time and expense associated with taking the matter to court.
If neither private attempts at a resolution nor the use of alternative dispute resolution methods have succeeded then it may be time to seek legal advice on an action for infringement. Under the provisions of the Copyright Designs and Patents Act 1988, copyright owners may, under an action for infringement, obtain relief which may take the form of damages, injunctions or an account of profits.

 

NOTICE AND TAKE DOWN POLICY & PROCEDURE

BACKGROUND:

This Policy applies to the materials published by Sellers (“the Users”) on its website at www.rancehealthcareservices.co.uk [and Facebook / YouTube or any other publications].

1. Definitions and Interpretation
In this Policy the following terms shall have the following meanings:
“Business Day” means any day (other than Saturday or Sunday) on which ordinary banks are open for their full range of normal business in England, UK;
“Infringing Material” means any material published by the Company which is alleged (and/or found) to infringe any Intellectual Property Rights;
“Intellectual Property Rights” means any and all patents, rights in inventions, rights in designs, trademarks, trade and business names and all associated goodwill, rights to sue for passing-off or for unfair competition, copyright, moral rights and related rights, rights in databases, topography rights, domain names, rights in information (including know-how and trade secrets) and all other similar or equivalent rights (subsisting now or in the future) in any part of the world, in each case whether registered or unregistered and including all applications for, and renewals or extensions of, such rights for their full term;
“Notice” means a communication received by the Company informing us of an alleged infringement.

2. Notice and Take Down
2.1 Whilst Sellers (“the Users”) make all reasonable efforts to ensure that all materials published by them do not infringe the Intellectual Property Rights of any third party, the risk of such infringement cannot be entirely removed.
2.2 Under the terms of this Policy, a third party who identifies any material belonging to them which has been used by the Seller (“the Users”) without the requisite consent should contact Us using the procedures set out herein.

3. Notice Procedure
3.1 If you identify any material protected by Intellectual Property Rights belonging to you in any material published by the Seller (“the Users”) you should immediately contact us (Rancers Pro) using the following procedure:
3.1.1 Send an email containing the following details:
3.1.1.1 Your name and contact details;
3.1.1.2 Full details of the material you believe to be infringing. This may include, for example, URLs, highlighted copies of material containing infringing material, screenshots and/or any other evidence you feel appropriate;
3.1.1.3 Details of the alleged infringement;
3.1.1.4 Proof of your ownership of the Intellectual Property Rights subsisting in the Infringing Material or of your right to contact us on behalf of the owner of such rights.
3.2 The Company shall acknowledge receipt of all Notices within 1 Business Day.

4. Assessment and Take Down
4.1 Following receipt of a Notice, the Company shall make a preliminary assessment of the alleged infringement in order to determine its plausibility and validity.
4.2 If the outcome of the preliminary assessment shows that the complaint in the Notice is plausible and valid, the Infringing Material will be removed pending the completion of our enquiries and/or the reaching of an agreement between the Seller (“the Users”) and you.
4.3 In the event that the Infringing Material was provided to the Company by a third party, the Seller (“the Users”) will contact that third party in the course of its enquiries in order to determine the extent of that third party’s rights over the Infringing Material.
4.4 In cases where it is deemed necessary and appropriate, the Sellers (“the Users”) shall seek legal advice in order to resolve any matters of infringement.
4.5 Following the Company’s preliminary assessment of the alleged infringement, we shall contact you in order to inform you of the outcome of the assessment and to discuss, where relevant, an appropriate resolution to your complaint.

5. Resolution of Complaints
5.1 The Company shall use all reasonable endeavours to resolve complaints quickly and fairly. One of the following outcomes shall be desirable (but not guaranteed):
5.1.1 Where no infringement is found, the (alleged) Infringing Material shall remain without modification;
5.1.2 The Infringing Material shall be replaced without modification without the requirement for licensing fees;
5.1.3 The Infringing Material shall be replaced without modification under the terms of a negotiated paid licence;
5.1.4 The Infringing Material shall be replaced with modifications to remove infringing elements; or
5.1.5 The Infringing Material shall be removed and not republished.
5.2 In the event that a complaint cannot be resolved the Infringing Material shall remain removed indefinitely or until such time that an appropriate resolution is reached.
5.3 In the event that a complaint cannot be resolved and becomes the subject of legal proceedings, the Infringing Material shall remain removed, the provisions of this Policy shall cease to apply and the complaint shall be resolved as the parties, their legal advisers and/or the courts of England and Wales may direct.

6. Changes to this Policy and Procedure
The Company reserves the right to change this Policy as we may deem necessary from time to time or as may be required by law.

 

COOKIES POLICY

Cookies Policy of Rance Healthcare Services Ltd
This website, www.rancehealthcareservices.co.uk is operated by Rance Healthcare Services Ltd.

BACKGROUND:

This website https://rancehealthcareservices.co.uk/ (“Our Site”) uses Cookies and similar technologies in order to distinguish you from other users. By using Cookies, We are able to provide you with a better experience and to improve Our Site by better understanding how you use it. Please read this Cookie Policy carefully and ensure that you understand it. Your acceptance of Our Cookie Policy is deemed to occur [if you continue using Our Site] OR [when you press the “accept” button on Our Cookie pop-up] OR [when you have selected your preferred Cookie options in Our Cookie pop-up and pressed the “continue” button]. If you do not agree to Our Cookie Policy, please stop using Our Site immediately.

1. Definitions and Interpretation
1.1 In this Cookie Policy, unless the context otherwise requires, the following expressions have the following meanings:
“Cookie” means a small file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site;
“Cookie Law” means the relevant parts of the Privacy and Electronic Communications (EC Directive) Regulations 2003 [and of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”)];
“personal data” means any and all data that relates to an identifiable person who can be directly or indirectly identified from that data, as defined by [the Data Protection Act 1998] OR [EU Regulation 2016/679 General Data Protection Regulation (“GDPR”)]; and
“We/Us/Our” means Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, WV3 0RS, and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, WV3 0RS.

2. Information About Us
2.1 Our Site is [owned and] operated by Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is <<84 Salop Street, Wolverhampton, WV3 0SR>> and whose main trading address is] OR [of] 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.
2.2 [Our VAT number is <<insert VAT number>>.]
2.3 [Our Data Protection Officer is Edwin Rance, and can be contacted by email, by telephone on 01902 973451, or by post at 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.]
2.4 [We are regulated by CQC.]
2.5 [We are a member of <<Skills for Care>>.]
2.6 [<<insert further information as required>>.]

3. How Does Our Site Use Cookies?
3.1 Our Site may place and access certain first party Cookies on your computer or device. First party Cookies are those placed directly by Us and are used only by Us. We use Cookies to facilitate and improve your experience of Our Site and to provide and improve Our [products] AND/OR [services]. We have carefully chosen these Cookies and have taken steps to ensure that your privacy and personal data is protected and respected at all times.
3.2 By using Our Site, you may also receive certain third party Cookies on your computer or device. Third party Cookies are those placed by websites, services, and/or parties other than Us. Third party Cookies are used on Our Site for advertising and monitoring purposes. For more details, please refer to section 4 below.
3.3 All Cookies used by and on Our Site are used in accordance with current Cookie Law. We may use some or all of the following types of Cookie:
3.3.1 Strictly Necessary Cookies
A Cookie falls into this category if it is essential to the operation of Our Site, supporting functions such as logging in, your shopping basket, and payment transactions.
3.3.2 Analytics Cookies
It is important for Us to understand how you use Our Site, for example, how efficiently you are able to navigate around it, and what features you use. Analytics Cookies enable us to gather this information, helping Us to improve Our Site and your experience of it.
3.3.3 Functionality Cookies
Functionality Cookies enable Us to provide additional functions to you on Our Site such as personalisation and remembering your saved preferences. Some functionality Cookies may also be strictly necessary Cookies, but not all necessarily fall into that category.
3.3.4 Targeting Cookies
It is important for Us to know when and how often you visit Our Site, and which parts of it you have used (including which pages you have visited and which links you have visited). As with analytics Cookies, this information helps us to better understand you and, in turn, to make Our Site and advertising more relevant to your interests. [Some information gathered by targeting Cookies may also be shared with third parties.]
3.3.5 [Third Party Cookies
Third party Cookies are not placed by Us; instead, they are placed by third parties that provide services to Us and/or to you. Third party Cookies may be used by advertising services to serve up tailored advertising to you on Our Site, or by third parties providing analytics services to Us (these Cookies will work in the same way as analytics Cookies described above).]
3.3.6 Persistent Cookies
Any of the above types of Cookie may be a persistent Cookie. Persistent Cookies are those which remain on your computer or device for a predetermined period and are activated each time you visit Our Site.
3.3.7 Session Cookies
Any of the above types of Cookie may be a session Cookie. Session Cookies are temporary and only remain on your computer or device from the point at which you visit Our Site until you close your browser. Session Cookies are deleted when you close your browser.
3.4 Cookies on Our Site are not permanent and will expire [after 30 days] OR [as indicated in the table below].
3.5 For more details of the personal data that We collect and use, the measures we have in place to protect personal data, your legal rights, and our legal obligations, please refer to our Privacy Policy.
3.6 For more specific details of the Cookies that We use, please refer to the table below.

4. What Cookies Does Our Site Use?
4.1 The following first party Cookies may be placed on your computer or device:
Name of Cookie | Purpose & Type | Strictly Necessary
<<insert file name>> | <<insert user-friendly description>> | <<yes / no>>
<<insert file name>> | <<insert user-friendly description>> | <<yes / no>>
<<insert file name>> | <<insert user-friendly description>> | <<yes / no>>
4.2 The following third party Cookies may be placed on your computer or device:
Name of Cookie | Purpose & Type | Provider | Strictly Necessary
<<insert file name>> | <<insert user-friendly description>> | <<insert name of provider>> | <<yes / no>>
<<insert file name>> | <<insert user-friendly description>> | <<insert name of provider>> | <<yes / no>>
<<insert file name>> | <<insert user-friendly description>> | <<insert name of provider>> | <<yes / no>>
4.3 Our Site uses analytics services provided by Bing and Google Analytics. Website analytics refers to a set of tools used to collect and analyse anonymous usage information, enabling Us to better understand how Our Site is used. This, in turn, enables Us to improve Our Site and the [products] AND/OR [services] offered through it. You do not have to allow Us to use these Cookies, however whilst Our use of them does not pose any risk to your privacy or your safe use of Our Site, it does enable Us to continually improve Our Site, making it a better and more useful experience for you.
4.4 The analytics service(s) used by Our Site use(s) analytics Cookies to gather the required information.
4.5 The analytics service(s) used by Our Site use(s) the following analytics Cookies:
Name of Cookie | Purpose & Type | Provider | Strictly Necessary
<<insert file name>> | <<insert user-friendly description>> | <<insert name of provider>> | <<yes / no>>
<<insert file name>> | <<insert user-friendly description>> | <<insert name of provider>> | <<yes / no>>
<<insert file name>> | <<insert user-friendly description>> | <<insert name of provider>> | <<yes / no>>

5. Consent and Control
5.1 Before Cookies are placed on your computer or device, you will be shown a pop-up requesting your consent to set those Cookies. By giving your consent to the placing of Cookies you are enabling Us to provide the best possible experience and service to you. You may, if you wish, deny consent to the placing of Cookies [unless those Cookies are strictly necessary]; however certain features of Our Site may not function fully or as intended. [You will be given the opportunity to allow and/or deny different categories of Cookie that We use.] [You can return to your Cookie preferences to review and/or change them at any time by <<insert description>>.]
5.2 In addition to the controls that We provide, you can choose to enable or disable Cookies in your internet browser. Most internet browsers also enable you to choose whether you wish to disable all Cookies or only third party Cookies. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser or the documentation that came with your device.
5.3 The links below provide instructions on how to control Cookies in all mainstream browsers:
5.3.1 Google Chrome: https://support.google.com/chrome/answer/95647?hl=en-GB
5.3.2 Microsoft Internet Explorer: https://support.microsoft.com/en-us/kb/278835
5.3.3 Microsoft Edge: https://support.microsoft.com/en-gb/products/microsoft-edge (Please note that there are no specific instructions at this time, but Microsoft support will be able to assist)
5.3.4 Safari (macOS):
5.3.5 Safari (iOS): https://support.apple.com/en-gb/HT201265
5.3.6 Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-Cookies-website-preferences
5.3.7 Android: https://support.google.com/chrome/answer/95647?co=GENIE.Platform%3DAndroid&hl=en (Please refer to your device’s documentation for manufacturers’ own browsers)

6. Changes to this Cookie Policy
6.1 We may alter this Cookie Policy at any time. [If We do so, details of the changes will be highlighted at the top of this page.] Any such changes will become binding on you on your first use of Our Site after the changes have been made. You are therefore advised to check this page from time to time.
6.2 In the event of any conflict between the current version of this Cookie Policy and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.

7. Further Information
7.1 If you would like to know more about how We use Cookies, please contact Us via email.
7.2 For more information about privacy, data protection and our terms and conditions, please visit the following:
7.2.1 Privacy Policy;
7.2.2 Terms and Conditions.

Cookie Law Guidance Notes

1. Introduction
The current legal requirements for website cookies and similar technologies stem from the Privacy and Electronic Communications (EC Directive) Regulations 2003 and, as of 25 May 2018, from the European General Data Protection Regulation 2016 (“GDPR”).
Privacy online is of great importance, all the more so in light of the GDPR which represents the single greatest step forward in privacy legislation since the Data Protection Act of 1998; a piece of legislation which was crafted before the advent (or at least the rise) of many forms of data collection and usage that are commonplace today, particularly online.
Privacy in general is also increasingly an important issue for internet users who are increasingly concerned that their data is being commodified largely without their permission or knowledge. This is not only important from a legal standpoint, but also from a business one. By complying with the law, not only is your business safe from penalties – particularly the tough ones introduced by the GDPR – but it is also likely to engender a greater degree of trust from its customers.
Central to the laws which govern cookies and similar technologies is the issue of consent. The law does not say that you cannot use cookies, trackers, beacons and so on. Rather, it requires that, in many cases, you must only do so with users’ permission. Current common practice is to simply inform users that your website uses cookies with their continued use of the site being taken as consent. As will be seen below, this is no longer sufficient. Users must be properly informed, must be given a genuine choice, and must give some kind of explicit indication of their consent.
1.1 Cookies and Similar Technologies
While most guidance focuses on cookies (indeed, the laws governing such technologies are commonly collectively referred to as “cookie law”) it is important to note that the law does not only govern cookies. A number of technologies may be used in a similar way, such as local shared objects (also known as “flash cookies”), web beacons, clear gifs, page tags, and web bugs. References to “cookies” in these Guidance Notes should be taken as also referring to these similar technologies. As technology develops quickly, the law could not keep up if it limited itself in scope to particular terms of art.
1.2 The Law’s Purpose
Simply put, the law aims to protect the privacy of internet users. The GDPR extends this protection due to the far greater scope of its definition of “personal data”. It may not be immediately obvious that a cookie or the data within it qualifies as personal data; however, where a cookie can identify an individual via their device, even if identification can only be made by combining the data in question with other data, it will fall within the definition. The rule of thumb we would suggest, then, is to err on the side of caution and treat all cookies and similar technologies in the same manner.
Those operating websites within the EU (even if the website itself or its operator/owner is based outside of the EU) are required by law to do the following:
• Inform users about the purpose of the cookies that their website places and stores on users’ computers or devices; and
• Obtain users’ consent before placing and storing those cookies.
1.3 Why Have This Law?
It is an inescapable truth that as regulations limiting the use of cookies and similar technologies get stricter, they become more of an impediment to business. Indeed, tougher consent requirements stand to negatively impact a number of things including behavioural advertising and the ability to track and analyse people’s use of your website.
A reasonable question to ask is why the cookie controls built into internet browsers cannot be relied upon for consent. Users are, after all, free to block cookies using browser settings or, for the more technically aware, browser extensions. The problem with such settings, however, is that many users are unaware of them. Furthermore, not all browsers are created equal and the sophistication of cookie and privacy settings varies considerably, often not providing sufficient levels of control. A user might want to stop you from tracking their use of your website, for example, but not prevent their login details and shopping basket contents from being saved. Even a browser that allows users to pick from blocking third-party cookies or blocking all cookies would not provide sufficient control in this scenario if your tracking was done using first-party cookies.
Proposals are afoot to address this state of affairs and were originally planned to come into force alongside the GDPR on 25 May 2018; however, at the time of writing the legislation in question remains in draft form and is still working its way through the European Union legislative process. Of particular interest is a new requirement imposed on the makers of web browsers to incorporate better controls — controls that would, in theory, eliminate the need for the consent mechanisms outlined below — however, until the legislation is finalised and browser makers have been given sufficient time to implement improved controls, the burden remains on the operators of websites to obtain consent from users proactively.

2. What Do I Need to Do?
The answer to this question depends largely upon what cookies you use on your website and for what purpose or purposes. The most effective way of identifying cookies (and similar technologies, remember), their functions, and indeed their importance, is to conduct a thorough cookie audit. This may also provide a useful opportunity to re-evaluate your use of cookies and their real value to your business.
2.1 Know Your Cookies
Before we move on to lay out the steps of a cookie audit, it is important that you understand the different types of cookie.
2.1.1 Strictly Necessary Cookies
A cookie falls into this category if it is essential to the operation of your website. Strictly necessary cookies may, for example, be required for functions such as logging in, storing items in a shopping basket, or enabling payment transactions.
2.1.2 Analytics Cookies
Understanding how users use your website can be extremely valuable. Analytics cookies provide insights into many factors such as how users are navigating around the site and what features they are using. Analytics cookies may often be set by third parties, but not always. To add to complications, however, even if analytics cookies are set by you, if the data collected by them is processed by a third party, they will be treated differently from a data protection perspective.
2.1.3 Functionality Cookies
Many websites offer some level of personalisation and functionality cookies play a key role here. For auditing purposes, however, it is important not to confuse these with the strictly necessary variety. If the site can be used properly without the cookie, it isn’t strictly necessary.
2.1.4 Targeting Cookies
It is important to know when and how often someone visits your website, and which parts of it they have used (including which pages they have visited and which links they have followed). As with analytics cookies, targeting cookies allow you to better understand your users, enabling you to make your site and, more importantly, the advertising on it more relevant to those users’ interests. Targeting cookies may often be set by third parties.
2.1.5 First-Party Cookies
As the name suggests, these cookies are placed directly by your website (as opposed to those placed by third-party services, for which see below). Most, if not all, of your strictly necessary and functionality cookies will likely be first-party cookies.
2.1.6 Third-Party Cookies
These cookies are placed by third parties providing services such as advertising and analytics. Analytics and targeting cookies are common types of third-party cookie as such work is often not undertaken in-house.
2.1.7 Persistent Cookies
Any of the cookies listed above may be a persistent cookie. Persistent cookies are those which remain active on a user’s computer or device for a predetermined period of time and are activated when that user visits your website.
2.1.8 Session Cookies
Any of the cookies listed above may be a session cookie. Session cookies are temporary and only remain on a user’s computer or device from the point at which they visit your website until the web browser is closed, at which point they are removed.
2.2 The Cookie Audit
A cookie audit will help you to identify the cookies that are used by your website, what those cookies are doing, what type of cookies they are, how long they remain on a user’s computer or device, what personal data they collect, and whether or not they are being used in compliance with the law.
2.2.1 What Cookies Am I Using?
Begin by listing all of the cookies (yes, and similar technologies) currently used on your website. If you don’t know what cookies you are using, your web developer should be able to provide a list. Alternatively, a number of tools – free and otherwise – are available online.
2.2.2 What Do My Cookies Do?
For each cookie in your list, make a note of what it is used for. It is important that you are clear about each cookie’s function as this will assist in the next step.
2.2.3 What Types of Cookies Am I Using?
Going through the list again, identify what types of cookie are at work on your website. Refer back to the list above for guidance. Identify whether each cookie is first or third-party; whether it is a persistent or a session cookie; and whether it is strictly necessary, for analytics, functionality, or for targeting.
2.2.4 How Long Do My Persistent Cookies Last?
If you use persistent cookies, it is important to take note of their duration. Persistent cookies are considered to be more privacy-intrusive than session cookies, so for each one, consider whether its lifespan is truly necessary for the cookie’s purpose and shorten that lifespan if it seems excessive.
2.2.5 What Data Do My Cookies Collect?
Not all cookies collect and store personal data, but some do and in light of the GDPR it is more likely now that data used by cookies will be defined as “personal data”. In addition to the obvious – name, email address etc. – IP addresses and other seemingly anonymous identifiers qualify under the GDPR. As noted above, even an anonymised identifier that does not identify an individual on its own can count as personal data if it can be combined with other data and used to identify someone. If your cookies do use personal data, you will be processing personal data and must, as such, ensure that you comply with the requirements of the GDPR.
2.2.6 Are My Cookies Legal?
Keeping your own first-party cookies under control is important, and in addition to obtaining the correct consent to use them (see below), if any personal data is involved, it is crucial to comply fully with the GDPR. Moreover, if you use third-party cookies, while control over them rests (at least to a point) with the third party providing them, they are still being used on your website. It is therefore important to ensure that the third party or parties involved are also complying with the law.
2.3 Information and Consent
2.3.1 Informing Users
One of the most important principles of the GDPR focuses on transparency. Where personal data is concerned (and remember, this can include cookies), it is vital that individuals know what data you hold about them and what you are doing with it. It is only after being provided with such information that users can give you their informed consent.
It is a good idea to start with a clear, simple explanation of what cookies are and what they actually do. Many users will have heard of cookies, but they may not know a great deal about them. Consider, for example, including an explanation of the different cookie types similar to that included above in these Guidance Notes.
Even if you are only using strictly necessary cookies, it is important that users are fully informed about what you are doing. You may not need consent to place strictly necessary cookies, but that does not mean that you can avoid telling users about them. If you have reason to hide them, it is worth re-evaluating whether they are in fact strictly necessary after all. The general rule is, the more prominent your information, the better. Another general rule is to keep things simple; the average internet user does not possess a high degree of technical knowledge so using user-friendly, straightforward language in your cookie information is always advisable. Some websites tend to go a little overboard with friendly, fuzzy, humorous language, but this does have the benefit of downplaying the perception that cookies are little more than spyware rather than being the useful, innocuous little files that they (usually) really are.
Your cookie information should enable users to fully understand the functions of the various cookies placed by your website, what effect they will have on users, and in particular, what personal data is involved. In situations where cookies are used to provide useful information to you, such as analytics cookies, it may also be worth explaining how they benefit the user. Your explanation should be positive rather than negative. It is thus preferable to say something like:
“By seeing how you use our website using analytics cookies, we are better able to understand our customers and continually improve our services.”
as opposed to:
“If you do not accept our analytics cookies we will not be able to improve our services as we will be unable to track your movement and activity around our website.”
Put simply, tell your users why accepting your cookies is good for them, rather than why their refusal to accept them is bad for you.
Another useful element to include in your information is a table listing the cookies you use, what each one does, and what information it collects. Again, try to use user-friendly terminology as much as possible.

2.3.2 Where Should I Put My Information?
The keyword here is “prominence”. Burying a brief mention of cookies in your privacy policy is not the best way to attract attention. That being said, the increased importance of transparency and consent under the GDPR also means that your privacy policy should be similarly prominent.
It is a good idea to bring cookies directly to first-time visitors’ attention, along with a request for consent to use cookies (where appropriate) and this is something we’ll go into in more detail below. Because your information and consent mechanisms (also see below for more information) should be presented together, it is important that it is available at all times. A prominent link on every page of your website, therefore, is the preferable route.
While it is a matter of taste to an extent, the separation of cookie information from your privacy policy is also important. Once again, the increased importance of consent and controls plays a part here. It is advisable to separate out your privacy policy and cookie information (or at least the links to them by linking directly to the cookie section of your privacy policy, for example). Not only does this help with prominence, but it also makes it easier for non-technical users to find what they are looking for.
2.3.3 Consent
Consent is one of the key features of the GDPR and an area in which stricter standards have been applied. Implied consent has, for quite some time, been a popular method of obtaining users’ permission to use cookies. A common method prior to the GDPR has been to provide users with information about cookies, informing them that their continued use of the website will be taken as consent to the use of those cookies. Controls have also been decidedly inconsistent.
This does not necessarily mean that users must be given control over every single cookie that you wish to use. Strictly necessary cookies are still acceptable. The GDPR itself in reality says very little about cookies and related technologies. The Privacy and Electronic Communications (EC Directive) Regulations 2003 are more focused on such matters, as is the forthcoming Regulation on Privacy and Electronic Communications (commonly referred to as the “ePrivacy Regulation”). It is important to note that, at the time of writing, the ePrivacy Regulation remains in draft form and is still being debated and amended by the various EU lawmaking bodies. It is intended to come into force at the same time as the GDPR (25 May 2018) however this is currently thought to be quite unlikely with some legal experts suggesting that it may not see the light of day until 2019. These Guidance Notes will be updated as more information becomes available. It is nevertheless helpful to be aware of the Regulation as it provides some insight, even as a draft, into what will and will not be acceptable in the future. Under the most recent draft available, if a cookie (or related technology) is “necessary for providing an information society service requested by the end-user” (i.e. your website or the service it provides), it is acceptable.
Can I Rely on Implied Consent?
Implied consent is no longer a sensible option in a GDPR world. Users must now take some affirmative action in order to indicate consent. Moreover, this must take place before any cookies are placed.
Can I Rely on Browser Settings?
This is a difficult question at present. The general advice has long been that relying solely on users’ browser settings is not a sensible idea. As has already been noted, many users do not possess sufficient technical knowledge or awareness. This, therefore, makes relying on browser settings for genuine consent a highly flawed method.
There is nothing, of course, to stop you from providing additional advice to your users on adjusting their browser’s privacy settings; however, reliance on those settings alone is not recommended.
This is a position that may change in the future under the aforementioned ePrivacy Regulation which is currently designed to impose new obligations on the makers of web browsers to the extent that, eventually, browser settings could be sufficient. It is very important, however, to note that this is not currently the law and that browser settings are not currently sufficient. Do not rely on them!
What About Affirmative Consent?
This, if it is not already clear by now, is by far the best way. It leaves no room for doubt, either on your part, on your users’ part, or on the Information Commissioner’s part, meaning that it is safest for everyone.
It is important that users are given a real choice. As has already been noted, it is no longer acceptable to simply tell users that by continuing to use your website, they are agreeing to accept your cookies. An important concept under the GDPR is known as “granular consent”. In practice, this means giving users finer control over what their data is used for. You are not expected to enable users to prevent your website from letting them log in, store items in an online shopping basket etc. but you are expected to allow them to be selective. If, for example, your website offers additional personalisation features that are not essential to its functionality, but still make for a better user experience, it is not in your interests, or your users’ interests, to turn these off alongside, say, analytics cookies. Consider, therefore, breaking your cookies down into categories and providing separate opt-in and opt-out controls for each category. It is also important to keep in mind that it should remain possible for users to use your website in some way, even if they do not consent to your use of cookies.
It must also be easy for users to change their preferences later on. A popup that appears the first time a user visits your site, never to be seen again, is unlikely to deliver here. A first-visit popup is still a good idea for catching users’ attention, however the settings must remain easy to find on subsequent visits.
A further important point is keeping users aware of their privacy settings. It is good practice to apply this not only to cookies, but also to other user data such as personal information stored, for example, in a user’s account or profile on your website, and with respect to direct marketing preferences. Consider, therefore, a yearly email or other message to each user (where possible) reminding them to check their settings, including cookies.
It is undeniable that stricter consent requirements will be more onerous; not only for you as a business, but also for your users. Popups laden with information and asking for controls to be adjusted can often be annoying to users, but it is nonetheless important to comply with your obligations under the law and to help safeguard users’ rights, even if they might be unaware of them. The key, therefore, is to make the whole experience as unobtrusive and efficient as possible, while also maintaining sufficient prominence to avoid it being missed.
2.4 How Should I Do It?
Depending upon the types of cookies you use, and the purposes you use them for, you have various options that will assist in complying with the law. Some methods will be more suitable than others, and it is always important to remember that if you use anything more than strictly necessary cookies, you will need to give users a genuine choice and the ability to opt-in or opt-out not only before your website places any cookies on the user’s computer or device, but also at any time afterwards.
Option 1: Information Banner
This has been one of the most popular methods of providing cookie information to users thus far. A simple banner at the top or bottom of the (visible) web page provides a brief outline of your use of cookies and similar technologies along with a link to more detailed information. Note also the “about cookies” link in the navigation.
This option has the benefit of simplicity; however, it does not provide any form of control, only information. It is therefore only suitable for websites which use strictly necessary cookies alone — those without which the website would not function correctly for users.
This version of the banner adds simple opt-in / opt-out controls. This may be suitable where only a few cookies are used, particularly if they are of the same category. Care should nevertheless be taken with simple controls as they risk forcing users to disable functions that are still useful to them in order to disable those that they do not like; and forcing you to forego useful functions such as analytics. As above, note the presence of the “about cookies” link, helping to provide the ease of controlling cookies as users continue to use your website.
The approach taken here in this third evolution of the banner incorporates the so-called granular approach referred to above. Users are given essential information about cookies, with a link to more details, along with controls over each category of cookie. Strictly necessary cookies are noted, but no control is given; functional cookies can be turned on or off; and performance cookies (a friendlier name for analytics, in most cases) can also be turned on or off. Of the three banner options, unless your website only uses strictly necessary cookies, this should be the preferred option for legal compliance.
Option 2: Information Popup
In this scenario, a popup takes over the screen and provides the same details as the information banner. Popups can be more effective than banners when it comes to grabbing users’ attention as they require at least some kind of interaction from the user in order to get past them and return to the main features of the website, even if this is only clicking on a button or on an area of the screen outside of the popup’s border. In extreme cases, the website behind the popup could be effectively disabled until the user acknowledges the popup.
As with the information banner, however, keep in mind that this option is only suitable for strictly necessary cookies where you are not required to provide controls.
Once again, the popup approach here has the benefit of catching users’ attention. In addition, as with the information banner with controls, it provides a simple opt-in or opt-out choice. However, also as with the banner approach, offering such basic binary controls may often be undesirable.
As with the information banner with sophisticated controls, this choice has the benefit of granularity. Users are given more information and more control over how cookies and, by extension, their data, are used. As a popup, rather than a banner, this option also has the advantage of more space in which to provide information. Of the popup options, unless your website only uses strictly necessary cookies, this should be the preferred option for legal compliance.
Option 3: Settings or Feature-led Consent
This approach may be attractive if your website does not use cookies from the outset, but instead only uses them when a user wishes to use certain features — personalisation, in this case. Information can be provided and consent obtained at the time that a user wishes to use the relevant features. Despite the fact that such features may not work without cookies, unless they can be reasonably categorised as strictly necessary, users must remain free to refuse them, even though that may mean missing out on certain features.
Which Option for Me?
There is not necessarily a right or wrong answer to this question; however, it remains important to emphasise that unless you are only using some basic, strictly necessary cookies that underpin the vital functions of your website, it is essential to get users’ express consent to cookies before placing them. As noted above, the GDPR expands the definition of “personal data” considerably over and above that under the Data Protection Act 1998. Data contained in cookies and similar technologies that might not qualify as personal data under the 1998 Act, or even by any conventional understanding, may well be caught by the GDPR. Instead of attempting to engage in a complex decision-making exercise to determine whether or not a particular cookie does or does not fall under the GDPR’s remit, it is, we would argue, preferable to treat all cookies alike and get users’ prior express permission to use them. Even if strict compliance with the letter of the law may not appear necessary, compliance with the spirit of the law and its push for improved transparency and user-led consent can surely only stand your business in good stead.

3. A Word On Advertising and Analytics
Many analytics and advertising services are provided by third parties and many use cookies and similar technologies in order to function. In many cases, advertising is now provided with its own privacy controls and opt-out tools. AdChoices, for example, is a self-regulatory programme with hundreds of participants including major advertisers. Ads served up by AdChoices include controls enabling users to control related cookies.
The online advertising and tracking world is in a constant state of flux and it is expected by some that the GDPR, and the accompanying emphasis on consent and transparency, could herald a significant shift in how such technologies work, not least because asking for someone’s permission to “track” them and feed them advertising is unlikely to go down well.
Wherever possible, the importance of prior consent must be remembered. Placing cookies when a user first arrives on your site and getting permission after the fact is not true consent at all. At the very least, a detailed, user-friendly explanation should be provided. If you track users’ activity around your site for performance purposes using, for example, Google Analytics, explain the benefits to you and to your users. If your site serves up advertising, explain the benefits of allowing behavioural tracking here too — namely that users see ads that are more relevant to their interests and, therefore, less annoying and intrusive.
As the new world of the GDPR settles into reality (not to mention the forthcoming new world of the aforementioned ePrivacy Regulation) it is likely that providers of third-party services such as analytics and advertising will change the way in which their services work. For now, as the owner and/or operator of a website that employs such services, your job is to ensure that you are doing whatever you can to comply with the law and, at the risk of excessive repetition, this means keeping users as informed as possible, and getting their consent to use cookies and similar technologies that go beyond the strictly necessary category.

4. Conclusion
The collective bundle of requirements known as “Cookie Law” represents something of a thorn in the side for website operators. Indeed, when the so-called “EU Cookie Law” first came into force in 2011, many website operators were unhappy, arguing that nobody particularly complained about cookies. What is evident, however, is that the lack of complaint was more down to a lack of knowledge and understanding among users than it was down to users being happy. It is quite possible that many still do not know or understand a great deal about the technology — simply clicking the close button or the “I agree” button and continuing to use the website in question. Meanwhile, at the other end of the scale, with the rise in the availability and popularity of browser extensions such as AdBlock and Ghostery, the more tech-savvy user is quite clearly unwilling to let you or your cookies into their system or their personal data to any degree greater than is absolutely necessary for them to use your website. Some try to fight against these forms of user-centric controls, but we would argue that it is perhaps preferable to take the hint and address the reasons for their existence rather than trying to disable their effect (a course of action which is unlikely to meet with success for long anyway as the developers of such extensions frequently update them to address workarounds).
The current state of play, it must be said, is not perfect. Indeed, the increased emphasis on consent alone is set to make things more onerous for website operators and for users. More interruptions will be necessary to the user experience and users will need to read and do more before getting on with the business of using your website. Things are set to change again in the future, but for now, this is the approach that should be taken. These rules do, despite such annoyances, have honourable roots in seeking to increase and protect individuals’ rights to privacy and ultimately, it is to be hoped, there is more to be gained by complying than by resisting.

 

Paid Classifieds Terms of Use

BACKGROUND:
These Terms of Use, together with any and all other documents referred to herein, set out the terms of use under which you may use this website, www.rancehealthcareservices.co.uk (“Our Site”). Please read these Terms of Use carefully and ensure that you understand them. [Your agreement to comply with and be bound by these Terms of Use is deemed to occur upon your first use of Our Site] AND/OR [You will be required to read and accept these Terms of Use when signing up for an Account]. If you do not agree to comply with and be bound by these Terms of Use, you must stop using Our Site immediately. These Terms of Use do not apply to Paid Ads. Please refer to our Terms of Sale for more information.

1. Definitions and Interpretation
1.1 In these Terms of Use, unless the context otherwise requires, the following expressions have the following meanings:
“Account” means an account required for a User to access and/or use certain areas of Our Site, as detailed in Clause 4;
“Advertiser” means a User that posts a [Free Ad or a] Paid Ad on Our Site;
“Content” means any and all text, images, audio, video, scripts, code, software, databases and any other form of information capable of being stored on a computer that appears on, or forms part of, Our Site;
[“Free Ad” means a free advertisement posted on Our Site by an Advertiser, providing details of the item or service offered by the Advertiser;]
“Paid Ad” means a premium advertisement posted on Our Site by an Advertiser, in exchange for a fee, providing details of the item or service offered by the Advertiser;
[“Third Party Advertiser” means a party responsible for Third Party Advertising displayed on Our Site;]
[“Third Party Advertising” means advertising displayed on Our Site in addition to [Free Ads and] Paid Ads, as detailed in Clause 9;]
“User” means a user of Our Site; and
“We/Us/Our” means Rance Healthcare Services Ltd [, a company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.

2. Information About Us
2.1 Our Site, www.rancehealthcareservices.co.uk, is [owned and] operated by Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, WV3 0RS and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR. [Our VAT number is <<insert VAT number>>.]
2.2 [We are regulated by CQC.]
2.3 [We are a member of <<insert name(s) of association(s) etc.>>.]
2.4 [<<insert further information as required>>.]

3. Access to Our Site
3.1 Access to Our Site is free of charge.
3.2 It is your responsibility to make any and all arrangements necessary in order to access Our Site.
3.3 Access to Our Site is provided “as is” and on an “as available” basis. We may alter, suspend or discontinue Our Site (or any part of it) at any time and without notice. We will not be liable to you in any way if Our Site (or any part of it) is unavailable at any time and for any period.

4. Accounts
4.1 Certain parts of Our Site (including the ability to post [Free Ads and] Paid Ads) may require an Account in order to access them.
4.2 You may not create an Account if you are under 18 years of age. [If you are under 18 years of age and wish to use the parts of Our Site that require an Account, your parent or guardian should create the Account for you and you must only use the Account with their supervision.]
4.3 When creating an Account, the information you provide must be accurate and complete. If any of your information changes at a later date, it is your responsibility to ensure that your Account is kept up-to-date.
4.4 We [require] OR [recommend] that you choose a strong password for your Account, consisting of “a combination of lowercase and uppercase letters, numbers, and symbols”. It is your responsibility to keep your password safe. [You must not share your Account with anyone else.] If you believe your Account is being used without your permission, please contact Us immediately via email. We will not be liable for any unauthorised use of your Account.
4.5 You must not use anyone else’s Account [without the express permission of the User to whom the Account belongs].
4.6 Any personal information provided in your Account will be collected, used, and held in accordance with your rights and Our obligations under the law, as set out in Clause 18.
4.7 If you wish to close your Account, you may do so at any time. Closing your Account will result in the removal of your information. Closing your Account will also remove access to any areas of Our Site requiring an Account for access. [User’s data will also be deleted.]
4.8 [If you close and delete your Account, any Free Ad(s) you have posted to Our Site will [also be deleted and the licence granted to Us under sub-Clause 6.4 will be terminated] OR [Free Ads will also be deleted].]

5. Intellectual Property Rights
5.1 With the exception of [Free Ads and] Paid Ads, all Content included on Our Site and the copyright and other intellectual property rights subsisting in that Content, unless specifically labelled otherwise, belongs to or has been licensed by Us. All Content (including that in [Free Ads and] Paid Ads) is protected by applicable United Kingdom and international intellectual property laws and treaties.
5.2 Subject to sub-Clause[s] 5.3 [and 5.6] you may not reproduce, copy, distribute, sell, rent, sub-licence, store, or in any other manner re-use Content from Our Site unless given express written permission to do so by Us.
5.3 You may:
5.3.1 Access, view and use Our Site in a web browser (including any web browsing capability built into other types of software or app);
5.3.2 Download Our Site (or any part of it) for caching;
5.3.3 Print [one copy of any] page(s) from Our Site;
5.3.4 Download extracts from pages on Our Site; and
5.3.5 Save pages from Our Site for later and/or offline viewing.
5.4 Our status as the owner and author of the Content on Our Site (or that of identified licensors, as appropriate) must always be acknowledged.
5.5 You may not use any Content printed, saved or downloaded from Our Site for commercial purposes without first obtaining a licence from Us (or our licensors, as appropriate) to do so. [This does not prohibit the normal access, viewing and use of Our Site for general information purposes whether by business users or consumers.]
5.6 [Nothing in these Terms of Use limits or excludes the fair dealing provisions of Chapter III of the Copyright, Designs and Patents Act 1988 ‘Acts Permitted in Relation to Copyright Works’, covering in particular the making of temporary copies; research and private study; the making of copies for text and data analysis for non-commercial research; criticism, review, quotation and news reporting; caricature, parody or pastiche; and the incidental inclusion of copyright material.]

6. [Free Ads
6.1 An Account is required if you wish to post a Free Ad. Please refer to Clause 4 for more information.
6.2 You agree that you will be solely responsible for your Free Ad. Specifically, you agree, represent and warrant that you have the right to submit the Free Ad and that all information in the Free Ad is accurate and truthful, that all such information will be kept accurate and up-to-date, that no personal data will be included that you do not have the right to include, and that your Free Ad will comply with Our Acceptable Usage Policy, detailed below in Clause 13.
6.3 You agree that you will be liable to Us and will, to the fullest extent permissible by law, indemnify Us for any breach of the warranties given by you under sub-Clause 6.2. You will be responsible for any loss or damage suffered by Us as a result of such breach.
6.4 You (or your licensors, as appropriate) retain ownership of the content of your Free Ad and all intellectual property rights subsisting therein. By submitting a Free Ad, you grant Us an unconditional, non-exclusive, fully transferrable, royalty-free, perpetual, [irrevocable,] worldwide licence to use, store, archive, syndicate, publish, transmit, adapt, edit, reproduce, distribute, prepare derivative works from, display, perform and sub-licence that Free Ad for the purposes of operating and promoting Our Site.
6.5 If you wish to remove a Free Ad from Our Site, you may do so by contacting us via email. We will use reasonable efforts to remove the Free Ad in question from Our Site. Removing a Free Ad also revokes the licence granted to Us to use that Free Ad under sub-Clause 6.4. Please note, however, that caching or references to your Free Ad may not be made immediately unavailable (or may not be made unavailable at all where they are outside of Our reasonable control).
6.6 We may reject, reclassify, or remove any Free Ad from Our Site where, in Our sole opinion, it violates Our Acceptable Usage Policy, or if We receive a complaint from a third party and determine that the Free Ad in question should be removed as a result.]

7. Links to Our Site
7.1 You may link to Our Site provided that:
7.1.1 you do so in a fair and legal manner;
7.1.2 you do not do so in a manner that suggests any form of association, endorsement or approval on Our part where none exists;
7.1.3 you do not use any logos or trademarks displayed on Our Site without Our express written permission; and
7.1.4 you do not do so in a way that is calculated to damage Our reputation or to take unfair advantage of it.
7.2 [You may link to any page of Our Site.] OR [You may not link to any page other than the homepage of Our Site, rancehealthcareservices.co.uk. Deep-linking to other pages requires Our express written permission. Please contact Us via email for further information.]
7.3 [Framing or embedding of Our Site on other websites is not permitted without Our express written permission. Please contact Us via email for further information.]
7.4 You may not link to Our Site from any other site the main content of which contains material that:
7.4.1 [is sexually explicit];
7.4.2 is obscene, deliberately offensive, hateful or otherwise inflammatory;
7.4.3 promotes violence;
7.4.4 promotes or assists in any form of unlawful activity;
7.4.5 discriminates against, or is in any way defamatory of, any person, group or class of persons, race, gender, religion, nationality, disability, sexual orientation, or age;
7.4.6 is intended or is otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
7.4.7 is calculated or is otherwise likely to deceive another person;
7.4.8 is intended or is otherwise likely to infringe (or to threaten to infringe) another person’s privacy;
7.4.9 misleadingly impersonates any person or otherwise misrepresents the identity or affiliation of a particular person in a way that is calculated to deceive (obvious parodies are not included in this definition provided that they do not fall within any of the other provisions of this sub-Clause 7.4);
7.4.10 implies any form of affiliation with Us where none exists;
7.4.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, trademarks and database rights) of any other party; or
7.4.12 is made in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
7.5 [The content restrictions in sub-Clause 7.4 do not apply to content submitted to sites by other users provided that the primary purpose of the site accords with the provisions of sub-Clause 7.4. You are not, for example, prohibited from posting links on general-purpose social networking sites merely because another user may post such content. You are, however, prohibited from posting links on websites which focus on or encourage the submission of such content from users.]

8. Links to Other Sites
Links to other sites may be included on Our Site. Unless expressly stated, these sites are not under Our control. We neither assume nor accept responsibility or liability for the content of third party sites. The inclusion of a link to another site on Our Site is for information only and does not imply any endorsement of the sites themselves or of those in control of them.

9. [Advertising
9.1 We may feature Third Party Advertising on Our Site and We reserve the right to display Third Party Advertising on the same page as any content from any Advertiser.
9.2 You agree that you will not attempt to remove or hide any Third Party Advertising using HTML/CSS or by any other method.
9.3 We are not responsible for the content of any Third Party Advertising on Our Site. [Rance Healthcare Services is responsible for the content of advertising material] OR [Each Third Party Advertiser is responsible for the content of their own Third Party Advertising material]. We will not be responsible for any Third Party Advertising on Our Site including, but not limited to, any errors, inaccuracies, or omissions.]

10. Disclaimers and Legal Rights
10.1 Nothing on Our Site constitutes advice on which you should rely. It is provided for general information purposes only. [Professional or specialist advice should always be sought before taking any action [relating to listing auctions] OR [on the basis of any information provided on Our Site].]
10.2 Insofar as is permitted by law, We make no representation, warranty, or guarantee that Our Site will meet your requirements, that it will not infringe the rights of third parties, that it will be compatible with all software and hardware, or that it will be secure. If, as a result of Our failure to exercise reasonable care and skill, any digital content from Our Site damages your device or other digital content belonging to you, if you are a consumer, you may be entitled to certain legal remedies. For more details concerning your rights and remedies as a consumer, please contact your local Citizens Advice Bureau or Trading Standards Office.
10.3 We make reasonable efforts to ensure that Our Content on Our Site is complete, accurate, and up-to-date. We do not, however, make any representations, warranties or guarantees (whether express or implied) that the Content is complete, accurate, or up-to-date.
10.4 [We are not responsible for the content or accuracy of, or for any opinions, views, or values expressed in Free Ads. Any such opinions, views, or values are those of the relevant User and do not reflect Our opinions, views, or values in any way. We have no control over, nor any involvement in, any Free Ads, and We accept no responsibility for any actions taken, or for any products or services advertised in, any Free Ad.]

11. Our Liability
11.1 The provisions of this Clause 11 apply only to the use of Our Site [and Free Ads] but not to Paid Ads, which are governed separately by Our Terms of Sale. Limitations and exclusions stated to apply to Content in this Clause 11 may not apply to Paid Ads.
11.2 To the fullest extent permissible by law, We accept no liability to any User for any loss or damage, whether foreseeable or otherwise, in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising out of or in connection with the use of (or inability to use) Our Site or the use of or reliance upon any Content [(whether it is provided by Us or whether it is a Free Ad)] included on Our Site.
11.3 To the fullest extent permissible by law, We exclude all representations, warranties, and guarantees (whether express or implied) that may apply to Our Site or any Content [(including Free Ads)] included on Our Site.
11.4 If you are a business user, We accept no liability for loss of profits, sales, business or revenue; loss of business opportunity, goodwill or reputation; loss of anticipated savings; business interruption; or for any indirect or consequential loss or damage.
11.5 We exercise all reasonable skill and care to ensure that Our Site is free from viruses and other malware. However, subject to sub-Clause 10.2, We accept no liability for any loss or damage resulting from a virus or other malware, a distributed denial of service attack, or other harmful material or event that may adversely affect your hardware, software, data or other material that occurs as a result of your use of Our Site (including the downloading of any Content from it) or any other site referred to on Our Site.
11.6 We neither assume nor accept responsibility or liability arising out of any disruption or non-availability of Our Site resulting from external causes including, but not limited to, ISP equipment failure, host equipment failure, communications network failure, natural events, acts of war, or legal restrictions and censorship.
11.7 Nothing in these Terms of Use excludes or restricts Our liability for fraud or fraudulent misrepresentation, for death or personal injury resulting from negligence, or for any other forms of liability which cannot be excluded or restricted by law. For full details of consumers’ legal rights, including those relating to digital content, please contact your local Citizens Advice Bureau or Trading Standards Office.

12. Viruses, Malware and Security
12.1 We exercise all reasonable skill and care to ensure that Our Site is secure and free from viruses and other malware [including, but not limited to, the scanning of all Content uploaded by Advertisers for viruses and malware as it is uploaded]. [We do not, however, guarantee that Our Site is secure or free from viruses or other malware and accept no liability in respect of the same, as detailed in sub-Clause 11.5.]
12.2 You are responsible for protecting your hardware, software, data and other material from viruses, malware, and other internet security risks.
12.3 You must not deliberately introduce viruses or other malware, or any other material which is malicious or technologically harmful either to or via Our Site.
12.4 You must not attempt to gain unauthorised access to any part of Our Site, the server on which Our Site is stored, or any other server, computer, or database connected to Our Site.
12.5 You must not attack Our Site by means of a denial of service attack, a distributed denial of service attack, or by any other means.
12.6 By breaching the provisions of sub-Clauses 12.3 to 12.5, you may be committing a criminal offence under the Computer Misuse Act 1990. Any and all such breaches will be reported to the relevant law enforcement authorities and We will cooperate fully with those authorities by disclosing your identity to them. Your right to use Our Site will cease immediately in the event of such a breach.

13. Acceptable Usage Policy
13.1 You may only use Our Site in a manner that is lawful and that complies with the provisions of this Clause 13. Specifically:
13.1.1 you must ensure that you comply fully with any and all local, national or international laws and/or regulations;
13.1.2 you must not use Our Site in any way, or for any purpose, that is unlawful or fraudulent;
13.1.3 you must not use Our Site to knowingly send, upload, or in any other way transmit data that contains any form of virus or other malware, or any other code designed to adversely affect computer hardware, software, or data of any kind; and
13.1.4 you must not use Our Site in any way, or for any purpose, that is intended to harm any person or persons in any way.
13.2 When [posting a Free Ad (or communicating in any other way using Our Site)] OR [communicating in any way using Our Site], you must not [submit,] communicate or otherwise do anything that:
13.2.1 [is sexually explicit;]
13.2.2 is obscene, deliberately offensive, hateful or otherwise inflammatory;
13.2.3 promotes violence;
13.2.4 promotes or assists in any form of unlawful activity;
13.2.5 discriminates against, or is in any way defamatory of, any person, group or class of persons, race, gender, religion, nationality, disability, sexual orientation or age;
13.2.6 is intended or otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
13.2.7 is calculated or is otherwise likely to deceive [(including any unsubstantiated or unsupportable claims or comparisons concerning the subject matter of a Free Ad or any other Free or Paid Ad or Advertiser on Our Site)];
13.2.8 is intended or otherwise likely to infringe (or threaten to infringe) another person’s right to privacy or otherwise uses their personal data in a way that you do not have a right to;
13.2.9 misleadingly impersonates any person or otherwise misrepresents your identity or affiliation in a way that is calculated to deceive (obvious parodies are not included within this definition provided that they do not fall within any of the other provisions of this sub-Clause 13.2);
13.2.10 implies any form of affiliation with Us where none exists;
13.2.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, patents, trademarks and database rights) of any other party; or
13.2.12 is in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
13.3 [Free Ads for the following types of items and/or services may not be posted:
13.4 We reserve the right to suspend or terminate your access to Our Site if you materially breach the provisions of this Clause 13 or any of the other provisions of these Terms of Use. Specifically, We may take one or more of the following actions:
13.4.1 [suspend or remove your Free Ad;]
13.4.2 [suspend or remove any Paid Ad(s) you may have (Please refer to our Terms of Sale);]
13.4.3 issue you with a written warning;
13.4.4 take legal proceedings against you for reimbursement of any and all relevant costs on an indemnity basis resulting from your breach;
13.4.5 take further legal action against you as appropriate;
13.4.6 disclose such information to law enforcement authorities as required or as We deem reasonably necessary; and/or
13.4.7 any other actions which We deem reasonably appropriate (and lawful).
13.5 We hereby exclude any and all liability arising out of any actions (including, but not limited to those set out above) that We may take in response to breaches of these Terms of Use.

14. Privacy and Cookies
Use of Our Site is also governed by Our Cookie and Privacy Policies, available from Cookie Policy and Privacy Policy. These policies are incorporated into these Terms of Use by this reference.

15. Changes to these Terms of Use
15.1 We may alter these Terms of Use at any time. [If We do so, details of the changes will be highlighted at the top of this page.] Any such changes will become binding on you upon your first use of Our Site after the changes have been implemented. You are therefore advised to check this page from time to time.
15.2 In the event of any conflict between the current version of these Terms of Use and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.

16. Contacting Us
To contact Us, please email Us via email address or using any of the methods provided on Our Contact Us page.

17. Communications from Us
17.1 If We have your contact details (if, for example, you have an Account) We may from time to time send you important notices by email. Such notices may relate to matters including, but not limited to, service changes, changes to these Terms of Use, Our Terms of Sale, and changes to your Account.
17.2 We will never send you marketing emails of any kind without your express consent. If you do give such consent, you may opt out at any time. Any and all marketing emails sent by Us include an unsubscribe link. [Email marketing options can also be changed in My Dashboard.] If you opt out of receiving emails from us at any time, it may take up to 3 business days for Us to comply with your request. During that time, you may continue to receive emails from Us.
17.3 For questions or complaints about communications from Us (including, but not limited to marketing emails), please contact Us via email.

18. How We Use Your Personal Information (Data Protection)
18.1 All personal information that We may use will be collected, processed, and held in accordance with the provisions of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and your rights under the GDPR.
18.2 For complete details of Our collection, processing, storage, and retention of personal data including, but not limited to, the purpose(s) for which personal data is used, the legal basis or bases for using it, details of your rights and how to exercise them, and personal data sharing (where applicable), please refer to Our Privacy Policy [and Cookie Policy].

19. Law and Jurisdiction
19.1 These Terms and Conditions, and the relationship between you and Us (whether contractual or otherwise) shall be governed by, and construed in accordance with the law of [England & Wales] [Northern Ireland] [Scotland].
19.2 If you are a consumer, you will benefit from any mandatory provisions of the law in your country of residence. Nothing in Sub-Clause 19.1 above takes away or reduces your rights as a consumer to rely on those provisions.
19.3 If you are a consumer, any dispute, controversy, proceedings or claim between you and Us relating to these Terms and Conditions, or the relationship between you and Us (whether contractual or otherwise) shall be subject to the jurisdiction of the courts of England, Wales, Scotland, or Northern Ireland, as determined by your residency.
19.4 If you are a business, any disputes concerning these Terms and Conditions, the relationship between you and Us, or any matters arising therefrom or associated therewith (whether contractual or otherwise) shall be subject to the [non] exclusive jurisdiction of the courts of [England & Wales] [Northern Ireland] [Scotland].

 

Data Protection Clause & Data Processing Clause

1. Data Protection Clause
1.1 All personal data that ‘the Company’ may use will be collected, processed, and held in accordance with the provisions of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and ‘Your’ rights under the GDPR.
1.2 For complete details of ‘the Company’ collection, processing, storage, and retention of personal data including, but not limited to, the purpose(s) for which personal data is used, the legal basis or bases for using it, details of ‘Your’ rights and how to exercise them, and personal data sharing (where applicable), please refer to ‘Our’ Privacy Notice.

Data Processing Clause – Agreement Version

“Data Protection Legislation” means 1) unless and until EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time), in the UK and subsequently 2) any legislation which succeeds the GDPR.

1. Data Processing
1.1 In this Clause X, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Article 4, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
1.2 [All personal data to be processed by ‘the Service Provider’ on behalf of ‘the user’ under this Agreement shall be processed in accordance with the terms of the Data Processing Agreement entered into by the Parties on 18 October 2018 [pursuant to this Agreement].] OR
• [The Parties hereby agree that they shall both comply with all applicable data protection requirements set out in the Data Protection Legislation. This Clause X shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.
1.3 For the purposes of the Data Protection Legislation and for this Clause X, ‘the user’ is the “Data Controller” and ‘the Service Provider’ is the “Data Processor”.
1.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing are set out in Schedule X.
1.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in this Agreement.
1.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under this Agreement:
1.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.
1.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken are set out in Schedule X.
1.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and
1.6.4 Not transfer any personal data outside of the European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied:
1.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;
1.6.4.2 Affected data subjects have enforceable rights and effective legal remedies;
1.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and
1.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.
1.6.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);
1.6.6 Notify the Data Controller without undue delay of a personal data breach;
1.6.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of this Agreement unless it is required to retain any of the personal data by law; and
1.6.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with this Clause X and to allow for audits by the Data Controller and/or any party designated by the Data Controller.
1.7 [The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under this Clause X.] OR
• [The Data Processor shall not sub-contract any of its obligations to a sub-processor with respect to the processing of personal data under this Clause X without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-processor, the Data Processor shall:
1.7.1 Enter into a written agreement with the sub-processor, which shall impose upon the sub-processor the same obligations as are imposed upon the Data Processor by this Clause X and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and
1.7.2 Ensure that the sub-processor complies fully with its obligations under that agreement and the Data Protection Legislation.]
1.8 Either Party may, at any time, and on at least 30 calendar days notice, alter this Clause X, replacing it with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply and replace this Clause X by attachment to this Agreement.]

SCHEDULE X
1. Data Processing
Scope
<<Insert description of the scope of the processing to be carried out>>.
Nature
<<Insert description of the nature of the processing to be carried out>>.
Purpose
<<Insert description of the purpose(s) for which the processing is to be carried out>>.

Duration
<<Insert details of the duration of the processing>>.
2. Types of Personal Data
<<List the types of personal data to be processed>>.
3. Categories of Data Subject
<<List the categories of data subject>>.
4. Organisational and Technical Data Protection Measures
<<Describe the organisational and technical measures to be implemented as referenced in X.6.2>>.

Data Processing Clause – Terms and Conditions Version

“Data Protection Legislation” means 1) unless and until EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) is no longer directly applicable in the UK, the GDPR and any national implementing laws, regulations, and secondary legislation (as amended from time to time), in the UK and subsequently 2) any legislation which succeeds the GDPR.

2. Data Processing
2.1 In this Clause X and in the Agreement, “personal data”, “data subject”, “data controller”, “data processor”, and “personal data breach” shall have the meaning defined in Article 4, EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
2.2 [All personal data to be processed by ‘the Service Provider’ on behalf of ‘the user’, subject to [these Terms and Conditions] AND/OR [the Agreement], shall be processed in accordance with the terms of a Data Processing Agreement into which the Parties shall enter before any personal data is processed.] OR
• [Both Parties shall comply with all applicable data protection requirements set out in the Data Protection Legislation. [This Clause X] AND/OR [the Agreement] shall not relieve either Party of any obligations set out in the Data Protection Legislation and does not remove or replace any of those obligations.
2.3 For the purposes of the Data Protection Legislation and for this Clause X and the Agreement, the user is the “Data Controller” and ‘the Service Provider’ is the “Data Processor”.
2.4 The type(s) of personal data, the scope, nature and purpose of the processing, and the duration of the processing shall be set out in England, in a schedule to the Agreement.
2.5 The Data Controller shall ensure that it has in place all necessary consents and notices required to enable the lawful transfer of personal data to the Data Processor for the purposes described in [these Terms and Conditions] AND/OR [the Agreement] [and the schedule of the Agreement].
2.6 The Data Processor shall, with respect to any personal data processed by it in relation to its performance of any of its obligations under [these Terms and Conditions] AND/OR [the Agreement]:
2.6.1 Process the personal data only on the written instructions of the Data Controller unless the Data Processor is otherwise required to process such personal data by law. The Data Processor shall promptly notify the Data Controller of such processing unless prohibited from doing so by law.
2.6.2 Ensure that it has in place suitable technical and organisational measures (as approved by the Data Controller) to protect the personal data from unauthorised or unlawful processing, accidental loss, damage or destruction. Such measures shall be proportionate to the potential harm resulting from such events, taking into account the current state of the art in technology and the cost of implementing those measures. Measures to be taken shall be agreed between the Data Controller and the Data Processor and set out in England, in a schedule to the Agreement.
2.6.3 Ensure that any and all staff with access to the personal data (whether for processing purposes or otherwise) are contractually obliged to keep that personal data confidential; and
2.6.4 Not transfer any personal data outside of the European Economic Area without the prior written consent of the Data Controller and only if the following conditions are satisfied:
2.6.4.1 The Data Controller and/or the Data Processor has/have provided suitable safeguards for the transfer of personal data;
2.6.4.2 Affected data subjects have enforceable rights and effective legal remedies;
2.6.4.3 The Data Processor complies with its obligations under the Data Protection Legislation, providing an adequate level of protection to any and all personal data so transferred; and
2.6.4.4 The Data Processor complies with all reasonable instructions given in advance by the Data Controller with respect to the processing of the personal data.
2.6.5 Assist the Data Controller at the Data Controller’s cost, in responding to any and all requests from data subjects in ensuring its compliance with the Data Protection Legislation with respect to security, breach notifications, impact assessments, and consultations with supervisory authorities or regulators (including, but not limited to, the Information Commissioner’s Office);
2.6.6 Notify the Data Controller without undue delay of a personal data breach;
2.6.7 On the Data Controller’s written instruction, delete (or otherwise dispose of) or return all personal data and any and all copies thereof to the Data Controller on termination of the Agreement unless it is required to retain any of the personal data by law; and
2.6.8 Maintain complete and accurate records of all processing activities and technical and organisational measures implemented necessary to demonstrate compliance with [this Clause X] AND/OR [the Agreement] and to allow for audits by the Data Controller and/or any party designated by the Data Controller.
2.7 [The Data Processor shall not sub-contract any of its obligations with respect to the processing of personal data under [this Clause X] AND/OR [the Agreement].] OR
• [The Data Processor shall not sub-contract any of its obligations to a sub-processor with respect to the processing of personal data under [this Clause X] AND/OR [the Agreement] without the prior written consent of the Data Controller (such consent not to be unreasonably withheld). In the event that the Data Processor appoints a sub-processor, the Data Processor shall:
2.7.1 Enter into a written agreement with the sub-processor, which shall impose upon the sub-processor the same obligations as are imposed upon the Data Processor by this [Clause X] AND/OR [the Agreement] and which shall permit both the Data Processor and the Data Controller to enforce those obligations; and
2.7.2 Ensure that the sub-processor complies fully with its obligations under that agreement and the Data Protection Legislation.]
2.8 Either Party may, at any time, and on at least 30 calendar days notice, alter the data protection provisions of the Agreement, replacing them with any applicable data processing clauses or similar terms that form part of an applicable certification scheme. Such terms shall apply and replace these provisions by attachment to the Agreement.]

 

Copyright Policy

This website and its content is copyright of Rance Healthcare Services Ltd – © rancehealthcareservices.co.uk 2019. All rights reserved.
Any redistribution or reproduction of part or all of the contents in any form is prohibited other than the following:
• You may print or download to a local hard disk extracts for your personal and non-commercial use only
• If needed, you may copy the content to individual third parties for their personal use, but only if you acknowledge the website as the source of the material
You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system.

 

TERMS OF USE

BACKGROUND:
These Terms of Use, together with any and all other documents referred to herein, set out the terms of use under which you may use this website, rancehealthcareservices.co.uk (“Our Site”). Please read these Terms of Use carefully and ensure that you understand them. [Your agreement to comply with and be bound by these Terms of Use is deemed to occur upon your first use of Our Site] AND/OR [You will be required to read and accept these Terms of Use when signing up for an Account]. If you do not agree to comply with and be bound by these Terms of Use, you must stop using Our Site immediately. Please also refer to Our Terms for Sellers or Terms for Bidders for more information.

1. Definitions and Interpretation
1.1 In these Terms of Use, unless the context otherwise requires, the following expressions have the following meanings:
“Account” means an account required to access and/or use certain areas of Our Site, as detailed in Clause 4;
“Auction” means an auction that takes place on Our Site;
“Bidder” means a User who bids on an item in an Auction;
“Content” means any and all text, images, audio, video, scripts, code, software, databases, and any other form of information capable of being stored on a computer that appears on, or forms part of, Our Site;
“Seller” means a User who offers an item for sale in an Auction;
[“Third Party Advertising” means advertising displayed on Our Site, provided by third parties;]
[“Third Party Advertiser” means a party responsible for Third Party Advertising displayed on Our Site;]
“User” means a user of Our Site;
“User Content” means any Content added to Our Site by a User; and
“We/Us/Our” means Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR, and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.

2. Information About Us
2.1 Our Site is [owned and] operated by Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, WV3 0RS and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR.
2.2 [Our VAT number is <<insert VAT number>>.]
2.3 [We are regulated by CQC.]
2.4 [We are a member of <<insert name(s) of association(s) etc.>>.]
2.5 [<<insert further information as required>>.]

3. Access to Our Site
3.1 Access to Our Site is free of charge.
3.2 It is your responsibility to make any and all arrangements necessary in order to access Our Site.
3.3 Access to Our Site is provided “as is” and on an “as available” basis. We may alter, suspend, or discontinue Our Site (or any part of it) at any time and without notice. Subject to the remainder of these Terms of Use, Our Terms for Bidders, and Our Terms for Sellers, We will not be liable to you in any way if Our Site (or any part of it) is unavailable at any time and for any period.

4. Accounts
4.1 Certain parts of Our Site (including the ability to participate in Auctions) require an Account in order to use them.
4.2 You may not create an Account if you are under 18 years of age. [If you are under 18 years of age but over 16 years of age, your parent or guardian should create the Account for you and you must only use the Account with their supervision.]
4.3 When creating an Account, the information you provide must be accurate and complete. If any of your information changes at a later date, it is your responsibility to ensure that your Account is kept up-to-date.
4.4 We [require] OR [recommend] that you choose a strong password for your Account, consisting of “a combination of lowercase and uppercase letters, numbers, and symbols”.
4.5 It is your responsibility to keep your password safe. [You must not share your Account with anyone else.]
4.6 If you believe your Account is being used without your permission, please contact Us immediately via email. We will not be liable for any unauthorised use of your Account.
4.7 You must not use anyone else’s Account [without the express permission of the User to whom the Account belongs].
4.8 All personal information provided in your Account will be collected, used, and held in accordance with your rights and Our obligations under the law, as set out in Clause 15.
4.9 If you wish to [suspend] AND/OR [delete] your Account, subject to the provisions of Our Terms for Sellers and Terms for Bidders, you may do so at any time via My Dashboard. If you delete your Account, We will remove your information from Our systems [and will remove your User Content from Our Site (where applicable)]. [If you suspend your Account, nothing will be deleted, but you [and your User Content] will cease to be visible to other Users on Our Site]. Deleting your Account will also remove access to any areas of Our Site requiring an Account for access. [A user’s data and/or content will also be deleted.]

5. Intellectual Property Rights and Use of Our Site
5.1 With the exception of User Content, all Content included on Our Site and the copyright and other intellectual property rights in that Content, unless specifically labelled otherwise, belongs to or has been licensed by Us. All Content, including User Content, is protected by applicable United Kingdom and international intellectual property laws and treaties.
5.2 Subject to sub-Clause[s] 5.3 [and 5.6], you may not reproduce, copy, distribute, sell, rent, sub-licence, store, or in any other manner re-use Content (including User Content) from Our Site unless given express written permission to do so by Us or the relevant User.
5.3 You may:
5.3.1 access, view, and use Our Site in any web browser (including, but not limited to, in-app web browsers);
5.3.2 download Our Site (or any part of it) for caching;
5.3.3 print [one copy of any] pages from Our Site;
5.3.4 download extracts from pages on Our Site; and
5.3.5 save pages from Our Site for later and/or offline viewing.
5.4 The owner and author of any Content (including User Content) must always be acknowledged when re-using that Content.
5.5 You may not use any Content (including User Content) printed, saved, or downloaded from Our Site for commercial purposes without first obtaining a licence from Us (or Our licensors, or the relevant User, as appropriate) to do so. This does not prohibit the normal access, viewing, and use of Our Site for general purposes whether by business users or consumers.
5.6 [Nothing in these Terms of Use limits or excludes the fair dealing provisions of Chapter III of the Copyright, Designs and Patents Act 1988 ‘Acts Permitted in Relation to Copyright Works’, covering in particular the making of temporary copies; research and private study; the making of copies for text and data analysis for non-commercial research; criticism, review, quotation and news reporting; caricature, parody, or pastiche; and the incidental inclusion of copyright material.]

6. User Content
6.1 User Content on Our Site includes (but is not limited to) auction listings.
6.2 You agree that you will be solely responsible for your User Content. Specifically, you agree, represent, and warrant that you have the right to submit the User Content and that it will comply with Our Acceptable Usage Policy.
6.3 You agree that you will be liable to Us and will, to the fullest extent permissible by law, indemnify Us for any breach of the warranties given by you under sub-Clause 6.2. You will be responsible for any loss or damage suffered by Us as a result of such breach.
6.4 You (or the licensors who own the Content in question, as appropriate) retain the ownership of the User Content that you submit to Our Site and all the intellectual property rights in that User Content. By submitting User Content to Our Site, you grant Us an [irrevocable,] unconditional, non-exclusive, fully transferable, royalty-free, perpetual, worldwide licence to use, store, archive, syndicate, publish, transmit, adapt, edit, reproduce, distribute, prepare derivative works from, display, perform, and sub-licence your User Content for the purposes of operating [and promoting] Our Site.
6.5 If you wish to remove User Content, you may do so by following the instructions provided <<insert location(s)>>. We will use reasonable efforts to remove the User Content from Our Site. [Removing User Content also revokes the licence granted to Us to use that User Content under sub-Clause 6.4.] Please note that caching or references to your User Content may not be made unavailable immediately (or may not be made unavailable at all where they are outside of Our reasonable control).
6.6 We may reject, reclassify, or remove any User Content from Our Site where it violates Our Acceptable Usage Policy, or if We receive a complaint from a third party about it and determine that it should be removed in response to that complaint. If any of your User Content is removed, you will be informed of the removal and the reasons for the removal in writing.

7. Links to Our Site
7.1 You may link to Our Site provided that:
7.1.1 you do so in a fair and legal way;
7.1.2 you do not do so in a way that suggests any form of association, endorsement, or approval on Our part where none exists;
7.1.3 you do not use any logos or trademarks displayed on Our Site without Our express written permission; and
7.1.4 you do not do so in a way that is intended to damage Our reputation or to take unfair advantage of it.
7.2 [You may link to any page on Our Site.] OR [You may not link to any page other than the homepage of Our Site, https://rancehealthcareservices.co.uk/. Linking to other pages (known as “deep linking”) requires Our express written permission. Please contact Us at Customer Services for further information.]
7.3 [Framing or embedding of Our Site on other websites requires Our express written permission. Please contact Us for further information.]
7.4 You may not link to Our Site from any other site where that site’s main content (i.e. the site’s primary purpose and content, not comments or similar from other users) contains material that:
7.4.1 [is sexually explicit];
7.4.2 is obscene, deliberately offensive, hateful, or otherwise inflammatory;
7.4.3 promotes violence;
7.4.4 promotes or assists in any form of unlawful activity;
7.4.5 discriminates against, or is in any way defamatory of, any person, group, or class of persons; race; gender; religion; nationality; disability; sexual orientation; or age;
7.4.6 is intended or is otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
7.4.7 is calculated or is otherwise likely to deceive another person;
7.4.8 is intended or is otherwise likely to infringe (or to threaten to infringe) another person’s privacy;
7.4.9 misleadingly impersonates any person or otherwise misrepresents the identity or affiliation of a particular person in a way that is calculated to deceive (obvious parodies are not included in this definition provided that they do not fall within any of the other provisions of this sub-Clause 7.4);
7.4.10 implies any form of affiliation with Us where none exists;
7.4.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, trademarks, patents, and database rights) of any other party; or
7.4.12 is made in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.

8. Links to Other Sites
Links to other sites may be included on Our Site. Unless expressly stated, these sites are not under Our control. We neither assume nor accept responsibility or liability for the content of third party sites. The inclusion of a link to another site on Our Site is for information only and does not imply any endorsement of the sites themselves or of those in control of them.

9. [Third Party Advertising
9.1 We may feature Third Party Advertising on Our Site.
9.2 You agree that you will not attempt to remove or hide any Third Party Advertising using HTML/CSS or by any other method.
9.3 We are not responsible for any Third Party Advertising on Our Site. [Rance Healthcare Services Ltd is responsible for all Third Party Advertising] OR [Each Third Party Advertiser is responsible for the content of their own Third Party Advertising]. We will not be responsible for any Third Party Advertising on Our Site including, but not limited to, any errors, inaccuracies, or omissions.]

10. Disclaimers and Legal Rights
10.1 Nothing on Our Site constitutes advice on which you should rely. Information and other materials on Our Site are provided for general information purposes only. [Professional or specialist advice should always be sought before taking any action on the basis of any information provided on Our Site.]
10.2 Insofar as is permitted by law, We make no representation, warranty, or guarantee that Our Site will meet your requirements, that it will not infringe the rights of third parties, that it will be compatible with all software and hardware, or that it will be secure. If, as a result of Our failure to exercise reasonable care and skill, any digital content from Our Site damages your device or other digital content belonging to you (if you are a consumer) you may be entitled to certain legal remedies. For more details concerning your rights and remedies as a consumer, please contact your local Citizens Advice Bureau or Trading Standards Office.
10.3 We make reasonable efforts to ensure that Our Content on Our Site is complete, accurate, and up-to-date. We do not, however, make any representations, warranties, or guarantees (whether express or implied) that the Content is complete, accurate, or up-to-date.
10.4 We are not responsible for the content or accuracy of any User Content, nor for any opinions, views, or values expressed in any User Content. Any such opinions, views, or values are those of the relevant User and do not reflect Our opinions, views, or values in any way.

11. Our Liability
11.1 Please note that the provisions of this Clause 11 are subject to Our Terms for Bidders and Terms for Sellers.
11.2 To the fullest extent permissible by law, We accept no liability to any User for any loss or damage, whether foreseeable or otherwise, in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising out of or in connection with the use of (or inability to use) Our Site, or the content of, use of, or reliance upon any Content (including User Content) included on Our Site.
11.3 To the fullest extent permissible by law, We exclude all representations, warranties, and guarantees (whether express or implied) that may apply to Our Site or to any Content (including User Content) included on Our Site.
11.4 If you are a business (i.e. a User using Our Site in the course of business and/or for commercial reasons), We accept no liability for loss of profits, sales, business, or revenue; loss of business opportunity, goodwill, or reputation; loss of anticipated savings; business interruption; or for any indirect or consequential loss or damage.
11.5 We use all reasonable skill and care to ensure that Our Site is free from viruses and other malware. Subject to sub-Clause 10.2, however, We accept no liability for any loss or damage resulting from a virus or other malware, a distributed denial of service attack, or other harmful material or event that may adversely affect your hardware, software, data, or other material that occurs as a result of your use of Our Site or any other site referred to on Our Site.
11.6 We neither assume nor accept responsibility or liability arising out of any disruption or non-availability of Our Site resulting from external causes including, but not limited to, ISP equipment failure, host equipment failure, communications network failure, natural events, acts of war, or legal restrictions and censorship.
11.7 Nothing in these Terms of Use seeks to exclude or restrict Our liability for fraud or fraudulent misrepresentation, for death or personal injury resulting from negligence, or for any other forms of liability that cannot be excluded or restricted by law. For full details of consumers’ legal rights, please contact your local Citizens Advice Bureau or Trading Standards Office.

12. Viruses, Malware, and Security
12.1 We exercise all reasonable skill and care to ensure that Our Site is secure and free from viruses and other malware [including, but not limited to, the scanning of all User Content uploaded by Users for viruses and malware as it is uploaded]. [We do not, however, guarantee that Our Site is secure or free from viruses or other malware and accept no liability in respect of the same, as detailed in sub-Clause 11.5, subject to sub-Clause 10.2.]
12.2 You are responsible for protecting your hardware, software, data, and other material from viruses, malware, and other internet security risks.
12.3 You must not deliberately introduce viruses or other malware, or any other material which is malicious or technologically harmful either to or via Our Site.
12.4 You must not attempt to gain unauthorised access to any part of Our Site, the server on which Our Site is stored, or any other server, computer, or database connected to Our Site.
12.5 You must not attack Our Site by means of a denial of service attack, a distributed denial of service attack, or by any other means.
12.6 By breaching the provisions of sub-Clauses 12.3 to 12.5, you may be committing a criminal offence under the Computer Misuse Act 1990. Any and all such breaches will be reported to the relevant law enforcement authorities and We will cooperate fully with those authorities by disclosing your identity to them. Your right to use Our Site will cease immediately in the event of such a breach.

13. Acceptable Usage Policy
13.1 You may only use Our Site in a manner that is lawful and that complies with the provisions of this Clause 13. Specifically:
13.1.1 you must ensure that you comply fully with any and all local, national, or international laws, and/or regulations;
13.1.2 you must not use Our Site in any way, or for any purpose, that is unlawful or fraudulent;
13.1.3 you must not use Our Site to knowingly send, upload, or in any other way transmit data that contains any form of virus or other malware, or any other code designed to adversely affect computer hardware, software, or data of any kind; and
13.1.4 you must not use Our Site in any way, or for any purpose, that is intended to harm any person or persons in any way.
13.2 When using Our Site, you must not communicate or otherwise do anything that:
13.2.1 is sexually explicit;
13.2.2 is obscene, deliberately offensive, hateful, or otherwise inflammatory;
13.2.3 promotes violence;
13.2.4 promotes or assists in any form of unlawful activity;
13.2.5 discriminates against, or is in any way defamatory of, any person, group, or class of persons; race; gender; religion; nationality; disability; sexual orientation; or age;
13.2.6 is intended or otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
13.2.7 is calculated or is otherwise likely to deceive;
13.2.8 is intended or otherwise likely to infringe (or threaten to infringe) another person’s right to privacy or otherwise uses their personal data in a way that you do not have a right to;
13.2.9 misleadingly impersonates any person or otherwise misrepresents your identity or affiliation in a way that is calculated to deceive (obvious parodies are not included within this definition provided that they do not fall within any of the other provisions of this sub-Clause 13.2);
13.2.10 implies any form of affiliation with Us where none exists;
13.2.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, trademarks, patents, and database rights) of any other party; or
13.2.12 is in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
13.3 We reserve the right to suspend or terminate your access to Our Site if you materially breach the provisions of this Clause 13 or any of the other provisions of these Terms of Use. Further actions We may take include, but are not limited to:
13.3.1 removing your User Content from Our Site;
13.3.2 issuing you with a written warning;
13.3.3 legal proceedings against you for reimbursement of any and all relevant costs resulting from your breach on an indemnity basis;
13.3.4 further legal action against you as appropriate;
13.3.5 disclosing such information to law enforcement authorities as required or as We deem reasonably necessary; and/or
13.3.6 any other actions which We deem reasonably necessary, appropriate, and lawful.
13.4 We hereby exclude any and all liability arising out of any actions that We may take in response to breaches of these Terms of Use.

14. Privacy and Cookies
Use of Our Site is also governed by Our Privacy Policy and Cookie Policy,

15. How We Use Your Personal Information (Data Protection)
15.1 All personal information that We may use will be collected, processed, and held in accordance with the provisions of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and your rights under the GDPR.
15.2 For complete details of Our collection, processing, storage, and retention of personal data including, but not limited to, the purpose(s) for which personal data is used, the legal basis or bases for using it, details of your rights and how to exercise them, and personal data sharing (where applicable), please refer to Our Privacy Policy [and Cookie Policy].

16. Communications from Us
16.1 If We have your contact details, We may send you important notices by email. Such notices will only relate to important matters including, but not limited to, service changes; changes to these Terms of Use; Our Terms for Sellers, Terms for Bidders, Privacy Policy, or Cookie Policy; and changes to your Account.
16.2 We will never send you marketing emails of any kind without your express permission. If you do give Us permission, you may opt-out at any time. Any and all marketing emails sent by Us include an unsubscribe link. [Email marketing preferences can also be changed in My Dashboard.] If you opt out of receiving emails from Us, it may take up to 3 days for Us to comply with your request. During that time, you may continue to receive emails from Us.

17. Contacting Us
To contact Us, please email Us directly or use any of the options provided on Our contact page.

18. Changes to these Terms of Use
18.1 We may alter these Terms of Use at any time. [If We do so, details of the changes will be highlighted at the top of this page [and We will email you with details of the changes].] Any such changes will become binding on you upon your first use of Our Site after the changes have been made. You are therefore advised to check this page from time to time.
18.2 In the event of any conflict between the current version of these Terms of Use and any previous version(s), the current version shall prevail unless it is specifically stated otherwise.

19. Law and Jurisdiction
19.1 These Terms and Conditions, and the relationship between you and Us (whether contractual or otherwise) shall be governed by, and construed in accordance with the law of [England & Wales] [Northern Ireland] [Scotland].
19.2 If you are a consumer, you will benefit from any mandatory provisions of the law in your country of residence. Nothing in Sub-Clause 19.1 above takes away or reduces your rights as a consumer to rely on those provisions.
19.3 If you are a consumer, any dispute, controversy, proceedings or claim between you and Us relating to these Terms and Conditions, or the relationship between you and Us (whether contractual or otherwise) shall be subject to the jurisdiction of the courts of England, Wales, Scotland, or Northern Ireland, as determined by your residency.
19.4 If you are a business, any disputes concerning these Terms and Conditions, the relationship between you and Us, or any matters arising therefrom or associated therewith (whether contractual or otherwise) shall be subject to the [non] exclusive jurisdiction of the courts of [England & Wales] [Northern Ireland] [Scotland].

 

USER REVIEWS

BACKGROUND:
These User Reviews, together with any and all other documents referred to herein, set out the terms of use under which you may use this website, rancehealthcareservices.co.uk (“Our Site”). Please read these Terms and Conditions carefully and ensure that you understand them. [Your agreement to comply with and be bound by these Terms and Conditions is deemed to occur upon your first use of Our Site] AND/OR [You will be required to read and accept these Terms and Conditions when signing up for an Account]. If you do not agree to comply with and be bound by these Terms and Conditions, you must stop using Our Site immediately.

1. Definitions and Interpretation
1.1 In these User Reviews Terms and Conditions, unless the context otherwise requires, the following expressions have the following meanings:
“Account” means an account required for a User to access and/or use certain areas of Our Site, as detailed in Clause 4;
“Content” means any and all text, images, audio, video, scripts, code, software, databases and any other form of information capable of being stored on a computer that appears on, or forms part of, Our Site;
“Expert Review” means a review posted on Our Site by one of Our employees or associates;
“User” means a user of Our Site;
“User Review” means a review posted on Our Site by a User; and
“We/Us/Our” means Rance Healthcare Services Ltd [, a company registered in England under company number 12154188, whose registered address is <<insert registered address>> and whose main trading address is] OR [of] <<insert address>>.

2. Information About Us
2.1 Our Site, rancehealthcareservices.co.uk, is [owned and] operated by Rance Healthcare Services [, a limited company registered in England under company number 12154188, whose registered address is 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR and whose main trading address is] OR [of] 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR. [Our VAT number is <<insert VAT number>>.]
2.2 [We are regulated by CQC.]
2.3 [We are a member of <<insert name(s) of association(s) etc.>>.]
2.4 [<<insert further information as required>>.]

3. Access to Our Site
3.1 Access to Our Site is free of charge.
3.2 It is your responsibility to make any and all arrangements necessary in order to access Our Site.
3.3 Access to Our Site is provided “as is” and on an “as available” basis. We may alter, suspend or discontinue Our Site (or any part of it) at any time and without notice. We will not be liable to you in any way if Our Site (or any part of it) is unavailable at any time and for any period.

4. Accounts
4.1 Certain parts and features of Our Site (including the ability to submit User Reviews) may require an Account in order to access them.
4.2 You may not create an Account if you are under 18 years of age. [If you are under 18 years of age and wish to use the parts of Our Site that require an Account, your parent or guardian should create the Account for you and you must only use the Account with their supervision.]
4.3 When creating an Account, the information you provide must be accurate and complete. If any of your information changes at a later date, it is your responsibility to ensure that your Account is kept up-to-date.
4.4 We [require] OR [recommend] that you choose a strong password for your Account, consisting of “a combination of lowercase and uppercase letters, numbers, and symbols”. It is your responsibility to keep your password safe. [You must not share your Account with anyone else.] If you believe your Account is being used without your permission, please contact Us immediately via email. We will not be liable for any unauthorised use of your Account.
4.5 You must not use anyone else’s Account [without the express permission of the User to whom the Account belongs].
4.6 Any personal information provided in your Account will be collected, used, and held in accordance with your rights and Our obligations under the law, as set out in Clause 15.
4.7 If you wish to close your Account, you may do so at any time. Closing your Account will result in the removal of your information. Closing your Account will also remove access to any areas of Our Site requiring an Account for access. [A user’s data and/or content will also be deleted.]
4.8 If you close and delete your Account, any User Reviews that you have submitted to Our Site will [also be deleted] OR [be anonymised by “removing your username and avatar”].

5. Intellectual Property Rights
5.1 With the exception of User Reviews (see Clause 6), all Content included on Our Site and the copyright and other intellectual property rights subsisting in that Content, unless specifically labelled otherwise, belongs to or has been licensed by Us. All Content (including User Reviews) is protected by applicable United Kingdom and international intellectual property laws and treaties.
5.2 Subject to sub-Clause[s] 5.3 [and 5.6] you may not reproduce, copy, distribute, sell, rent, sub-licence, store, or in any other manner re-use Content from Our Site unless given express written permission to do so by Us.
5.3 You may:
5.3.1 Access, view and use Our Site in a web browser (including any web browsing capability built into other types of software or app);
5.3.2 Download Our Site (or any part of it) for caching;
5.3.3 Print [one copy of any] page(s) from Our Site;
5.3.4 Download extracts from pages on Our Site; and
5.3.5 Save pages from Our Site for later and/or offline viewing.
5.4 Our status as the owner and author of the Content on Our Site (or that of identified Users and/or licensors, as appropriate) must always be acknowledged.
5.5 You may not use any Content printed, saved or downloaded from Our Site for commercial purposes without first obtaining a licence from Us (or our licensors, as appropriate) to do so. [This does not prohibit the normal access, viewing and use of Our Site for general information purposes whether by business users or consumers.]
5.6 [Nothing in these Terms of Use limits or excludes the provisions of Chapter III of the Copyrights, Designs and Patents Act 1988 ‘Acts Permitted in Relation to Copyright Works’, covering in particular the making of temporary copies; research and private study; the making of copies for text and data analysis for non-commercial research; criticism, review, quotation and news reporting; caricature, parody or pastiche; and the incidental inclusion of copyright material.]

6. User Reviews
6.1 An Account is required if you wish to submit User Reviews. Please refer to Clause 4 for more information.
6.2 You agree that you will be solely responsible for your User Reviews. Specifically, you agree, represent and warrant that you have the right to submit the User Reviews, that any facts stated are accurate and true, that opinions stated are genuinely held, and that all such User Reviews will comply with Our Acceptable Usage Policy, detailed below in Clause 7.
6.3 You agree that you will be liable to Us and will, to the fullest extent permissible by law, indemnify Us for any breach of the warranties given by you under sub-Clause 6.2. You will be responsible for any loss or damage suffered by Us as a result of such breach.
6.4 You (or your licensors, as appropriate) retain ownership of your User Reviews and all intellectual property rights subsisting therein. When you submit a User Review you grant Us an unconditional, non-exclusive, fully transferrable, royalty-free, perpetual, [irrevocable,] worldwide licence to use, store, archive, syndicate, publish, transmit, adapt, edit, reproduce, distribute, prepare derivative works from, display, perform and sub-licence it for the purposes of operating and promoting Our Site. [In addition, you also grant Other Users the right to copy and quote your User Review within Our Site.]
6.5 If you wish to remove any of your User Reviews from Our Site, the User Reviews in question will be [deleted] OR [anonymised by “removing your username and avatar”]. Please note, however, that caching or references to your User Reviews may not be made immediately unavailable (or may not be made unavailable at all where they are outside of Our reasonable control).
6.6 We may pre-screen, reject, reclassify, edit, or remove any User Review(s) from Our Site including, but not limited to, circumstances where, in Our sole opinion, they violate Our Acceptable Usage Policy, or if We receive a complaint from a third party and determine that the User Review(s) in question should be removed as a result.

7. Acceptable Usage Policy
7.1 You may only use Our Site in a manner that is lawful and that complies with the provisions of this Clause 7. Specifically:
7.1.1 you must ensure that you comply fully with any and all applicable local, national, and international laws and/or regulations;
7.1.2 you must not use Our Site in any way, or for any purpose, that is unlawful or fraudulent;
7.1.3 you must not use Our Site to knowingly send, upload, or in any other way transmit data that contains any form of virus or other malware, or any other code designed to adversely affect computer hardware, software, or data of any kind; and
7.1.4 you must not use Our Site in any way, or for any purpose, that is intended to harm any person or persons in any way.
7.2 When submitting User Reviews (or communicating in any other way using Our Site), you must not submit, communicate or otherwise do anything that:
7.2.1 [is sexually explicit;]
7.2.2 is obscene, deliberately offensive, hateful or otherwise inflammatory;
7.2.3 promotes violence;
7.2.4 promotes or assists in any form of unlawful activity;
7.2.5 discriminates against, or is in any way defamatory of, any person, group or class of persons, race, sex, religion, nationality, disability, sexual orientation or age;
7.2.6 is intended or otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person (this does not prohibit negative User Reviews, however);
7.2.7 is calculated or is otherwise likely to deceive;
7.2.8 is intended or otherwise likely to infringe (or threaten to infringe) another person’s right to privacy or otherwise uses their personal data in a way that you do not have a right to;
7.2.9 misleadingly impersonates any person or otherwise misrepresents your identity or affiliation in a way that is calculated to deceive;
7.2.10 implies any form of affiliation with Us where none exists;
7.2.11 is intended to advertise or market any product or service (including, but not limited to that which is being reviewed), or is of an advertising or marketing nature;
7.2.12 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, patents, trademarks and database rights) of any other party; or
7.2.13 is in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
7.3 [The following types of products and/or services may not be reviewed on Our Site:
7.3.1 <<insert product / service type>>;
7.3.2 <<add more as required>>.]
7.4 We reserve the right to suspend or terminate your Account and/or your access to Our Site if you materially breach the provisions of this Clause 7 or any of the other provisions of these Terms and Conditions. Specifically, We may take one or more of the following actions:
7.4.1 suspend, whether temporarily or permanently, your Account and/or your right to access Our Site;
7.4.2 remove any User Review(s) submitted by you that violate(s) this Acceptable Usage Policy;
7.4.3 issue you with a written warning;
7.4.4 take legal proceedings against you for reimbursement of any and all relevant costs on an indemnity basis resulting from your breach;
7.4.5 take further legal action against you as appropriate;
7.4.6 disclose such information to law enforcement authorities as required or as We deem reasonably necessary; and/or
7.4.7 any other actions that We deem reasonably appropriate (and lawful).
7.5 We hereby exclude any and all liability arising out of any actions (including, but not limited to those set out above) that We may take in response to breaches of these Terms and Conditions.

8. Links to Our Site
8.1 You may link to Our Site provided that:
8.1.1 You do so in a fair and legal manner;
8.1.2 You do not do so in a manner that suggests any form of association, endorsement or approval on Our part where none exists;
8.1.3 You do not use any logos or trademarks displayed on Our Site without Our express written permission; and
8.1.4 You do not do so in a way that is calculated to damage Our reputation or to take unfair advantage of it.
8.2 [You may link to any page of Our Site.] OR
8.2 [You may not link to any page other than the homepage of Our Site, rancehealthcareservices.co.uk. Deep-linking to other pages requires Our express written permission.]
8.3 [Framing or embedding of Our Site on other websites is not permitted without Our express written permission. Please contact Us via email for further information.]
8.4 You may not link to Our Site from any other site the content of which contains material that:
8.4.1 [is sexually explicit;]
8.4.2 is obscene, deliberately offensive, hateful or otherwise inflammatory;
8.4.3 promotes violence;
8.4.4 promotes or assists in any form of unlawful activity;
8.4.5 discriminates against, or is in any way defamatory of, any person, group or class of persons, race, sex, religion, nationality, disability, sexual orientation, or age;
8.4.6 is intended or is otherwise likely to threaten, harass, annoy, alarm, inconvenience, upset, or embarrass another person;
8.4.7 is calculated or is otherwise likely to deceive another person;
8.4.8 is intended or is otherwise likely to infringe (or to threaten to infringe) another person’s privacy;
8.4.9 misleadingly impersonates any person or otherwise misrepresents the identity or affiliation of a particular person in a way that is calculated to deceive (obvious parodies are not included in this definition provided that they do not fall within any of the other provisions of this sub-Clause 8.4);
8.4.10 implies any form of affiliation with Us where none exists;
8.4.11 infringes, or assists in the infringement of, the intellectual property rights (including, but not limited to, copyright, trademarks and database rights) of any other party; or
8.4.12 is made in breach of any legal duty owed to a third party including, but not limited to, contractual duties and duties of confidence.
8.5 [The content restrictions in sub-Clause 8.4 do not apply to content submitted to sites by other users provided that the primary purpose of the site accords with the provisions of sub-Clause 8.4. You are not, for example, prohibited from posting links on general-purpose social networking sites merely because another user may post such content. You are, however, prohibited from posting links on websites which focus on or encourage the submission of such content from users.]

9. Links to Other Sites
Links to other sites may be included on Our Site. Unless expressly stated, these sites are not under Our control. We neither assume nor accept responsibility or liability for the content of third party sites. The inclusion of a link to another site on Our Site is for information only and does not imply any endorsement of the sites themselves or of those in control of them.

10. [Advertising
We may feature advertising on Our Site. We are not responsible for the content of any advertising on Our Site. [Rance Healthcare Services Ltd is responsible for the content of advertising material] OR [Each advertiser is responsible for the content of their own advertising material]. We will not be responsible for any advertising on Our Site including, but not limited to, any errors, inaccuracies, or omissions.]

11. Disclaimers and Legal Rights
11.1 Nothing on Our Site, including but not limited to User Reviews and Expert Reviews, constitutes advice on which you should rely. It is provided for general information purposes only. [Professional or specialist advice should always be sought before taking any action relating to selling or bidding.]
11.2 Insofar as is permitted by law, We make no representation, warranty, or guarantee that Our Site will meet your requirements, that it will not infringe the rights of third parties, that it will be compatible with all software and hardware, or that it will be secure.
11.3 If, as a result of Our failure to exercise reasonable care and skill, any digital content from Our Site damages your device or other digital content belonging to you, as a consumer you may be entitled to certain legal remedies. For more details concerning your rights and remedies as a consumer, please contact your local Citizens Advice Bureau or Trading Standards Office.
11.4 We make reasonable efforts to ensure that the Content on Our Site is complete, accurate, and up-to-date. We do not, however, make any representations, warranties or guarantees (whether express or implied) that the Content is complete, accurate, or up-to-date.
11.5 The opinions, views, and values expressed in Content on Our Site, including but not limited to User Reviews and Expert Reviews, are those of the authors of that Content and do not represent Our opinions, views, or values.

12. Our Liability
12.1 To the fullest extent permissible by law, We accept no liability to any user for any loss or damage, whether foreseeable or otherwise, in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising out of or in connection with the use of (or inability to use) Our Site or the use of or reliance upon any Content included on Our Site.
12.2 To the fullest extent permissible by law, We exclude all representations, warranties, and guarantees (whether express or implied) that may apply to Our Site or any Content included on Our Site.
12.3 [Our Site is intended for non-commercial use only.] If you are a business user, We accept no liability for loss of profits, sales, business or revenue; loss of business opportunity, goodwill or reputation; loss of anticipated savings; business interruption; or for any indirect or consequential loss or damage.
12.4 We exercise all reasonable skill and care to ensure that Our Site is free from viruses and other malware. However, subject to sub-Clause 11.3, We accept no liability for any loss or damage resulting from a virus or other malware, a distributed denial of service attack, or other harmful material or event that may adversely affect your hardware, software, data or other material that occurs as a result of your use of Our Site (including the downloading of any Content from it) or any other site referred to on Our Site.
12.5 We neither assume nor accept responsibility or liability arising out of any disruption or non-availability of Our Site resulting from external causes including, but not limited to, ISP equipment failure, host equipment failure, communications network failure, natural events, acts of war, or legal restrictions and censorship.
12.6 Nothing in these Terms and Conditions excludes or restricts Our liability for fraud or fraudulent misrepresentation, for death or personal injury resulting from negligence, or for any other forms of liability which cannot be excluded or restricted by law. For full details of consumers’ legal rights, including those relating to digital content, please contact your local Citizens’ Advice Bureau or Trading Standards Office.

13. Viruses, Malware and Security
13.1 We exercise all reasonable skill and care to ensure that Our Site is secure and free from viruses and other malware.
13.2 You are responsible for protecting your hardware, software, data and other material from viruses, malware, and other internet security risks.
13.3 You must not deliberately introduce viruses or other malware, or any other material which is malicious or technologically harmful either to or via Our Site.
13.4 You must not attempt to gain unauthorised access to any part of Our Site, the server on which Our Site is stored, or any other server, computer, or database connected to Our Site.
13.5 You must not attack Our Site by means of a denial of service attack, a distributed denial of service attack, or by any other means.
13.6 By breaching the provisions of sub-Clauses 13.3 to 13.5 you may be committing a criminal offence under the Computer Misuse Act 1990. Any and all such breaches will be reported to the relevant law enforcement authorities and We will cooperate fully with those authorities by disclosing your identity to them. Your right to use Our Site will cease immediately in the event of such a breach.

14. Privacy and Cookies
Use of Our Site is also governed by Our Cookie and Privacy Policies, available from our Cookie Policy and Privacy Policy. These policies are incorporated into these Terms and Conditions by this reference.

15. Data Protection
15.1 All personal information that We may use will be collected, processed, and held in accordance with the provisions of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and your rights under the GDPR.
15.2 For complete details of Our collection, processing, storage, and retention of personal data including, but not limited to, the purpose(s) for which personal data is used, the legal basis or bases for using it, details of your rights and how to exercise them, and personal data sharing (where applicable), please refer to Our Privacy Policy [and Cookie Policy].

16. [Communications from Us
16.1 If We have your contact details, We may from time to time send you important notices by email. Such notices may relate to matters including, but not limited to, service changes and changes to these Terms and Conditions.
16.2 We will never send you marketing emails of any kind without your express consent. If you do give such consent, you may opt out at any time. Any and all marketing emails sent by Us include an unsubscribe link. If you opt out of receiving emails from Us at any time, it may take up to 3 business days for your new preferences to take effect.
16.3 For questions or complaints about communications from Us (including, but not limited to marketing emails), please contact Us via email or via Our Contact us page.]

17. Changes to these Terms and Conditions
17.1 We may alter these Terms and Conditions at any time. [If We do so, details of the changes will be highlighted at the top of this page.] Any such changes will become binding on you upon your first use of Our Site after the changes have been implemented. You are therefore advised to check this page from time to time.
17.2 In the event of any conflict between the current version of these Terms and Conditions and any previous version(s), the provisions current and in effect shall prevail unless it is expressly stated otherwise.

18. Contacting Us
To contact Us, please email Us or use any of the methods provided on Our Contact us page.

19. Law and Jurisdiction
19.1 These Terms and Conditions, and the relationship between you and Us (whether contractual or otherwise) shall be governed by, and construed in accordance with the law of [England & Wales] [Northern Ireland] [Scotland].
19.2 If you are a consumer, you will benefit from any mandatory provisions of the law in your country of residence. Nothing in Sub-Clause 19.1 above takes away or reduces your rights as a consumer to rely on those provisions.
19.3 If you are a consumer, any dispute, controversy, proceedings or claim between you and Us relating to these Terms and Conditions, or the relationship between you and Us (whether contractual or otherwise) shall be subject to the jurisdiction of the courts of England, Wales, Scotland, or Northern Ireland, as determined by your residency.
19.4 If you are a business, any disputes concerning these Terms and Conditions, the relationship between you and Us, or any matters arising therefrom or associated therewith (whether contractual or otherwise) shall be subject to the [non] exclusive jurisdiction of the courts of [England & Wales] [Northern Ireland] [Scotland].

 

Data Retention Policy

Rance Healthcare Services Ltd
Data Retention Policy
29 December 2020

1. Introduction
This Policy sets out the obligations of Rance Healthcare Services Ltd, a company registered in England under company registration number 12154188, whose registered office is at 3rd & 4th Floors, 84 Salop Street, Wolverhampton, WV3 0RS (“the Company”) regarding retention of personal data collected, held, and processed by the Company in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR also addresses “special category” personal data (also known as “sensitive” personal data). Such data includes, but is not necessarily limited to, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation.
Under the GDPR, personal data shall be kept in a form which permits the identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. In certain cases, personal data may be stored for longer periods where that data is to be processed for archiving purposes that are in the public interest, for scientific or historical research, or for statistical purposes (subject to the implementation of the appropriate technical and organisational measures required by the GDPR to protect that data).
In addition, the GDPR includes the right to erasure or “the right to be forgotten”. Data subjects have the right to have their personal data erased (and to prevent the processing of that personal data) in the following circumstances:
a) Where the personal data is no longer required for the purpose for which it was originally collected or processed (see above);
b) When the data subject withdraws their consent;
c) When the data subject objects to the processing of their personal data and the Company has no overriding legitimate interest;
d) When the personal data is processed unlawfully (i.e. in breach of the GDPR);
e) When the personal data has to be erased to comply with a legal obligation; or
f) Where the personal data is processed for the provision of information society services to a child.
This Policy sets out the type(s) of personal data held by the Company for monitoring purpose(s) AND/OR [by Rance Healthcare Services Ltd], the period(s) for which that personal data is to be retained, the criteria for establishing and reviewing such period(s), and when and how it is to be deleted or otherwise disposed of.
For further information on other aspects of data protection and compliance with the GDPR, please refer to the Company’s Data Protection Policy.

2. Aims and Objectives
2.1 The primary aim of this Policy is to set out limits for the retention of personal data and to ensure that those limits, as well as further data subject rights to erasure, are complied with. By extension, this Policy aims to ensure that the Company complies fully with its obligations and the rights of data subjects under the GDPR.
2.2 In addition to safeguarding the rights of data subjects under the GDPR, by ensuring that excessive amounts of data are not retained by the Company, this Policy also aims to improve the speed and efficiency of managing data.

3. Scope
3.1 This Policy applies to all personal data held [by the Company] OR [by the Security Department of the Company] AND/OR [for monitoring purpose(s)] [and by third-party data processors processing personal data on the Company’s behalf].
3.2 Personal data, as held by [the Company] OR [the above] is stored in the following ways and in the following locations:
a) [The Company’s servers, located in the USA;]
b) [Third-party servers, operated by USA and located in USA;]
c) [Computers permanently located in the Company’s premises in England, UK;]
d) [Laptop computers [and other mobile devices] provided by the Company to its employees;]
e) [Computers and mobile devices owned by employees, agents, and sub-contractors [used in accordance with the Company’s Bring Your Own Device (“BYOD”) Policy];]
f) [Physical records stored in England, UK;]
g) [<<add further storage types and locations as required>>.]

4. Data Subject Rights and Data Integrity
All personal data held by the Company is held in accordance with the requirements of the GDPR and data subjects’ rights thereunder, as set out in the Company’s Data Protection Policy.
4.1 Data subjects are kept fully informed of their rights, of what personal data the Company holds about them, how that personal data is used [as set out in Parts 12 and 13 of the Company’s Data Protection Policy], and how long the Company will hold that personal data (or, if no fixed retention period can be determined, the criteria by which the retention of the data will be determined).
4.2 Data subjects are given control over their personal data held by the Company including the right to have incorrect data rectified, the right to request that their personal data be deleted or otherwise disposed of (notwithstanding the retention periods otherwise set by this Data Retention Policy), the right to restrict the Company’s use of their personal data, [the right to data portability,] and further rights relating to automated decision-making and profiling [, as set out in Parts 14 to 20 of the Company’s Data Protection Policy].

5. Technical and Organisational Data Security Measures
5.1 The following technical measures are in place within the Company to protect the security of personal data. Please refer to Parts 22 to 26 of the Company’s Data Protection Policy for further details:
a) All emails containing personal data must be encrypted;
b) All emails containing personal data must be marked “confidential”;
c) Personal data may only be transmitted over secure networks;
d) Personal data may not be transmitted over a wireless network if there is a reasonable wired alternative;
e) Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself and associated temporary files should be deleted;
f) Where personal data is to be sent by facsimile transmission the recipient should be informed in advance and should be waiting to receive it;
g) Where personal data is to be transferred in hard-copy form, it should be passed directly to the recipient [or sent using Special Delivery Service];
h) All personal data transferred physically should be transferred in a suitable container marked “confidential”;
i) No personal data may be shared informally and if access is required to any personal data, such access should be formally requested from customer services;
j) All hard-copies of personal data, along with any electronic copies stored on physical media should be stored securely;
k) No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without authorisation;
l) Personal data must be handled with care at all times and should not be left unattended or on view;
m) Computers used to view personal data must always be locked before being left unattended;
n) No personal data should be stored on any mobile device, whether such device belongs to the Company or otherwise [without the formal written approval of Rance Healthcare Services Ltd and then strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary];
o) [No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the Company’s Data Protection Policy and the GDPR;]
p) All personal data stored electronically should be backed up hourly with backups stored [onsite] AND/OR [offsite]. All backups should be encrypted;
q) All electronic copies of personal data should be stored securely using passwords and encryption;
r) All passwords used to protect personal data should be changed regularly and must be secure;
s) Under no circumstances should any passwords be written down or shared. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
t) All software should be kept up-to-date. Security-related updates should be installed [not more than 1 hour] OR [as soon as reasonably possible after] becoming available;
u) No software may be installed on any Company-owned computer or device without approval; and
v) Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Rance Healthcare Services Ltd to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.
5.2 The following organisational measures are in place within the Company to protect the security of personal data. Please refer to Part 27 of the Company’s Data Protection Policy for further details:
a) All employees and other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under the Company’s Data Protection Policy;
b) Only employees and other parties working on behalf of the Company that need access to, and use of, personal data in order to perform their work shall have access to personal data held by the Company;
c) All employees and other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
d) All employees and other parties working on behalf of the Company handling personal data will be appropriately supervised;
e) All employees and other parties working on behalf of the Company handling personal data should exercise care and caution when discussing any work relating to personal data at all times;
f) Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
g) The performance of those employees and other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
h) All employees and other parties working on behalf of the Company handling personal data will be bound by contract to comply with the GDPR and the Company’s Data Protection Policy;
i) All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all relevant employees are held to the same conditions as those relevant employees of the Company arising out of the GDPR and the Company’s Data Protection Policy;
j) Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under the GDPR and/or the Company’s Data Protection Policy, that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

6. Data Disposal
Upon the expiry of the data retention periods set out below in Part 7 of this Policy, or when a data subject exercises their right to have their personal data erased, personal data shall be deleted, destroyed, or otherwise disposed of as follows:
6.1 Personal data stored electronically (including any and all backups thereof) shall be deleted [securely using the data clearing or data wiping method of deletion];
6.2 [Special category personal data stored electronically (including any and all backups thereof) shall be deleted [securely using the data clearing or data wiping method of deletion];]
6.3 Personal data stored in hard-copy form shall be shredded [to at least level 2 or standard] and [recycled] OR [using data clearing or data wiping method of deletion];
6.4 [Special category personal data stored in hard-copy form shall be shredded [to at least level 2 or standard] and [recycled] OR [using data clearing or data wiping method of deletion].]

7. Data Retention
7.1 As stated above, and as required by law, the Company shall not retain any personal data for any longer than is necessary in light of the purpose(s) for which that data is collected, held, and processed.
7.2 Different types of personal data, used for different purposes, will necessarily be retained for different periods (and its retention periodically reviewed), as set out below.
7.3 When establishing and/or reviewing retention periods, the following shall be taken into account:
a) The objectives and requirements of the Company;
b) The type of personal data in question;
c) The purpose(s) for which the data in question is collected, held, and processed;
d) The Company’s legal basis for collecting, holding, and processing that data;
e) The category or categories of data subjects to whom the data relates.
7.4 If a precise retention period cannot be fixed for a particular type of data, criteria shall be established by which the retention of the data will be determined, thereby ensuring that the data in question, and the retention of that data, can be regularly reviewed against those criteria.
7.5 Notwithstanding the following defined retention periods, certain personal data may be deleted or otherwise disposed of prior to the expiry of its defined retention period where a decision is made within the Company to do so (whether in response to a request by a data subject or otherwise).
7.6 [In limited circumstances, it may also be necessary to retain personal data for longer periods where such retention is for archiving purposes that are in the public interest, for scientific or historical research purposes, or for statistical purposes. All such retention will be subject to the implementation of appropriate technical and organisational measures to protect the rights and freedoms of data subjects, as required by the GDPR.]

 

Data Security Policy

Rance Healthcare Services Ltd
Data Security Policy
28 December 2020

1. Introduction
This document sets out the measures to be taken by all employees of Rance Healthcare Services Ltd (the “Company”) and by the Company as a whole in order to protect data (electronic and otherwise) collected, held, and processed by the Company, and to protect the Company’s computer systems, devices, infrastructure, computing environment, and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.
For the purposes of this Policy, “data” shall refer to the following type(s) of data:
a) Cookies;
b) <<add further items as required>>.
For the purposes of this Policy, “personal data” shall carry the meaning defined in Article 4 of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”): any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Key Principles
2.1 All IT Systems and data are to be protected against unauthorised access.
2.2 All IT Systems and data are to be used only in compliance with relevant Company Policies.
2.3 All personal data must be used only in compliance with the GDPR and the Company’s Data Protection Policy.
2.4 All employees of the Company and any and all third parties authorised to use the IT Systems and data collected, held, and processed by the Company including, but not limited to, contractors and sub-contractors (collectively, “Users”), must ensure that they are familiar with this Policy and must adhere to and comply with it at all times.
2.5 All line managers must ensure that all Users under their control and direction adhere to and comply with this Policy at all times as required under paragraph 2.4.
2.6 All data must be managed securely in compliance with all relevant parts of the GDPR and all other laws governing data protection whether now or in the future in force.
2.7 All data must be classified appropriately (including, but not limited to, personal data, sensitive personal data, and confidential information) [with reference to <<insert classification system/procedure etc. if appropriate>>]. All data so classified must be handled appropriately in accordance with its classification.
2.8 All data, whether stored on IT Systems or in hard-copy format, shall be available only to those Users with a legitimate need for access.
2.9 All data, whether stored on IT Systems or in hard-copy format, shall be protected against unauthorised access and/or processing.
2.10 All data, whether stored on IT Systems or in hard-copy format, shall be protected against loss and/or corruption.
2.11 All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by Rancers Pro (the “IT Department”) or by such third party/parties as the IT Department may from time to time authorise.
2.12 The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the IT Department unless expressly stated otherwise.
2.13 The responsibility for the security and integrity of data that is not stored on the IT Systems lies with [the Data Protection Officer, Rancers Pro] AND/OR [Dorcas.]
2.14 All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the IT Department. [Any breach which is either known or suspected to involve personal data shall be reported to the Data Protection Officer, Rance Healthcare Services Ltd.]
2.15 All breaches of security pertaining to data that is not stored on the IT Systems shall be reported and subsequently investigated by [the Data Protection Officer, Rance Healthcare Services Ltd] AND/OR [Dorcas.] [Any breach which is either known or suspected to involve personal data shall be reported to the Data Protection Officer, Rance Healthcare Services Ltd.]
2.16 All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the IT Department. [If any such concerns relate in any way to personal data, such concerns must [also] OR [instead] be reported to the Data Protection Officer.]
2.17 All Users must report any and all security concerns relating to data that is not stored on the IT Systems immediately to [the Data Protection Officer, Dorcas] AND/OR [Rance Healthcare Services Ltd.] [If any such concerns relate in any way to personal data, such concerns must [also] OR [instead] be reported to the Data Protection Officer.]

3. Department Responsibilities
3.1 The IT Manager, Rance Healthcare Services Ltd, shall be responsible for the following:
a) ensuring that all IT Systems are assessed and deemed suitable for compliance with the Company’s security requirements;
b) ensuring that IT security standards within the Company are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management [and Data Protection Officer, as appropriate,] and reporting the outcome of such reviews to the Company’s senior management;
c) ensuring that all Users are kept aware of the IT-related requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR and the Computer Misuse Act 1990.
3.2 [The Data Protection Officer, ] AND/OR [Rance Healthcare Services Ltd] shall be responsible for the following:
a) ensuring that all other data processing systems and methods are assessed and deemed suitable for compliance with the Company’s security requirements;
b) ensuring that data security standards within the Company are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management [and Data Protection Officer, as appropriate,] and reporting the outcome of such reviews to the Company’s senior management;
c) ensuring that all Users are kept aware of the non-IT-related requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR.
3.3 The IT Staff shall be responsible for the following:
a) assisting all Users in understanding and complying with the IT-related aspects of this Policy;
b) providing all Users with appropriate support and training in IT security matters and use of IT Systems;
c) ensuring that all Users are granted levels of access to IT Systems that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;
d) receiving and handling all reports relating to IT security matters and taking appropriate action in response [including, in the event that any reports relate to personal data, informing the Data Protection Officer];
e) taking proactive action, where possible, to establish and implement IT security procedures and raise User awareness;
f) assisting the IT Manager in monitoring all IT security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future; and
g) ensuring that regular backups are taken of all data stored within the IT Systems at intervals no less than 1 hour and that such backups are stored at a suitable location [onsite] AND/OR [offsite]. All backups should be encrypted [using SSL encryption].
3.4 [The Data Protection Officer,] AND/OR [Rance Healthcare Services Ltd] shall be responsible for the following:
a) assisting all Users in understanding and complying with the non-IT-related aspects of this Policy;
b) providing all Users with appropriate support and training in data security matters;
c) ensuring that all Users are granted levels of access to data that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;
d) receiving and handling reports concerning non-IT-related data security matters and taking appropriate action in response [including, in the event that any reports relate to personal data, informing the Data Protection Officer];
e) taking proactive action, where possible, to establish and implement security procedures and raise User awareness; and
f) assisting [Department Heads] AND/OR [the Data Protection Officer] in monitoring data security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future.

4. Users’ Responsibilities
4.1 All Users must comply with all relevant parts of this Policy at all times when using the IT Systems and data.
4.2 All Users must use the IT Systems and data only within the bounds of UK law and must not use the IT Systems or data for any purpose or activity which is likely to contravene any UK law whether now or in the future in force.
4.3 Users must immediately inform the IT Department and/or [the Data Protection Officer, Rancers Pro] AND/OR [Security Department.] AND/OR [(and, where such concerns relate to personal data, the Data Protection Officer)] of any and all security concerns relating to the IT Systems or data.
4.4 Users must immediately inform the IT Department of any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems.
4.5 Any and all deliberate or negligent breaches of this Policy by Users will be handled as appropriate under the Company’s disciplinary procedures.

5. Software Security Measures
5.1 All software in use on the IT Systems (including, but not limited to, operating systems, individual software applications, and firmware) will be kept up-to-date and any and all relevant software updates, patches, fixes, and other intermediate releases will be applied at the sole discretion of the IT Department. This provision does not extend to upgrading software to new ‘major releases’ (e.g. from version 1.0 to version 2.0), only to updates within a particular major release (e.g. from version 1.0 to version 1.0.1 etc.). Unless a software update is available free of charge it will be classed as a major release, falling within the remit of new software procurement and outside the scope of this provision.
5.2 Where any security flaw is identified in any software that flaw will be either fixed immediately or the software may be withdrawn from the IT Systems until such time as the security flaw can be effectively remedied. [If the security flaw affects, is likely to affect, or is suspected to affect any personal data, the Data Protection Officer shall be informed immediately.]
5.3 No Users may install any software of their own, whether that software is supplied on physical media or whether it is downloaded, without the approval of the IT Manager. Any software belonging to Users must be approved by the IT Manager and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.
5.4 All software will be installed onto the IT Systems by the IT Department unless an individual User is given written permission to do so by the IT Manager. Such written permission must clearly state which software may be installed and onto which computer(s) or device(s) it may be installed.

6. Anti-Virus Security Measures
6.1 Most IT Systems (including all computers and servers) will be protected with suitable anti-virus, firewall, and other suitable internet security software. All such software will be kept up-to-date with the latest software updates and definitions.
6.2 All IT Systems protected by anti-virus software will be subject to a full system scan at least hourly.
6.3 All physical media (e.g. USB memory sticks or disks of any kind) used by Users for transferring files must be virus-scanned before any files may be transferred. Such virus scans shall be performed [automatically upon connection / insertion of media] OR [by the User] OR [by the IT Staff / Manager].
6.4 Users shall be permitted to transfer files using cloud storage systems only with the approval of the IT Manager. [All files downloaded from any cloud storage system must be scanned for viruses during the download process.]
6.5 Any files being sent to third parties outside the Company, whether by email, on physical media, or by other means (e.g. shared cloud storage) must be scanned for viruses before being sent or as part of the sending process, as appropriate. [All email attachments are scanned automatically upon sending.]
6.6 Where any virus is detected by a User this must be reported immediately to the IT Department (this rule shall apply even where the anti-virus software automatically fixes the problem). The IT Department shall promptly take any and all necessary action to remedy the problem. In limited circumstances this may involve the temporary removal of the affected computer or device. Wherever possible a suitable replacement computer or device will be provided [immediately] OR [within 1 hour] to limit disruption to the User.
6.7 [If any virus or other malware affects, is likely to affect, or is suspected to affect any personal data, in addition to the above, the issue must be reported immediately to the Data Protection Officer.]
6.8 Where any User deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.

7. Hardware Security Measures
7.1 Wherever practical, IT Systems will be located in rooms which may be securely locked when not in use or, in appropriate cases, at all times whether in use or not (with authorised Users being granted access by means of a key, smart card, door code or similar). Where access to such locations is restricted, Users must not allow any unauthorised access to such locations for any reason.
7.2 All IT Systems not intended for normal use by Users (including, but not limited to, servers, networking equipment, and network infrastructure) shall be located, wherever possible and practical, in secured, climate-controlled rooms and/or in locked cabinets which may be accessed only by designated members of the IT Department.
7.3 No Users shall have access to any IT Systems not intended for normal use by Users (including such devices mentioned above) without the express permission of the IT Manager. Under normal circumstances, whenever a problem with such IT Systems is identified by a User, that problem must be reported to the IT Department. Under no circumstances should a User attempt to rectify any such problems without the express permission (and, in most cases, instruction and/or supervision) of the IT Manager.
7.4 All non-mobile devices (including, but not limited to, desktop computers, workstations, and monitors) shall, wherever possible and practical, be physically secured in place with a suitable locking mechanism. Where the design of the hardware allows, computer cases shall be locked to prevent tampering with or theft of internal components.
7.5 All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company should always be transported securely and handled with care. In circumstances where such mobile devices are to be left unattended they should be placed inside a lockable case or other suitable container. Users should make all reasonable efforts to avoid leaving such mobile devices unattended at any location [other than their private homes or Company premises]. If any such mobile device is to be left in a vehicle it must be stored out of sight and, where possible, in a locked compartment.
7.6 The IT Department shall maintain a complete asset register of all IT Systems. All IT Systems shall be labelled, and the corresponding data shall be kept on the asset register.

8. Organisational Security
8.1 All Users handling data (and in particular, personal data) will be appropriately trained to do so.
8.2 All Users handling data (and in particular, personal data) will be appropriately supervised.
8.3 All Users handling data (and in particular, personal data) shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to such data, whether in the workplace or otherwise.
8.4 Methods of collecting, holding, and processing data (and in particular, personal data) shall be regularly evaluated and reviewed.
8.5 All personal [and non-personal] data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy.
8.6 The performance of those Users handling personal data shall be regularly evaluated and reviewed.
8.7 All Users handling personal data will be bound to do so in accordance with the principles of the GDPR and the applicable Company Policies by contract.
8.8 No data, personal or otherwise, may be shared informally and if a User requires access to any data, personal or otherwise, that they do not already have access to, such access should be formally requested from Rance Healthcare Services Ltd.
8.9 No data, personal or otherwise, may be transferred to any unauthorised User without the authorisation of Rance Healthcare Services Ltd.
8.10 All data must be handled with care at all times and should not be left unattended or on view to unauthorised Users or other parties at any time.

9. Access Security
9.1 Access privileges for all IT Systems and data shall be determined on the basis of Users’ levels of authority within the Company and the requirements of their job roles. Users shall not be granted access to any IT Systems or data which are not reasonably required for the fulfilment of their job roles.
9.2 All IT Systems (and in particular mobile devices including, but not limited to, laptops, tablets, and smartphones) shall be protected with a secure password or passcode, or such other form of secure log-in system as the IT Department may deem appropriate and approve. Not all forms of biometric log-in are considered secure. Only those methods approved by the IT Department may be used.
9.3 All passwords must, where the software, computer, or device allows:
a) be at least 8 characters long;
b) contain a combination of upper and lower case letters / numbers / spaces / symbols etc.;
c) be changed at least every 30 days;
d) be different from the previous password;
e) not be obvious or easily guessed (e.g. birthdays or other memorable dates, memorable names, events, or places etc.); and
f) be created by individual Users.
9.4 Passwords should be kept secret by each User. Under no circumstances should a User share their password with anyone, including the IT Manager and the IT Staff. No User will be legitimately asked for their password by anyone at any time and any such request should be refused. If a User has reason to believe that another individual has obtained their password, they should change their password immediately [and report the suspected breach of security to the IT Department [and, where personal data could be accessed by an unauthorised individual, the Data Protection Officer]].
9.5 If a User forgets their password, this should be reported to the IT Department. The IT Department will take the necessary steps to restore the User’s access to the IT Systems which may include the issuing of a temporary password which may be fully or partially known to the member of the IT Staff responsible for resolving the issue. A new password must be set up by the User immediately upon the restoration of access to the IT Systems.
9.6 Users should not write down passwords if it is possible to remember them. If a user cannot remember a password, it should be stored securely (e.g. in a locked drawer or in a secure password database) and under no circumstances should passwords be left on display for others to see (e.g. by attaching a note to a computer display).
9.7 All IT Systems with displays and user input devices (e.g. mouse, keyboard, touchscreen etc.) shall be protected, where possible, with a password protected screensaver that will activate after 30 minutes of inactivity. This time period cannot be changed by Users and Users may not disable the screensaver. Activation of the screensaver will not interrupt or disrupt any other activities taking place on the computer (e.g. data processing).
9.8 All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company shall be set to lock, sleep, or similar, after 30 minutes of inactivity, requiring a password, passcode, or other form of log-in to unlock, wake, or similar. Users may not alter this time period.
9.9 Users may not use any software which may allow outside parties to access the IT Systems without the express consent of the IT Manager. Any such software must be reasonably required by the User for the performance of their job role and must be fully inspected and cleared by the IT Manager [and, where such access renders personal data accessible by the outside party, the Data Protection Officer].
9.10 [Users may connect their own devices (including, but not limited to, laptops, tablets, and smartphones) to the [Rance Healthcare Services Ltd] Company network[s] subject to the approval of the IT Department. Any and all instructions and requirements provided by the IT Department governing the use of Users’ own devices when connected to the Company network must be followed at all times. Users’ use of their own devices shall be subject to, and governed by, all relevant Company Policies (including, but not limited to, this Policy) while those devices are connected to the Company network or to any other part of the IT Systems. The IT Department shall reserve the right to request the immediate disconnection of any such devices without notice.]

10. Data Storage Security
10.1 All data stored in electronic form, and in particular personal data, should be stored securely using passwords and [SSL] data encryption.
10.2 All data stored in hard-copy format or electronically on removable physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.
10.3 No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise [without the formal written approval of the Data Protection Officer and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary].
10.4 No data, and in particular personal data, should be transferred to any computer or device personally belonging to a User unless the User in question is a contractor or sub-contractor working on behalf of the Company and that User has agreed to comply fully with the Company’s Data Protection Policy and the GDPR.

11. Data Protection
11.1 All personal data (as defined in the GDPR) collected, held, and processed by the Company will be collected, held, and processed strictly in accordance with the principles of the GDPR, the provisions of the GDPR and the Company’s Data Protection Policy.
11.2 All Users handling data for and on behalf of the Company shall be subject to, and must comply with, the provisions of the Company’s Data Protection Policy at all times. In particular, the following shall apply:
a) All emails containing personal data and/or other data covered by this Policy must be encrypted [using SSL];
b) All emails containing personal data and/or other data covered by this Policy must be marked “confidential”;
c) Personal data and/or other data covered by this Policy may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances;
d) Personal data and/or other data covered by this Policy may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
e) Personal data and/or other data covered by this Policy contained in the body of an email, whether sent or received, should be copied directly from the body of that email, and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted [using data clearing or data wiping method of deletion];
f) All personal data and/or other data covered by this Policy to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked “confidential”.
g) Where any personal data and/or other data covered by this Policy is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
11.3 Any questions relating to data protection should be referred to [the Data Protection Officer,] Dorcas.

12. Deletion and Disposal of Data
12.1 When any data, and in particular personal data, is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it must be securely deleted and/or disposed of [using data clearing or data wiping method of deletion].
12.2 For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

13. Internet and Email Use
13.1 All Users shall be subject to, and must comply with, the provisions of the Company’s Communications, Email and Internet Policy when using the IT Systems.
13.2 Where provisions in this Policy require any additional steps to be taken to ensure security when using the internet or email over and above the requirements imposed by the Communications, Email and Internet Policy, Users must take such steps as required.

14. Reporting Security Breaches
14.1 Subject to paragraph 14.3, all concerns, questions, suspected breaches, or known breaches that relate to the IT Systems shall be referred immediately to [Rance Healthcare Services Ltd] OR [the IT Department] OR [the IT Manager] OR [a member of the IT Staff].
14.2 Subject to paragraph 14.3, all concerns, questions, suspected breaches, or known breaches that relate to other data covered by this Policy shall be referred immediately to [Rance Healthcare Services Ltd] OR [The Data Protection Officer] AND/OR [Security Department].
14.3 All concerns, questions, suspected breaches, or known breaches that involve personal data shall be referred immediately to [the Data Protection Officer] OR [Rance Healthcare Services Ltd] who shall handle the matter in accordance with the Company’s Data Protection Policy.
14.4 Upon receiving a question or notification of a breach, the individual or department responsible shall, within 1 hour, assess the issue including, but not limited to, the level of risk associated therewith, and shall take any and all such steps deemed necessary to respond to the issue.
14.5 Under no circumstances should a User attempt to resolve a security breach on their own without first consulting the relevant individual or department [(or the Data Protection Officer, as appropriate)]. Users may only attempt to resolve security breaches under the instruction of, and with the express permission of, the Rance Healthcare Services Ltd, as appropriate.
14.6 All security breaches, howsoever remedied, shall be fully documented.

15. Policy Review
The Company shall review this Policy not less than 30 days and otherwise as required in order to ensure that it remains up-to-date and fit for purpose. All questions, concerns, and other feedback relating to this Policy should be communicated to the Rance Healthcare Services Ltd, as appropriate [, and/or the Data Protection Officer, Rance Healthcare Services Ltd].

16. Implementation of Policy
This Policy shall be deemed effective as of 28 December 2020. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:
Name: Edwin Rance
Position: Director
Date: 28 December 2020
Due for Review by: 28 December 2021
Signature: Rance Healthcare Services Ltd

 

Data Breach Policy

Rance Healthcare Services Ltd
28 December 2020

1. Introduction
This Policy sets out the obligations of Rance Healthcare Services Ltd, a company registered in England under company registration number 12154188, whose registered office is at 3rd & 4th Floors, 84 Salop Street, Wolverhampton, WV3 0RS (“the Company”) regarding the handling and reporting of data breaches and personal data breaches in accordance with EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
The GDPR defines a “personal data breach” as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
The Company is under a duty to report certain types of personal data breach directly to the UK’s supervisory authority, the Information Commissioner’s Office (“ICO”). The Company is also required to inform individual data subjects in the case of breaches that present a high risk of adversely affecting their rights and freedoms.
All personal data collected, held, and processed by the Company will be handled in accordance with the Company’s Data Protection Policy.
The Company has in place procedures for the detection, investigation, and reporting of data breaches. This Policy applies to all data breaches (including personal data breaches) within the Company and is designed to assist in both the handling of such breaches and in determining whether or not they must be reported to the ICO and/or to data subjects.
[The Company’s Data Protection Officer] OR [Director] OR [Security Department] [is] OR [are] responsible for the implementation of this Policy, for overseeing the handling of all data breaches, and for ensuring that this policy is adhered to by all staff.

2. Scope of Policy
2.1 This Policy relates to all formats of data (including personal data and sensitive personal data (known as “special category” under the GDPR)) collected, held, and processed by the Company.
2.2 This Policy applies to all staff of the Company, including but not limited to employees, agents, contractors, consultants, temporary staff, casual or agency staff, or other suppliers or data processors working for or on behalf of the Company.
2.3 This Policy applies to all data breaches, whether suspected or confirmed.

3. Data Breaches
3.1 For the purposes of this Policy, a data breach means any event or action (accidental or deliberate) which presents a threat to the security, integrity, confidentiality, or availability of data.
3.2 Incidents to which this Policy applies may include, but not be limited to:
a) the loss or theft of a physical data record;
b) the loss or theft of computer equipment (e.g. laptop), mobile devices (e.g. smartphone or tablet), portable data storage devices (e.g. USB drive), or other data storage devices;
c) equipment failure;
d) unauthorised access to, use of, or modification of data (or inadequate access controls allowing unauthorised access, use, or modification);
e) unauthorised disclosure of data;
f) human error (e.g. sending data to the wrong recipient);
g) unforeseen circumstances such as fire or flood;
h) hacking, phishing, and other ‘blagging’ offences whereby information is obtained by deception;

4. Internal Reporting
4.1 If a data breach is discovered or suspected, members of staff should complete a Data Breach Report Form (available from Rance Healthcare Services Ltd) and send the completed form to [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department].
4.2 A completed Data Breach Report Form should include full and accurate details about the incident including, but not limited to (where applicable):
a) the time and date of the breach;
b) the time and date the breach was discovered;
c) the type(s) of data involved;
d) where the breach involves personal data, the category(ies) of data subjects to which the personal data relates (e.g. customers, employees etc.);
e) whether or not any sensitive personal data is involved;
f) how many data subjects are likely to be affected (if known);
4.3 Where appropriate, members of staff should liaise with their Security Manager when completing a Data Breach Report Form.
4.4 If a data breach occurs or is discovered outside of normal working hours, it should be reported as soon as is reasonably practicable.
4.5 Unless and until instructed to by [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department], members of staff should not take any further action with respect to a data breach. In particular, individual members of staff should not take it upon themselves to notify affected data subjects, the ICO, or any other individuals or organisations.

5. Initial Management and Recording
5.1 Upon receipt of a Data Breach Report Form (or upon being notified of a data breach in any other way), [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall begin by determining whether the data breach is still occurring. If this is the case, appropriate steps shall be taken immediately to minimise the effects of the data breach and to stop it.
5.2 Having established the above, the following steps shall then be taken with respect to the data breach:
a) undertake an initial assessment of the data breach, liaising with the relevant staff and departments where appropriate, to establish the severity of the data breach;
b) contain the data breach and, to the extent reasonably practicable, recover, amend, or restrict the availability of (e.g. by changing or revoking access permissions or by temporarily making the data unavailable electronically) the affected data;
c) determine whether anything further can be done to recover the data and/or other losses, and to limit the damage caused by the breach;
d) establish who needs to be notified initially (including, if physical records or equipment have been lost or stolen, the police) as part of the initial containment;
e) determine, in liaison with the relevant staff and departments, the best course of action to resolve and remedy the data breach; and
f) record the breach and the initial steps taken above in the Company’s Data Breach Register.
5.3 Having completed the initial steps described above, [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall proceed with investigating and assessing the data breach as described in Part 6, below.

6. Investigation and Assessment
6.1 [The Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall begin an investigation of a data breach as soon as is reasonably possible after receiving a Data Breach Report Form (or being notified in any other way) and, in any event, within 24 hours of the data breach being discovered and/or reported.
6.2 Investigations and assessments must take the following into account:
a) the type(s) of data involved (and, in particular, whether the data is personal data or sensitive personal data);
b) the sensitivity of the data (both commercially and personally);
c) what the data breach involved;
d) what organisational and technical measures were in place to protect the data;
e) what might be done with the data as a result of a breach (including unlawful or otherwise inappropriate misuse);
f) where personal data is involved, what that personal data could tell a third party about the data subjects to whom the data relates;
g) the category or categories of data subject to whom any personal data relates;
h) the number of data subjects (or approximate number if calculating an exact number is not reasonably practicable) likely to be affected by the data breach;
i) the potential effects on the data subjects involved;
j) the potential consequences for the Company;
k) the broader consequences of the data breach, both for data subjects and for the Company;
6.3 The results of the investigation and assessment described above must be recorded in the Company’s Data Breach Register.
6.4 Having completed the investigation and assessment described above, [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall determine the parties to be notified of the breach as described in Part 7, below.

7. Notification
7.1 [The Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall determine whether to notify one or more of the following parties of the breach:
a) affected data subjects;
b) the ICO;
c) the police;
d) the Company’s insurers;
e) affected commercial partners;
7.2 When considering whether (and how) to notify individual data subjects in the event of a personal data breach, the following should be considered:
a) the likelihood that data subjects’ rights and freedoms as set out in the GDPR (and the Company’s Data Protection Policy) will be adversely affected;
b) whether there is a legal or contractual requirement to notify;
c) whether measures in place to protect the affected personal data (e.g. pseudonymisation or encryption) have been applied, thereby rendering the data unusable to any unauthorised parties;
d) whether measures have been taken following the data breach that will ensure that a high risk to the rights and freedoms of affected data subjects is no longer likely to occur;
e) the benefits to data subjects of being notified (e.g. giving them the opportunity to mitigate the risks posed by the data breach);
f) whether notifying individuals will involve disproportionate effort (in which case a public communication or other widely available notice may suffice, provided that affected data subjects will still be informed effectively);
g) the best way of notifying data subjects, taking into account the urgency of the situation and the security of the possible methods;
h) any special considerations applicable to certain categories of data subject (e.g. children or vulnerable people);
i) the information that should be provided to affected data subjects;
j) how to make it easy for affected data subjects to contact the Company to find out more about the data breach;
k) further assistance that the Company should provide to the affected data subjects, where appropriate;
l) the risks of over-notifying – not all data breaches require notification and excessive notification may result in disproportionate work and numbers of enquiries from individuals;
7.3 When individual data subjects are to be informed of a data breach, those individuals must be informed of the breach without undue delay. Individuals shall be provided with the following information:
a) a user-friendly description of the data breach, including how and when it occurred, the personal data involved, and the likely consequences;
b) clear and specific advice, where relevant, on the steps individuals can take to protect themselves;
c) a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects;
d) contact details for [the Company’s Data Protection Officer] OR [an individual or department within the Company] from whom affected individuals can obtain further information about the data breach.
7.4 When considering whether (and how) to notify the ICO of a data breach, the following should be considered:
a) the risk and potential harm to data subjects, their rights, and freedoms – harm can include (but is not limited to) financial harm, physical harm, loss of control over personal data, discrimination, identity theft or fraud, damage to reputation, and emotional distress;
b) the volume of personal data involved – the ICO should be notified if a large volume of data is involved and there is a real risk of data subjects suffering harm as a result; however, it may also be appropriate to notify the ICO if a smaller amount of high-risk data is involved;
c) the sensitivity of the data involved – the more sensitive the personal data is, the less the volume of it is relevant and if the data breach presents a significant risk of data subjects suffering substantial detriment or distress, the ICO should be notified.
7.5 If the ICO is to be notified of a data breach, this must be done within 72 hours of becoming aware of the breach, where feasible. This time limit applies even if complete details of the data breach are not yet available. The ICO must be provided with the following information:
a) the category or categories and the approximate number of data subjects whose personal data is affected by the data breach;
b) the category or categories and the approximate number of personal data records involved;
c) the name and contact details of [the Company’s Data Protection Officer] OR [the individual or department within the Company] from which the ICO can obtain further information about the data breach;
d) a description of the likely consequences of the data breach; and
e) a description of the measures taken (or proposed to be taken) to address the data breach including, where relevant, measures taken to mitigate any possible adverse effects.
7.6 The police may have been contacted at an earlier point in the data breach procedure (see 5.2); however, further investigation may reveal that the data breach resulted from a criminal act, in which case the police should be further informed.
7.7 Records must be kept of all data breaches, regardless of whether notification is required. The decision-making process surrounding notification should be documented and recorded in the Company’s Data Breach Register.

8. Evaluation and Response
8.1 When the steps set out above have been completed, the data breach has been contained, and all necessary parties notified, [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall conduct a complete review of the causes of the data breach, the effectiveness of the measures taken in response, and whether any systems, policies, or procedures can be changed to prevent data breaches from occurring in the future.
8.2 Such reviews shall, in particular, consider the following with respect to data (and in particular, personal data) collected, held, and processed by the Company:
a) where and how data is held and stored;
b) the current organisational and technical security measures in place to protect data and the risks and possible weaknesses of those measures;
c) the methods of data transmission for both physical and electronic data and whether or not such methods are secure;
d) the level of data sharing that takes place and whether or not that level is necessary;
e) whether any data protection impact assessments need to be conducted or updated;
f) staff awareness and training concerning data protection;
8.3 Where possible improvements and/or other changes are identified, [the Company’s Data Protection Officer] OR [Rance Healthcare Services Ltd] OR [Security Department] shall liaise with [Security Manager] OR [Security Department] OR [the relevant staff [and/or departments]] with respect to the implementation of such improvements and/or changes.

9. Policy Review and Implementation
9.1 This Policy will be updated as necessary to reflect current best practice, official guidance, and in line with current legislation.
9.2 This Policy shall be deemed effective as of 28 December 2020. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:
Name: Edwin Rance
Position: Director
Date: 28 December 2020
Due for Review by: 28 December 2021
Signature: Rance Healthcare Services Ltd

 

IT Security Policy

Rance Healthcare Services Ltd
28 December 2020

1. Introduction
This document sets out the measures to be taken by all employees of Rance Healthcare Services Ltd (the “Company”) and by the Company as a whole in order to protect the Company’s computer systems, devices, infrastructure, computing environment and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.

2. Key Principles
2.1 All IT Systems are to be protected against unauthorised access.
2.2 All IT Systems are to be used only in compliance with relevant Company Policies.
2.3 All employees of the Company and any and all third parties authorised to use the IT Systems including, but not limited to, contractors and sub-contractors (collectively, “Users”), must ensure that they are familiar with this Policy and must adhere to and comply with it at all times.
2.4 All line managers must ensure that all Users under their control and direction must adhere to and comply with this Policy at all times as required under paragraph 2.3.
2.5 All data stored on IT Systems are to be managed securely in compliance with all relevant parts of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”) and all other laws governing data protection whether now or in the future in force.
2.6 All data stored on IT Systems are to be classified appropriately (including, but not limited to, personal data, sensitive personal data, and confidential information) [with reference to auction data security]. All data so classified must be handled appropriately in accordance with its classification.
2.7 All data stored on IT Systems shall be available only to those Users with a legitimate need for access.
2.8 All data stored on IT Systems shall be protected against unauthorised access and/or processing.
2.9 All data stored on IT Systems shall be protected against loss and/or corruption.
2.10 All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by Rancers Pro (the “IT Department”) or by such third party/parties as the IT Department may from time to time authorise.
2.11 The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the IT Department unless expressly stated otherwise.
2.12 All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the IT Department. [Any breach which is either known or suspected to involve personal data shall be reported to the Data Protection Officer, Rance Healthcare Services Ltd.]
2.13 All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the IT Department. [If any such concerns relate in any way to personal data, such concerns must [also] OR [instead] be reported to the Data Protection Officer.]

3. IT Department Responsibilities
3.1 The IT Manager, Rance Healthcare Services Ltd, shall be responsible for the following:
a) ensuring that all IT Systems are assessed and deemed suitable for compliance with the Company’s security requirements;
b) ensuring that IT security standards within the Company are effectively implemented and regularly reviewed, working in consultation with the Company’s senior management [and Data Protection Officer, as appropriate,] and reporting the outcome of such reviews to the Company’s senior management;
c) ensuring that all Users are kept aware of the requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR and the Computer Misuse Act 1990.
3.2 The IT Staff shall be responsible for the following:
a) assisting all Users in understanding and complying with this Policy;
b) providing all Users with appropriate support and training in IT security matters and use of IT Systems;
c) ensuring that all Users are granted levels of access to IT Systems that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;
d) receiving and handling all reports relating to IT security matters and taking appropriate action in response [including, in the event that any reports relate to personal data, informing the Data Protection Officer];
e) taking proactive action, where possible, to establish and implement IT security procedures and raise User awareness;
f) assisting the IT Manager in monitoring all IT security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future; and
g) ensuring that regular backups are taken of all data stored within the IT Systems at intervals no less than 1 hour and that such backups are stored at a suitable location [onsite] AND/OR [offsite]. All backups should be encrypted [using SSL encryption].

4. Users’ Responsibilities
4.1 All Users must comply with all relevant parts of this Policy at all times when using the IT Systems.
4.2 All Users must use the IT Systems only within the bounds of UK law and must not use the IT Systems for any purpose or activity which is likely to contravene any UK law whether now or in the future in force.
4.3 Users must immediately inform the IT Department [(and, where such concerns relate to personal data, the Data Protection Officer)] of any and all security concerns relating to the IT Systems.
4.4 Users must immediately inform the IT Department of any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems.
4.5 Any and all deliberate or negligent breaches of this Policy by Users will be handled as appropriate under the Company’s disciplinary procedures.

5. Software Security Measures
5.1 All software in use on the IT Systems (including, but not limited to, operating systems, individual software applications, and firmware) will be kept up-to-date and any and all relevant software updates, patches, fixes, and other intermediate releases will be applied at the sole discretion of the IT Department. This provision does not extend to upgrading software to new ‘major releases’ (e.g. from version 1.0 to version 2.0), only to updates within a particular major release (e.g. from version 1.0 to version 1.0.1 etc.). Unless a software update is available free of charge it will be classed as a major release, falling within the remit of new software procurement and outside the scope of this provision.
5.2 Where any security flaw is identified in any software that flaw will be either fixed immediately or the software may be withdrawn from the IT Systems until such time as the security flaw can be effectively remedied. [If the security flaw affects, is likely to affect, or is suspected to affect any personal data, the Data Protection Officer shall be informed immediately.]
5.3 No Users may install any software of their own, whether that software is supplied on physical media or whether it is downloaded, without the approval of the IT Manager. Any software belonging to Users must be approved by the IT Manager and may only be installed where that installation poses no security risk to the IT Systems and where the installation would not breach any licence agreements to which that software may be subject.
5.4 All software will be installed onto the IT Systems by the IT Department unless an individual User is given written permission to do so by the IT Manager. Such written permission must clearly state which software may be installed and onto which computer(s) or device(s) it may be installed.

6. Anti-Virus Security Measures
6.1 Most IT Systems (including all computers and servers) will be protected with suitable anti-virus, firewall, and other suitable internet security software. All such software will be kept up-to-date with the latest software updates and definitions.
6.2 All IT Systems protected by anti-virus software will be subject to a full system scan at least every hour.
6.3 All physical media (e.g. USB memory sticks or disks of any kind) used by Users for transferring files must be virus-scanned before any files may be transferred. Such virus scans shall be performed [automatically upon connection / insertion of media] OR [by the User] OR [by the IT Staff / Manager].
6.4 Users shall be permitted to transfer files using cloud storage systems only with the approval of the IT Manager. [All files downloaded from any cloud storage system must be scanned for viruses during the download process.]
6.5 Any files being sent to third parties outside the Company, whether by email, on physical media, or by other means (e.g. shared cloud storage) must be scanned for viruses before being sent or as part of the sending process, as appropriate. [All email attachments are scanned automatically upon sending.]
6.6 Where any virus is detected by a User this must be reported immediately to the IT Department (this rule shall apply even where the anti-virus software automatically fixes the problem). The IT Department shall promptly take any and all necessary action to remedy the problem. In limited circumstances this may involve the temporary removal of the affected computer or device. Wherever possible a suitable replacement computer or device will be provided [immediately] OR [within one hour] to limit disruption to the User.
6.7 [If any virus or other malware affects, is likely to affect, or is suspected to affect any personal data, in addition to the above, the issue must be reported immediately to the Data Protection Officer.]
6.8 Where any User deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.

7. Hardware Security Measures
7.1 Wherever practical, IT Systems will be located in rooms which may be securely locked when not in use or, in appropriate cases, at all times whether in use or not (with authorised Users being granted access by means of a key, smart card, door code or similar). Where access to such locations is restricted, Users must not allow any unauthorised access to such locations for any reason.
7.2 All IT Systems not intended for normal use by Users (including, but not limited to, servers, networking equipment, and network infrastructure) shall be located, wherever possible and practical, in secured, climate-controlled rooms and/or in locked cabinets which may be accessed only by designated members of the IT Department.
7.3 No Users shall have access to any IT Systems not intended for normal use by Users (including such devices mentioned above) without the express permission of the IT Manager. Under normal circumstances, whenever a problem with such IT Systems is identified by a User, that problem must be reported to the IT Department. Under no circumstances should a User attempt to rectify any such problems without the express permission (and, in most cases, instruction and/or supervision) of the IT Manager.
7.4 All non-mobile devices (including, but not limited to, desktop computers, workstations, and monitors) shall, wherever possible and practical, be physically secured in place with a suitable locking mechanism. Where the design of the hardware allows, computer cases shall be locked to prevent tampering with or theft of internal components.
7.5 All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company should always be transported securely and handled with care. In circumstances where such mobile devices are to be left unattended they should be placed inside a lockable case or other suitable container. Users should make all reasonable efforts to avoid leaving such mobile devices unattended at any location [other than their private homes or Company premises]. If any such mobile device is to be left in a vehicle it must be stored out of sight and, where possible, in a locked compartment.
7.6 The IT Department shall maintain a complete asset register of all IT Systems. All IT Systems shall be labelled, and the corresponding data shall be kept on the asset register.

8. Access Security
8.1 Access privileges for all IT Systems shall be determined on the basis of Users’ levels of authority within the Company and the requirements of their job roles. Users shall not be granted access to any IT Systems or electronic data which are not reasonably required for the fulfilment of their job roles.
8.2 All IT Systems (and in particular mobile devices including, but not limited to, laptops, tablets, and smartphones) shall be protected with a secure password or passcode, or such other form of secure log-in system as the IT Department may deem appropriate and approve. Not all forms of biometric log-in are considered secure. Only those methods approved by the IT Department may be used.
8.3 All passwords must, where the software, computer, or device allows:
a) be at least 8 characters long;
b) contain a combination of upper and lower case letters / numbers / spaces / symbols etc.;
c) be changed at least every 30 days;
d) be different from the previous password;
e) not be obvious or easily guessed (e.g. birthdays or other memorable dates, memorable names, events, or places etc.); and
f) be created by individual Users.
8.4 Passwords should be kept secret by each User. Under no circumstances should a User share their password with anyone, including the IT Manager and the IT Staff. No User will be legitimately asked for their password by anyone at any time and any such request should be refused. If a User has reason to believe that another individual has obtained their password, they should change their password immediately [and report the suspected breach of security to the IT Department [and, where personal data could be accessed by an unauthorised individual, the Data Protection Officer]].
8.5 If a User forgets their password, this should be reported to the IT Department. The IT Department will take the necessary steps to restore the User’s access to the IT Systems which may include the issuing of a temporary password which may be fully or partially known to the member of the IT Staff responsible for resolving the issue. A new password must be set up by the User immediately upon the restoration of access to the IT Systems.
8.6 Users should not write down passwords if it is possible to remember them. If a User cannot remember a password, it should be stored securely (e.g. in a locked drawer or in a secure password database) and under no circumstances should passwords be left on display for others to see (e.g. by attaching a note to a computer display).
8.7 All IT Systems with displays and user input devices (e.g. mouse, keyboard, touchscreen etc.) shall be protected, where possible, with a password protected screensaver that will activate after 30 minutes of inactivity. This time period cannot be changed by Users and Users may not disable the screensaver. Activation of the screensaver will not interrupt or disrupt any other activities taking place on the computer (e.g. data processing).
8.8 All mobile devices (including, but not limited to, laptops, tablets, and smartphones) provided by the Company shall be set to lock, sleep, or similar, after 30 minutes of inactivity, requiring a password, passcode, or other form of log-in to unlock, wake, or similar. Users may not alter this time period.
8.9 Users may not use any software which may allow outside parties to access the IT Systems without the express consent of the IT Manager. Any such software must be reasonably required by the User for the performance of their job role and must be fully inspected and cleared by the IT Manager [and, where such access renders personal data accessible by the outside party, the Data Protection Officer].
8.10 [Users may connect their own devices (including, but not limited to, laptops, tablets, and smartphones) to the [Rance Healthcare Services Ltd] Company network[s] subject to the approval of the IT Department. Any and all instructions and requirements provided by the IT Department governing the use of Users’ own devices when connected to the Company network must be followed at all times. Users’ use of their own devices shall be subject to, and governed by, all relevant Company Policies (including, but not limited to, this Policy) while those devices are connected to the Company network or to any other part of the IT Systems. The IT Department shall reserve the right to request the immediate disconnection of any such devices without notice.]

9. Data Storage Security
9.1 All data, and in particular personal data, should be stored securely using passwords and [SSL] data encryption.
9.2 All data stored electronically on physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.
9.3 No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise [without the formal written approval of the Data Protection Officer and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary].
9.4 No data, and in particular personal data, should be transferred to any computer or device personally belonging to a User unless the User in question is a contractor or sub-contractor working on behalf of the Company and that User has agreed to comply fully with the Company’s Data Protection Policy and the GDPR.

10. Data Protection
10.1 All personal data (as defined in the GDPR) collected, held, and processed by the Company will be collected, held, and processed strictly in accordance with the principles of the GDPR, the provisions of the GDPR and the Company’s Data Protection Policy.
10.2 All Users handling data for and on behalf of the Company shall be subject to, and must comply with, the provisions of the Company’s Data Protection Policy at all times. In particular, the following shall apply:
a) All emails containing personal data must be encrypted [using SSL encryption];
b) All emails containing personal data must be marked “confidential”;
c) Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances;
d) Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
e) Personal data contained in the body of an email, whether sent or received, should be copied directly from the body of that email, and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted [using data clearing or data wiping method of deletion];
f) All personal data to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked “confidential”; and
g) Where any confidential or personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
10.3 Any questions relating to data protection should be referred to [the Data Protection Officer,] Rance Healthcare Services Ltd.

11. Internet and Email Use
11.1 All Users shall be subject to, and must comply with, the provisions of the Company’s Communications, Email and Internet Policy when using the IT Systems.
11.2 Where provisions in this Policy require any additional steps to be taken to ensure IT security when using the internet or email over and above the requirements imposed by the Communications, Email and Internet Policy, Users must take such steps as required.

12. Reporting IT Security Breaches
12.1 Subject to paragraph 12.2, all concerns, questions, suspected breaches, or known breaches shall be referred immediately to [Rance Healthcare Services Ltd] OR [the IT Department] OR [the IT Manager] OR [a member of the IT Staff].
12.2 [All concerns, questions, suspected breaches, or known breaches that involve personal data shall be referred immediately to the Data Protection Officer who shall handle the matter in accordance with the Company’s Data Protection Policy.]
12.3 Upon receiving a question or notification of a breach, the IT Department shall, within one hour, assess the issue including, but not limited to, the level of risk associated therewith, and shall take any and all such steps as the IT Department deems necessary to respond to the issue.
12.4 Under no circumstances should a User attempt to resolve an IT security breach on their own without first consulting the IT Department [(or the Data Protection Officer, as appropriate)]. Users may only attempt to resolve IT security breaches under the instruction of, and with the express permission of, the IT Department.
12.5 All IT security breaches, whether remedied by the IT Department or by a User under the IT Department’s direction, shall be fully documented.

13. Policy Review
The Company shall review this Policy not less than every 30 days and otherwise as required in order to ensure that it remains up-to-date and fit for purpose. All questions, concerns, and other feedback relating to this Policy should be communicated to the IT Manager, Rance Healthcare Services Ltd [and/or the Data Protection Officer, Security Manager].

14. Implementation of Policy
This Policy shall be deemed effective as of 16 October 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:
Name: Edwin Rance
Position: Director
Date: 28 December 2020
Due for Review by: 28 December 2021
Signature: Rance Healthcare Services Ltd.

 

Data Protection Policy

Rance Healthcare Services Ltd
28 December 2020

1. Introduction
This Policy sets out the obligations of Rance Healthcare Services Ltd, a company registered in England under company registration number 12154188, whose registered office is at 3rd & 4th Floors, 84 Salop Street, Wolverhampton, West Midlands, WV3 0SR (“the Company”) regarding data protection and the rights of customers and business contacts (“data subjects”) in respect of their personal data under EU Regulation 2016/679 General Data Protection Regulation (“GDPR”).
The GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data. The procedures and principles set out herein must be followed at all times by the Company, its employees, agents, contractors, or other parties working on behalf of the Company.
The Company is committed not only to the letter of the law, but also to the spirit of the law and places high importance on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.

2. The Data Protection Principles
This Policy aims to ensure compliance with the GDPR. The GDPR sets out the following principles with which any party handling personal data must comply. All personal data must be:
2.1 Processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2.2 Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
2.3 Adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
2.4 Accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased, or rectified without delay.
2.5 Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
2.6 Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

3. The Rights of Data Subjects
The GDPR sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):
3.1 The right to be informed (Part 12);
3.2 The right of access (Part 13);
3.3 The right to rectification (Part 14);
3.4 The right to erasure (also known as the ‘right to be forgotten’) (Part 15);
3.5 The right to restrict processing (Part 16);
3.6 The right to data portability (Part 17);
3.7 The right to object (Part 18); and
3.8 Rights with respect to automated decision-making and profiling (Parts 19 and 20).

4. Lawful, Fair, and Transparent Data Processing
4.1 The GDPR seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The GDPR states that processing of personal data shall be lawful if at least one of the following applies:
4.1.1 The data subject has given consent to the processing of their personal data for one or more specific purposes;
4.1.2 The processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract with them;
4.1.3 The processing is necessary for compliance with a legal obligation to which the data controller is subject;
4.1.4 The processing is necessary to protect the vital interests of the data subject or of another natural person;
4.1.5 The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; or
4.1.6 The processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
4.2 [If the personal data in question is “special category data” (also known as “sensitive personal data”) (for example, data concerning the data subject’s race, ethnicity, politics, religion, trade union membership, genetics, biometrics (if used for ID purposes), health, sex life, or sexual orientation), at least one of the following conditions must be met:
4.2.1 The data subject has given their explicit consent to the processing of such data for one or more specified purposes (unless EU or EU Member State law prohibits them from doing so);
4.2.2 The processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data controller or of the data subject in the field of employment, social security, and social protection law (insofar as it is authorised by EU or EU Member State law or a collective agreement pursuant to EU Member State law which provides for appropriate safeguards for the fundamental rights and interests of the data subject);
4.2.3 The processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
4.2.4 The data controller is a foundation, association, or other non-profit body with a political, philosophical, religious, or trade union aim, and the processing is carried out in the course of its legitimate activities, provided that the processing relates solely to the members or former members of that body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed outside the body without the consent of the data subjects;
4.2.5 The processing relates to personal data which is clearly made public by the data subject;
4.2.6 The processing is necessary for the conduct of legal claims or whenever courts are acting in their judicial capacity;
4.2.7 The processing is necessary for substantial public interest reasons, on the basis of EU or EU Member State law which shall be proportionate to the aim pursued, shall respect the essence of the right to data protection, and shall provide for suitable and specific measures to safeguard the fundamental rights and interests of the data subject;
4.2.8 The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of an employee, for medical diagnosis, for the provision of health or social care or treatment, or the management of health or social care systems or services on the basis of EU or EU Member State law or pursuant to a contract with a health professional, subject to the conditions and safeguards referred to in Article 9(3) of the GDPR;
4.2.9 The processing is necessary for public interest reasons in the area of public health, for example, protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or EU Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject (in particular, professional secrecy); or
4.2.10 The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1) of the GDPR based on EU or EU Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection, and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.]

5. Specified, Explicit, and Legitimate Purposes
5.1 The Company collects and processes the personal data set out in Part 21 of this Policy. This includes:
5.1.1 Personal data collected directly from data subjects[.] OR [; and]
5.1.2 [Personal data obtained from third parties.]
5.2 The Company only collects, processes, and holds personal data for the specific purposes set out in Part 21 of this Policy (or for other purposes expressly permitted by the GDPR).
5.3 Data subjects are kept informed at all times of the purpose or purposes for which the Company uses their personal data. Please refer to Part 12 for more information on keeping data subjects informed.

6. Adequate, Relevant, and Limited Data Processing
The Company will only collect and process personal data for and to the extent necessary for the specific purpose or purposes of which data subjects have been informed (or will be informed) as under Part 5, above, and as set out in Part 21, below.

7. Accuracy of Data and Keeping Data Up-to-Date
7.1 The Company shall ensure that all personal data collected, processed, and held by it is kept accurate and up-to-date. This includes, but is not limited to, the rectification of personal data at the request of a data subject, as set out in Part 14, below.
7.2 The accuracy of personal data shall be checked when it is collected and at [regular] OR [<<insert interval>>] intervals thereafter. If any personal data is found to be inaccurate or out-of-date, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.

8. Data Retention
8.1 The Company shall not keep personal data for any longer than is necessary in light of the purpose or purposes for which that personal data was originally collected, held, and processed.
8.2 When personal data is no longer required, all reasonable steps will be taken to erase or otherwise dispose of it without delay.
8.3 For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by the Company, please refer to our Data Retention Policy.

9. Secure Processing
The Company shall ensure that all personal data collected, held, and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the technical and organisational measures which shall be taken are provided in Parts 22 to 27 of this Policy.

10. Accountability and Record-Keeping
10.1 The Company’s Data Protection Officer is …….., and you can contact her via email.
10.2 The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy, the Company’s other data protection-related policies, and with the GDPR and other applicable data protection legislation.
10.3 The Company shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
10.3.1 The name and details of the Company, its Data Protection Officer, and any applicable third-party data processors;
10.3.2 The purposes for which the Company collects, holds, and processes personal data;
10.3.3 Details of the categories of personal data collected, held, and processed by the Company, and the categories of data subject to which that personal data relates;
10.3.4 Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards;
10.3.5 Details of how long personal data will be retained by the Company (please refer to the Company’s Data Retention Policy); and
10.3.6 Detailed descriptions of all technical and organisational measures taken by the Company to ensure the security of personal data.

11. Data Protection Impact Assessments
11.1 The Company shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data [which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the GDPR].
11.2 Data Protection Impact Assessments shall be overseen by the Data Protection Officer and shall address the following:
11.2.1 The type(s) of personal data that will be collected, held, and processed;
11.2.2 The purpose(s) for which personal data is to be used;
11.2.3 The Company’s objectives;
11.2.4 How personal data is to be used;
11.2.5 The parties (internal and/or external) who are to be consulted;
11.2.6 The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
11.2.7 Risks posed to data subjects;
11.2.8 Risks posed both within and to the Company; and
11.2.9 Proposed measures to minimise and handle identified risks.

12. Keeping Data Subjects Informed
12.1 The Company shall provide the information set out in Part 12.2 to every data subject:
12.1.1 Where personal data is collected directly from data subjects, those data subjects will be informed of its purpose at the time of collection; and
12.1.2 Where personal data is obtained from a third party, the relevant data subjects will be informed of its purpose:
a) if the personal data is used to communicate with the data subject, when the first communication is made; or
b) if the personal data is to be transferred to another party, before that transfer is made; or
c) as soon as reasonably possible and in any event not more than one month after the personal data is obtained.
12.2 The following information shall be provided:
12.2.1 Details of the Company including, but not limited to, the identity of its Data Protection Officer;
12.2.2 The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 21 of this Policy) and the legal basis justifying that collection and processing;
12.2.3 Where applicable, the legitimate interests upon which the Company is justifying its collection and processing of the personal data;
12.2.4 Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
12.2.5 Where the personal data is to be transferred to one or more third parties, details of those parties;
12.2.6 Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details);
12.2.7 Details of data retention;
12.2.8 Details of the data subject’s rights under the GDPR;
12.2.9 Details of the data subject’s right to withdraw their consent to the Company’s processing of their personal data at any time;
12.2.10 Details of the data subject’s right to complain to the Information Commissioner’s Office (the “supervisory authority” under the GDPR);
12.2.11 Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it; and
12.2.12 Details of any automated decision-making or profiling that will take place using the personal data, including information on how decisions will be made, the significance of those decisions, and any consequences.

13. Data Subject Access
13.1 Data subjects may make subject access requests (“SARs”) at any time to find out more about the personal data which the Company holds about them, what it is doing with that personal data, and why.
13.2 Employees wishing to make a SAR should do so using a Subject Access Request Form, sending the form to the Company’s Data Protection Officer at <<insert contact details>>.
13.3 Responses to SARs shall normally be made within one month of receipt; however, this may be extended by up to two months if the SAR is complex and/or numerous requests are made. If such additional time is required, the data subject shall be informed.
13.4 All SARs received shall be handled by the Company’s Data Protection Officer.
13.5 The Company does not charge a fee for the handling of normal SARs. The Company reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.

14. Rectification of Personal Data
14.1 Data subjects have the right to require the Company to rectify any of their personal data that is inaccurate or incomplete.
14.2 The Company shall rectify the personal data in question, and inform the data subject of that rectification, within one month of the data subject informing the Company of the issue. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
14.3 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification that must be made to that personal data.

15. Erasure of Personal Data
15.1 Data subjects have the right to request that the Company erases the personal data it holds about them in the following circumstances:
15.1.1 It is no longer necessary for the Company to hold that personal data with respect to the purpose(s) for which it was originally collected or processed;
15.1.2 The data subject wishes to withdraw their consent to the Company holding and processing their personal data;
15.1.3 The data subject objects to the Company holding and processing their personal data (and there is no overriding legitimate interest to allow the Company to continue doing so) (see Part 18 of this Policy for further details concerning the right to object);
15.1.4 The personal data has been processed unlawfully;
15.1.5 The personal data needs to be erased in order for the Company to comply with a particular legal obligation[;] OR [.]
15.1.6 [The personal data is being held and processed for the purpose of providing information society services to a child.]
15.2 Unless the Company has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request. The period can be extended by up to two months in the case of complex requests. If such additional time is required, the data subject shall be informed.
15.3 In the event that any personal data that is to be erased in response to a data subject’s request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).

16. Restriction of Personal Data Processing
16.1 Data subjects may request that the Company ceases processing the personal data it holds about them. If a data subject makes such a request, the Company shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
16.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).

17. [Data Portability
17.1 The Company processes personal data using automated means. <<Insert details of automated processing>>.
17.2 Where data subjects have given their consent to the Company to process their personal data in such a manner, or the processing is otherwise required for the performance of a contract between the Company and the data subject, data subjects have the right, under the GDPR, to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers).
17.3 To facilitate the right of data portability, the Company shall make available all applicable personal data to data subjects in the following format[s]:
17.3.1 <<list format(s) to be used>>;
17.3.2 <<add further formats as required>>.
17.4 Where technically feasible, if requested by a data subject, personal data shall be sent directly to the required data controller.
17.5 All requests for copies of personal data shall be complied with within one month of the data subject’s request. The period can be extended by up to two months in the case of complex or numerous requests. If such additional time is required, the data subject shall be informed.]

18. Objections to Personal Data Processing
18.1 Data subjects have the right to object to the Company processing their personal data based on legitimate interests, direct marketing (including profiling), [and processing for scientific and/or historical research and statistics purposes].
18.2 Where a data subject objects to the Company processing their personal data based on its legitimate interests, the Company shall cease such processing immediately, unless it can be demonstrated that the Company’s legitimate grounds for such processing override the data subject’s interests, rights, and freedoms, or that the processing is necessary for the conduct of legal claims.
18.3 Where a data subject objects to the Company processing their personal data for direct marketing purposes, the Company shall cease such processing immediately.
18.4 [Where a data subject objects to the Company processing their personal data for scientific and/or historical research and statistics purposes, the data subject must, under the GDPR, “demonstrate grounds relating to his or her particular situation”. The Company is not required to comply if the research is necessary for the performance of a task carried out for reasons of public interest.]

19. [Automated Decision-Making
19.1 The Company uses personal data in automated decision-making processes. <<Insert details of automated decision-making>>.
19.2 Where such decisions have a legal (or similarly significant) effect on data subjects, those data subjects have the right to challenge such decisions under the GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from the Company.
19.3 The right described in Part 19.2 does not apply in the following circumstances:
19.3.1 The decision is necessary for the entry into, or performance of, a contract between the Company and the data subject;
19.3.2 The decision is authorised by law; or
19.3.3 The data subject has given their explicit consent.]

20. [Profiling
20.1 The Company uses personal data for profiling purposes. <<Insert details of profiling activities>>.
20.2 When personal data is used for profiling purposes, the following shall apply:
20.2.1 Clear information explaining the profiling shall be provided to data subjects, including the significance and likely consequences of the profiling;
20.2.2 Appropriate mathematical or statistical procedures shall be used;
20.2.3 Technical and organisational measures shall be implemented to minimise the risk of errors. If errors occur, such measures must enable them to be easily corrected; and
20.2.4 All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 22 to 26 of this Policy for more details on data security).]

21. Personal Data Collected, Held, and Processed
The following personal data is collected, held, and processed by the Company (for details of data retention, please refer to the Company’s Data Retention Policy):
Data Ref. | Type of Data | Purpose of Data
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>
<<insert ref>> | <<insert data type>> | <<describe purpose of data>>

22. Data Security – Transferring Personal Data and Communications
The Company shall ensure that the following measures are taken with respect to all communications and other transfers involving personal data:
22.1 All emails containing personal data must be encrypted [using SSL encryption];
22.2 All emails containing personal data must be marked “confidential”;
22.3 Personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted in any circumstances;
22.4 Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
22.5 Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted manually;
22.6 Where personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
22.7 Where personal data is to be transferred in hard-copy form it should be passed directly to the recipient [or sent using Special delivery]; and
22.8 All personal data to be transferred physically, whether in hard-copy form or on removable electronic media shall be transferred in a suitable container marked “confidential”.

23. Data Security – Storage
The Company shall ensure that the following measures are taken with respect to the storage of personal data:
23.1 All electronic copies of personal data should be stored securely using passwords and [SSL] data encryption;
23.2 All hard-copies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in a locked box, drawer, cabinet, or similar;
23.3 All personal data stored electronically should be backed up every hour with backups stored [onsite] AND/OR [offsite]. All backups should be encrypted [using SSL encryption];
23.4 No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise [without the formal written approval of Rance Healthcare Services Ltd and, in the event of such approval, strictly in accordance with all instructions and limitations described at the time the approval is given, and for no longer than is absolutely necessary]; and
23.5 No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of the Company where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the GDPR (which may include demonstrating to the Company that all suitable technical and organisational measures have been taken).

24. Data Security – Disposal
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to the Company’s Data Retention Policy.

25. Data Security – Use of Personal Data
The Company shall ensure that the following measures are taken with respect to the use of personal data:
25.1 No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of the Company requires access to any personal data that they do not already have access to, such access should be formally requested from Rance Healthcare Services Ltd Manager(s) and/or Rance Healthcare Services Ltd Data Security Department;
25.2 No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of the Company or not, without the authorisation of Rance Healthcare Services Ltd Manager(s) and/or Rance Healthcare Services Ltd Data Security Department;
25.3 Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
25.4 If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and
25.5 Where personal data held by the Company is used for marketing purposes, it shall be the responsibility of Rance Healthcare Services Ltd to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service such as the TPS.

26. Data Security – IT Security
The Company shall ensure that the following measures are taken with respect to IT and information security:
26.1 All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols. [All software used by the Company is designed to require such passwords.];
26.2 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of the Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords;
26.3 All software (including, but not limited to, applications and operating systems) shall be kept up-to-date. The Company’s IT staff shall be responsible for installing any and all security-related updates [not more than 1 hour after the updates are made available by the publisher or manufacturer] OR [as soon as reasonably and practically possible] [, unless there are valid technical reasons not to do so]; and
26.4 No software may be installed on any Company-owned computer or device without the prior approval of the Rance Healthcare Services Ltd Security Department.

27. Organisational Measures
The Company shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
27.1 All employees, agents, contractors, or other parties working on behalf of the Company shall be made fully aware of both their individual responsibilities and the Company’s responsibilities under the GDPR and under this Policy, and shall be provided with a copy of this Policy;
27.2 Only employees, agents, sub-contractors, or other parties working on behalf of the Company that need access to, and use of, personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Company;
27.3 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately trained to do so;
27.4 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be appropriately supervised;
27.5 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be required and encouraged to exercise care, caution, and discretion when discussing work-related matters that relate to personal data, whether in the workplace or otherwise;
27.6 Methods of collecting, holding, and processing personal data shall be regularly evaluated and reviewed;
27.7 All personal data held by the Company shall be reviewed periodically, as set out in the Company’s Data Retention Policy;
27.8 The performance of those employees, agents, contractors, or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed;
27.9 All employees, agents, contractors, or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the GDPR and this Policy by contract;
27.10 All agents, contractors, or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the GDPR; and
27.11 Where any agent, contractor or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

28. Transferring Personal Data to a Country Outside the EEA
28.1 The Company may from time to time transfer (‘transfer’ includes making available remotely) personal data to countries outside of the EEA.
28.2 The transfer of personal data to a country outside of the EEA shall take place only if one or more of the following applies:
28.2.1 The transfer is to a country, territory, or one or more specific sectors in that country (or an international organisation), that the European Commission has determined ensures an adequate level of protection for personal data;
28.2.2 The transfer is to a country (or international organisation) which provides appropriate safeguards in the form of a legally binding agreement between public authorities or bodies; binding corporate rules; standard data protection clauses adopted by the European Commission; compliance with a code of conduct approved by a supervisory authority (e.g. the Information Commissioner’s Office); certification under an approved certification mechanism (as provided for in the GDPR); contractual clauses agreed and authorised by the competent supervisory authority; or provisions inserted into administrative arrangements between public authorities or bodies authorised by the competent supervisory authority;
28.2.3 The transfer is made with the informed consent of the relevant data subject(s);
28.2.4 The transfer is necessary for the performance of a contract between the data subject and the Company (or for pre-contractual steps taken at the request of the data subject);
28.2.5 The transfer is necessary for important public interest reasons;
28.2.6 The transfer is necessary for the conduct of legal claims;
28.2.7 The transfer is necessary to protect the vital interests of the data subject or other individuals where the data subject is physically or legally unable to give their consent; or
28.2.8 The transfer is made from a register that, under UK or EU law, is intended to provide information to the public and which is open for access by the public in general or otherwise to those who are able to show a legitimate interest in accessing the register.

29. Data Breach Notification
29.1 All personal data breaches must be reported immediately to the Company’s Data Protection Officer.
29.2 If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
29.3 In the event that a personal data breach is likely to result in a high risk (that is, a higher risk than that described under Part 29.2) to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
29.4 Data breach notifications shall include the following information:
29.4.1 The categories and approximate number of data subjects concerned;
29.4.2 The categories and approximate number of personal data records concerned;
29.4.3 The name and contact details of the Company’s Data Protection Officer (or other contact point where more information can be obtained);
29.4.4 The likely consequences of the breach;
29.4.5 Details of the measures taken, or proposed to be taken, by the Company to address the breach including, where appropriate, measures to mitigate its possible adverse effects.

30. Implementation of Policy
This Policy shall be deemed effective as of 18 October 2018. No part of this Policy shall have retroactive effect; it shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:
Name: Edwin Rance
Position: Director
Date: 28 December 2020
Due for Review by: 28 December 2021
Signature: E Rance

