How we use your personal data.

Continuity Care Staffing (“CCS”, “we”, “our”) is a trading name of Lumen Intelligence Ltd, a company registered in England and Wales (company number 16681240) with its registered office at 128 City Road, London, EC1V 2NX.

Lumen Intelligence Ltd is the data controller for the personal data we process in connection with CCS's operations, and is registered with the Information Commissioner's Office (ICO).

For any data protection enquiry, contact our data controller at info@continuitycarestaffing.co.uk.

Our processing activities involve four distinct categories of data subject. The information that follows is organised by these categories so you can see what applies to you specifically.

• Website visitors — anyone visiting continuitycarestaffing.co.uk, including those who submit an enquiry through our website form.
• Workers and Worker applicants — individuals who apply to join our bank-worker pool, and Workers we have onboarded.
• Local Authority and Provider contacts — placement co-ordinators, Emergency Duty Team managers, commissioners, registered managers, FOI officers and other professionals at organisations we engage with on a B2B basis.
• Children and young people in placements — see Section 8: we do not maintain a parallel record of care activity. Where Workers handle child-level information during a shift, that information stays with the Provider's system.

When you visit our website we process the minimum data required to operate the site and respond to enquiries you choose to send us.

Data we collect

• Server log data — IP address, user agent string, request timestamp, pages requested. Collected by our hosting provider (Vercel) for security, performance and abuse prevention purposes. Retained for a maximum of 30 days.
• Web fonts — our pages reference Google Fonts for typography. When your browser fetches a font file, your IP address is briefly disclosed to Google. We do not pass any other identifying data to Google.
• Enquiry form submissions — if you complete the enquiry form, we collect: organisation type, your full name, role, organisation, work email, phone (optional), the staffing need you have indicated, and the description of the requirement.

Lawful basis

Legitimate interests (UK GDPR Article 6(1)(f)) for server logs and font delivery — operating and securing the website. Legitimate interests for enquiry-form data — responding to a B2B enquiry the data subject has voluntarily initiated. Where we hold personal contact data after the enquiry concludes, we rely on legitimate interests with a documented Legitimate Interests Assessment (LIA).

Cookies and tracking

At present this website does not use cookies for analytics, advertising, or behavioural tracking. We do not deploy Google Analytics, Meta Pixel, Hotjar, or similar tools. If we introduce any non-essential cookies in future, we will publish an updated cookie policy and ask for your consent before any cookies are set.

Joining our bank-worker pool requires CCS to verify your fitness and suitability under the Children's Homes (England) Regulations 2015 (Schedule 2). The data we hold is proportionate to that statutory framework and ring-fenced from the rest of our operations.

Data we collect

• Identity and right to work — passport, driving licence or other photo ID; share-code or right-to-work evidence.
• Vetting — Enhanced DBS certificate (children's workforce, with relevant barred-list checks); DBS Update Service subscription details; references; full employment history.
• Special category data (UK GDPR Article 9) — DBS output (criminal records data); occupational health self-declaration; outcomes of any reasonable adjustments discussion.
• Qualifications and training — Level 3 Diploma for Residential Childcare or equivalent; in-date completion of our 27-module mandatory training framework (Flourish e-learning, accredited face-to-face courses including Paediatric First Aid, Team Teach and Crisis De-escalation).
• Operational — National Insurance number, bank details for payroll, contracted address, emergency contact details.
• Assignment records — shifts worked, hours, Provider, location, post-shift confirmations.

Lawful basis

• Contract (Article 6(1)(b)) — to perform our contract with you (Casual Worker Agreement or Salaried Block Contract) and to take steps prior to entering it.
• Legal obligation (Article 6(1)(c)) — Schedule 2 fitness evidence under CHR 2015; Conduct of Employment Agencies and Employment Businesses Regulations 2003; PAYE and tax obligations; safeguarding obligations under Working Together to Safeguard Children (2026).
• Legitimate interests (Article 6(1)(f)) — the continuous suitability monitoring of the deployable pool.
• Special category Article 9 condition — processing necessary for the purposes of carrying out obligations and exercising specific rights in the field of employment, social security and social protection law (Article 9(2)(b)) and for the establishment, exercise or defence of legal claims (Article 9(2)(f)).
• Criminal records data — processed under Schedule 1 Part 2 paragraph 6 of the Data Protection Act 2018 (statutory and government purposes — safeguarding of children and individuals at risk).

We hold business contact data for professionals at Local Authorities and registered Provider organisations we engage with on a B2B basis. This data is held for the operational purposes of CCS's employment-business activity.

Data we collect

• Name, role/job title, employer (LA or Provider), work email, work phone, function (e.g. Placement Co-ordinator, Commissioner, Registered Manager).
• Activity log: meetings, calls, emails, documents shared.

Lawful basis and purpose limitation

Legitimate interests (Article 6(1)(f)) under a documented Legitimate Interests Assessment, distinguishing two processing purposes:

• B2B Outreach — establishing and maintaining a commercial relationship with placement decision-makers and commissioning leads.
• FOI Submission — submitting Freedom of Information requests under FOIA 2000 to Local Authority FOI officers, where the data subject is the FOI officer in their statutory capacity.

Under Article 5(1)(b) (purpose limitation), data held for FOI submission is not used for B2B Outreach, and vice versa. This boundary is enforced operationally and documented in our internal records.

You can object to our processing at any time by emailing info@continuitycarestaffing.co.uk. Where you opt out, your contact will be flagged as do-not-contact and removed from any further outreach.

• To respond to enquiries you submit through our website.
• To assess applications to join the bank-worker pool and to carry out Schedule 2 fitness vetting.
• To allocate Workers to Assignments at Local Authority and Provider Clients, and to deliver written Assignment-start suitability confirmation to those Clients.
• To pay Workers (PAYE).
• To maintain a defensible audit trail of compliance, refusals, escalations and Worker activity, available to Clients, Ofsted or the Employment Agency Standards Inspectorate on request.
• To establish and maintain commercial relationships with Local Authority and Provider Clients on a B2B basis.
• To submit Freedom of Information requests to Local Authority FOI officers under FOIA 2000.
• To meet our regulatory, accounting, and legal obligations, including responses to lawful requests from the police, regulators, and Local Authority Designated Officer (LADO) processes.

We share personal data only where there is a clear lawful basis and a documented purpose. Our processors and sub-processors are listed below. Each processor is subject to a written Data Processing Agreement under Article 28.

• Microsoft Ireland Operations Ltd — provider of our Microsoft 365 tenant (Exchange Online, SharePoint, Teams, OneDrive). UK and EU data residency.
• Vercel Inc. — hosting of this website. EU/US edge infrastructure with Standard Contractual Clauses for any onward transfers to the United States.
• Disclosure and Barring Service (DBS) and DBS Update Service — for Enhanced DBS checks and continuous monitoring.
• Accredited training providers — including the provider of our online learning module bundle and the named accredited providers for Paediatric First Aid, Team Teach, ASIST, and Crisis De-escalation.
• Payroll bureau — for processing Worker payments under PAYE.
• Accountancy and audit providers — for statutory accounts, tax filings and audit.
• Insurance brokers and insurers — for Employers' Liability, Public Liability and Professional Indemnity cover.
• Local Authority and Provider Clients — for Workers we have supplied to them, we share Schedule 2 evidence of suitability (DBS status, training currency, references, qualifications) on a need-to-know basis through our Compliance Visibility System and on request.
• Regulators and law enforcement — Ofsted, the Employment Agency Standards Inspectorate, the Information Commissioner's Office, the police, and Local Authority Designated Officers, where lawfully required.
• Legal and professional advisers — solicitors, where instructed in connection with a specific matter.

We do not sell personal data, nor do we share it with advertising or marketing networks. Worker applicants' data is not shared with any party other than those listed above.

CCS is an employment business, not a service operator. The following categories of data are not held by CCS:

• Child-level care records, behavioural logs, or any provider documentation beyond temporary structured shift notes used to enable a safe handover. Any such notes are returned to the Provider at the earliest opportunity; we retain only confirmation that recording and handover occurred.
• Worker location data outside of confirmed Assignment context.
• Any data collected through tracking technologies on this website, beyond essential server logs.

Most of our processing takes place in the United Kingdom and the European Economic Area. Where personal data is transferred outside the UK or EEA — for example, to providers with US-based edge infrastructure — we rely on the UK's International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or other appropriate safeguards under Article 46. A copy of the relevant safeguard is available on request.

• Worker clearance file — retained for the duration of the working relationship and for seven years after the final Assignment, in line with the regulatory expectation under the Conduct Regulations and CHR 2015. Retained for a longer period only where required for the establishment, exercise or defence of legal claims.
• Worker applicant data — where the application does not progress to onboarding, retained for twelve months from the date of the application decision, then deleted unless the applicant has consented to being kept on file longer.
• Payroll and tax records — retained for six full tax years plus the current year in accordance with HMRC requirements.
• Holiday pay records — retained for six years as required by the Employment Rights Act 2025.
• Local Authority and Provider contacts — reviewed every twenty-four months; out-of-date contacts are deleted; contacts confirmed as opted-out are marked do-not-contact and retained only for suppression list purposes.
• Enquiry-form submissions — retained for twelve months from the date the enquiry was resolved.
• Server logs — retained for a maximum of thirty days.
• Refusal and incident logs — retained for seven years from the date of the entry, for regulatory defensibility purposes.

Under UK GDPR you have the following rights:

• Access — to obtain a copy of the personal data we hold about you.
• Rectification — to correct inaccurate or incomplete data.
• Erasure — to request deletion in certain circumstances. Note that statutory retention obligations (notably Schedule 2 Worker clearance files and HMRC payroll records) may prevent erasure during the retention period.
• Restriction — to limit processing while a concern is being investigated.
• Objection — to object to processing based on legitimate interests, including any direct contact with you for B2B Outreach purposes.
• Portability — for data you have provided where processing is based on contract or consent.
• Withdrawal of consent — where we rely on consent, you may withdraw it at any time without affecting processing carried out before the withdrawal.

To exercise any of these rights, email us at info@continuitycarestaffing.co.uk. We will respond within one calendar month. Where a request is complex or numerous, we may extend by a further two months and will tell you at the outset.

If you have any concern about how we have handled your personal data, please contact our data controller in the first instance at info@continuitycarestaffing.co.uk and we will respond promptly.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

We will update this notice when our processing activities change. The “Last updated” date at the top of the page indicates when the current version came into force. Where the changes are material, we will publish a summary of what has changed.