CareCAS is a care-home governance and compliance tool. This policy explains how the app handles personal data — including the care information staff record about residents — and the responsibilities we take seriously in handling it.
Who we are & our role
CareCAS (“the app”) is published by LEK Systems Ltd (company number 17274429), of Morris Lane, Poole, Dorset, United Kingdom (“we”, “us”). Care providers use CareCAS to record CQC-aligned audits, actions, and staff supervision.
In most deployments the care provider is the data controller of the resident and staff data recorded in CareCAS, and we act as a data processor on their behalf under a written agreement. This policy explains how the app handles data; each care provider is responsible for its own privacy notice to its residents and staff.
LEK Systems Ltd is obtaining and maintaining ICO registration where required. Care providers using CareCAS remain responsible for their own regulatory obligations and registrations as data controllers.
What data we process
CareCAS records data that staff enter as part of care governance:
Staff & user data
- Name, job role, username, and password (passwords are stored only as a secure hash, never in plain text).
- Records of which staff completed audits, were assigned actions, or were subject to supervision, including performance notes.
- Typed signatures confirming a spot-check outcome.
Resident & service-user data — special category (health/care) data
- Resident and client names, room numbers, and for domiciliary care: client address, initials, and an internal reference.
- Observations about a resident’s care, safety, dignity, medication, safeguarding, and wellbeing — this is health and care data.
Photographs
- Photos staff take to evidence issues, maintenance, or compliance checks, which may incidentally include people or a resident’s environment.
Operational data
- Audit answers, issues, actions, comments, temperatures, maintenance and kitchen records, supervision records, and governance reports.
We do not collect location data, advertising identifiers, contacts, or any analytics or behavioural tracking. CareCAS contains no advertising and no third-party tracking.
How data is collected
All data is entered manually by care staff on the tablet. Photos are captured with the device camera or chosen from the device library, with the user’s permission. There is no automatic or background collection.
Why we process it
We process this data solely to provide the care-governance service to the care provider: recording audits, generating actions and compliance evidence, and producing CQC-aligned reporting.
Lawful basis. We rely on Article 6(1)(f) (legitimate interests) and, where applicable, Article 6(1)(c) (legal obligation). For special-category health and care data we rely on Article 9(2)(h) (the management of health and social care systems and services). The exact basis is also documented by the care provider as controller.
Storage & security
On the tablet: data is cached on-device to allow offline working, protected by the device’s own encryption. CareCAS is intended for provider-managed, physically controlled tablets.
Data location: all customer data is hosted and processed within the United Kingdom. Our production infrastructure is UK-based.
Security controls: access to CareCAS is controlled using account authentication, role-based permissions and encrypted communications. Passwords are stored as secure hashes and never in plain text. Communications between the app and our servers use TLS encryption, and the app does not permit unencrypted connections. Customer data is segregated by provider so one provider can never see another’s data, and photographs and uploaded evidence are stored securely within the platform. LEK Systems Ltd reviews and maintains these technical and organisational controls on an ongoing basis.
Data retention
Care records are subject to statutory retention requirements. We retain data for 7 years from the creation or closure of the record, unless contractual, legal or regulatory requirements require a longer period, after which it is deleted or returned to the provider. Administrators can erase data per module within the app.
Your rights
Under UK GDPR, individuals have rights including access, rectification, erasure, restriction, and objection. Because the care provider is usually the controller, such requests are normally directed to the provider, which we support as processor. To exercise a right, contact privacy@carecas.co.uk. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk.
Children
CareCAS is a workforce tool for care staff and is not directed at children. It is not intended for use by anyone under 18 as an end user.
Changes to this policy
We may update this policy; the effective date above will change and material updates will be communicated to care providers.
Contact
LEK Systems Ltd (company number 17274429)
Morris Lane, Poole, Dorset, United Kingdom
Privacy enquiries: privacy@carecas.co.uk
Support: support@carecas.co.uk