Privacy Policy and Cookies

Who we are

Since 2006, we have provided community health services for adults, children and families in areas across Surrey.

CSH Surrey is a Data Controller under the Data Protection Act 1998 and our ICO registration number is Z9948287. Our company registration number is 5700920.

As an organisation, we are committed to protecting your information and respecting your privacy in accordance with the Data Protection Act 1998.

This notice explains what information we collect, why we collect it and how we keep it secure.

What information do we collect

Health Care Professionals such as therapists and nurses who are involved in your care will collect and keep relevant records about your health, treatment and care to ensure you are provided with high quality and safe healthcare. These records are known as Health Records and can be held in paper format, electronic format or both. 

Your Health Record may consist of the following:

  • Your name, address, date of birth, telephone numbers
  • Details of your next of kin
  • The GP you are registered to
  • Any disability or preferred language
  • Notes about your health, clinic visits, treatments and procedures you have undergone
  • Results of any investigations such as laboratory results or imaging results
  • Information from other Health Care Professionals who are involved in your care, eg your GP.

Why do we collect this information

Your information will only be processed where we are legally permitted to do so, usually for direct medical purposes. This ensures that the Health Care Professionals who are involved in your care are able to adequately plan your care and treatment. The information we collect allows us to:

  • Identify you to ensure you are distinguished from other patients
  • Contact you in relation to appointments or clinical updates
  • Contact your named next of kin in the event of an emergency
  • Share updates with your GP in relation to your care/treatment
  • Meet any specific needs you might have
  • Ensure the care and treatment we provide is appropriate and safe.

Who will see your information and for what purpose?

Direct Care Purposes

We will only share relevant information from your Health Record with other Professionals who are supporting your care.  Sharing is on a strict need to know basis and only where the law permits.

  • Administrative staff may access your records to support our clinical staff
  • Other Health Care Professionals/organisations directly involved in your care where the sharing will facilitate your care or treatment
  • Suppliers who we instruct to support your healthcare needs for example if you require a particular piece of equipment.

Purposes beyond Direct Care

We will use the minimum data necessary for the specified purpose. Below are some examples where we might need to send identifiable information for non-direct care purposes:

  • Health Care Professionals for Clinical Audit purposes to ensure services are provided in line with agreed and reputable standards
  • Health Care Professionals and our Finance staff send limited information to commissioners so that we are able to receive payment for the services we provide
  • Health Care Professionals for statistical information such as length of time to be seen to analyse performance and improve our services
  • Clinical research projects to develop knowledge and improve care
  • Health Care Professionals and Commissioners to support requests for medical funding
  • Health Care Professionals and Administrative staff to allow us to fulfill our obligations to Access to Health Records Requests
  • Research studies which aim to improve the quality of services with your explicit consent.

In the majority of cases, it is possible for us to use data which does not identify you where it is being used for purposes beyond direct care. This type of non-identifiable data is widely used across the NHS. We may use non-identifiable data for the following purposes:

  • Health Care Professionals and Quality and Governance staff for feedback surveys
  • Health Care Professionals, Quality and Governance staff and commissioners for service monitoring to identify trends and analysis
  • Research studies which aim to improve the quality of services.

Employee Information

As an employer, we hold personal confidential information relating to individuals who apply to work at the organisation and individuals who are subsequently employed by the organisation.

The information we collect may include the following:

  • Your name, date of birth, address for identification purposes
  • A copy of your passport, visa or other immigration document to prove your right to work in the UK
  • Disclosure and Barring Service checks to check for criminal convictions and/or cautions
  • Occupational Health and Disability records to ensure we can make reasonable adjustments and support your health needs.

How we secure your data

All NHS employees are bound by the Common Law of Confidentiality which means we have a duty to keep your information confidential and secure. Our staff are provided with training to ensure your data is handled correctly and regular assurance checks are completed.

We have a Senior Information Risk Owner who is responsible for the management of all assets which hold information and a Caldicott Guardian who will ensure your confidentiality is protected and enable appropriate information-sharing.

Finally, we carry out detailed checks on our suppliers to ensure that they are also handling your data in a legal and secure manner.

How long will we keep information for?

Information is held for specified periods of time as per the Records Management Code of Practice for Health and Social Care.

Your rights under Data Protection

The Data Protection Act provides you with certain rights as an individual. These include:

  • You can make a request for a copy of the information we hold about you.
  • You can request that we do not process information that is likely to cause or is causing unwarranted damage or distress. Sometimes there might be a legal requirement or overriding public interest which means we are compelled to share data. Occasions on which we are compelled to share data may include:
      • Safeguarding an individual or to prevent a serious crime
      • To control the outbreak of infectious diseases
      • A legal requirement such as a court order
  • Request that your data is not used for direct marketing. We will never use your data for this purpose.
  • Challenging any decisions made without human intervention (automated decision making)
  • A right in certain circumstances to have inaccurate data rectified, blocked, erased or destroyed
  • A right to claim compensation for damages caused by a breach of Data Protection.

Queries and how to access your records

If you have any queries concerning the use of your medical information, please discuss them with the Health Care Professional who is involved in your care in the first instance.

If you would like to restrict or stop us from processing your information, please contact our Customer Liaison, Complaints and Claims Officer so that your request and available options can be considered.

Under the Data Protection Act 1998, you have the right to request a copy of the information which we hold for you. If you require your medical records, please put your request in writing to our Customer Liaison, Complaints and Claims Officer using the above details.

You can find more information at the Information Commissioner's Office website or you can write to them at:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF


Date of review: November 2017


CSH Surrey Website

This privacy policy sets out how CSH Surrey uses and protects any information that you give us when you use this website.

We are committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, you can be assured that it will only be used in accordance with this privacy statement.

We may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from August 20th 2013.

What we collect

Like most websites we may collect certain information from our users including:

  • Your name
  • Contact information including email address
  • Information about your computer type, operating system, length of visit, page views and browsing habits, and about your visits and use of the website (including your IP address, geographical location, browser)
  • Other information relevant to visitor surveys or correspondence.

What we do with the information we gather

We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

  • Internal record keeping.
  • We may use the information to improve our products and services.
  • For improving your browsing experience.
  • To enable your use of the services available on the website.
  • We may periodically send emails about information which we think you may find interesting using the email address which you have provided.
  • From time to time, we may also use your information to contact you for market research purposes. We may contact you by email or phone.


We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.


We may disclose information about you, any of our employees, suppliers or subcontractors as reasonably necessary for the purposes set out in this privacy policy.
In addition, we may disclose your personal information:

  • To the extent we are required to by law;
  • In connection with any legal proceedings;
  • In order to establish, exercise or defend our legal rights.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.

Controlling your personal information

We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.

If you believe that any information we are holding on you is incorrect or incomplete, please write to or email our Customer Liaison, Complaints and Claims Officer. We will promptly correct any information found to be incorrect.


Like all websites, CSH Surrey uses cookies. A cookie is a small file, typically of letters and numbers, downloaded on to a device when the user accesses certain websites. Cookies allow a website to recognise a user’s device and respond to them as an individual. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

What Cookies are we using on our site?

Business Critical Cookies

These cookies allow CSH Surrey to count visits and traffic sources so we can measure and improve the performance of our website. They help us to know which pages are the most and least popular and see how visitors move around our site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when a visitor has come to the site, and will not be able to monitor its performance and make improvements. We use the Google Analytics service for this purpose.

Cookies used: _ga, _gat, _gat_cqc_tracker and _gid

We also use a cookie for the cookie bar to remember you've accepted cookies: CP_allowcookies

Essential Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by visitors which amount to a request for services, such as logging in or filling in forms. Visitors can set their browser to block or alert them about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Cookies used: has_js

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.