Fair Processing Notice
This Fair Processing notice is to inform you of the type of information that CSH Surrey holds, how that information is used, who we may share that information with and how we keep it secure and confidential. It also explains your rights and our legal obligations. We undertake information audits to establish clear lines on what personal data we hold and what we do with it.
This notice was last updated in November 2024 and will be reviewed at least annually.
Who we are
CSH Surrey (Central Surrey Health LTD) is a Data Controller and is registered with the Information Commissioner’s Office (ICO) under registration number Z9948287. Our registered address is CSH Surrey, Dukes Court, 4th Floor Block A, Duke Street, Woking GU21 5BH and our company registration number is 5700920.
What we do
CSH Surrey is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as Community Care services, important information about you is collected to help ensure that you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, when there is a legal basis to do so, to help with planning services, improving care provided, research into developing new treatments and preventing illness - all of which help to provide better care for you, your family and future generations. Confidential personal information about your health and care is only used in this way when permitted by law and will never be used for insurance or marketing purposes without first obtaining your explicit consent.
Our Commitment to Data Privacy and Confidentiality
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), the Common Law Duty of Confidentiality and the Human Rights Act 1998.
CSH Surrey is a Data Controller under the terms of the UK GDPR. This means we are legally responsible for ensuring that all processing of personal information about you (i.e. holding, obtaining, recording, using or sharing it) is carried out in compliance with the 7 Data Protection Principles.
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidentiality. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access.
Under the NHS Confidentiality Code of Conduct, all our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.
The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
In general, we would not share information that identifies you unless you have given us permission (consent). However, there are certain circumstances where we will process/share personal information without your consent. This is where we have another fair and lawful basis, such as:
- To protect children and vulnerable adults;
- When a formal court order has been served upon us; and/or
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.
All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you when it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. We will only use the minimum amount of information necessary about you.
We will only retain information in accordance with the schedules set out in the Records Management Code of Practice 2021.
Data types and definitions
Information/data can be categorised in the following way:
- Personal: Containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth.
- Special Categories: personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sex life or sexual orientation, and health, biometric or genetic data.
- Pseudonymised: individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity.
- Anonymised: about individuals but with all identifying details removed.
- Aggregated: statistical information about multiple individuals that has been combined to show general trends or values without identifying individuals within the data.
Our use of data
What information do we collect?
If you are a patient, the health professionals caring for you keep records about your health, treatment and the care you receive with the NHS. The information in the record may come from you or other care providers e.g. GP, social care or hospital. These records may be written down on paper or held electronically on a computer and they include:
- Basic personal details about you such as your name, address, date of birth, gender, telephone number, email address, preferred/emergency contact, ethnicity, disability, religion, registered GP, etc.
- Contacts we have had with you such as appointment or clinic visits
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and laboratory tests
- Relevant information from people who care for you and know you well such as health professionals, relatives and carers.
It is essential that your details are accurate and up to date. Always check that your personal details are correct whenever you visit us and please inform us of any changes as soon as possible.
Why do we collect this information?
CSH Surrey aims to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided, or plan to provide to you. We have a legal duty to keep these records confidential, accurate and secure at all times in line with the Data Protection Act 2018 (DPA18) and the UK General Data Protection Regulation (UK GDPR).
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold on to any other third parties.
Information is held for specified periods of time as set out in this policy under your rights.
CSH Surrey is required to provide a legal basis for the processing of your information under UK GDPR.
If we need to use your personal information for any reason beyond those stated within this policy, CSH Surrey will communicate these changes before starting any new processing activity.
Our obligations
We have a duty to inform you of the legal basis for processing your information, as required under Data Protection legislation.
Our Legal Basis for Processing Personal Data
The legal bases for most of our processing are explained below:
Our Legal Basis for Processing Special Category Data
When we process special categories of data, for example data including health, racial or ethnic origin, or sexual orientation, we are required to meet an additional condition in the UK GDPR. The legal bases for most of our processing are explained below:
Specific purposes
Some specific areas in which we process data are detailed below, along with the legal basis we rely on for the processing.
Delivering Patient Care
This may be in circumstances relating to:
- Delivery of patient care
- When responding to complaints or concerns relating to the delivery of care
- When monitoring patient pathways
- To share information about a patient for their direct care (subject to both the common law duty of confidence and data protection legislation)
- Statutory duty under section 251B of the Health and Social Care Act 2012, to manage waiting lists, performance against national targets, activity monitoring e.g. number of referrals, when undertaking local clinical audits, commission funding for treatment and/or equipment.
Individual Rights Requests (including Subject Access)
When we receive a request relating to one of the individual rights from you or a valid representative you have appointed, we need to further process the personal data we already hold about you to respond to your request. More information about this is in the ‘Your rights’ section.
Safeguarding and Looked after Children
Advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Identifiable information will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned. Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we rely on a statutory basis rather than consent to process information for this use.
Public Health
We notify officials of infectious diseases which present a significant risk to human health and the wider public, as set out in The Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010.
When Required to Comply with the Law
This may be in circumstances to:
- Communicating when things go wrong: we have a duty, set out under The Health and Social Care Act 2008 (HSC 2008), to report incidents.
- Support other organisations with their regulatory requirements, e.g. Care Quality Commission (CQC), Information Commissioner's Office (ICO).
- Support the detection, investigation or prevention of a serious crime, monitor referral-to-treatment times and ensure compliance with the NHS Constitution and the NHS Operating Framework, and conduct audits to measure compliance with the law (e.g.
- Share information relating to vulnerable individuals with emergency services in the event of an emergency (Civil Contingencies Act 2004).
- To support court orders requiring us to share information.
Vital Interests
To protect someone’s life. This may be in circumstances to:
- Share information to safeguard an individual and therefore prevent harm.
How we share your information
In circumstances where we need to share your personal data, we will always ensure this is conducted lawfully and document the legal justifications for doing so.
When data sharing is external to our organisation, CSH Surrey will always assess the potential benefits and risks to you and others, and we will weigh the proportionality of the purpose and what we are trying to achieve by this activity. We will also consider whether the objective can be achieved without sharing personal data, and we have measures in place to ensure adequate security protects the data when it is shared.
The following are the types of organisations that CSH share your information with.
Currently, the external data processors CSH work with include:
International transfer of your personal data
CSH Surrey does not transfer, store or share personal data outside of the European Economic Area.
Your rights
Under Data Protection legislation, you have the following rights:
The Right of Access
We have a duty to provide you with rights of access to your data when requested. Under Data Protection Legislation, patients have the right to obtain a copy of their personal records held by us; this is called a Subject Access Request (SAR).
To obtain a copy of your medical records, please submit your request to the CSH Surrey Subject Access Request Team. Address: CSH Surrey SAR Team, 4th Floor, Dukes Court, Woking, Surrey, GU21 5BH Email: csh.sarteam@nhs.net
You will need to provide your information (e.g. full name, address, date of birth, Hospital/NHS number) and forms of identification. If you wish for another person to submit your request on your behalf, they will need to obtain your written permission to do so before we can provide copies of medical records. This ensures we are providing confidential information to authorised person(s).
An individual may choose to nominate a representative (such as a solicitor or relative) to make a request on their behalf; however, when this happens the request must be explicitly authorised by the data subject (e.g. evidenced by a signed letter of consent).
Those who hold Lasting Power of Attorney for Health and Welfare for an individual can apply for that individual’s records.
Further guidance and assistance can be obtained from the Subject Access Request Team.
The Right to be Informed
Be informed about the collection and use of your personal data. This communication is achieved through this privacy policy.
The Right to object
Data Protection legislation gives individuals the right to object to the processing of their personal data in some circumstances. This will depend on the legal basis (as described above) for processing your information. In order to object, you will need to do so verbally or in writing to CSH.DPOenquiries@nhs.net.
The Right to Restrict
You can request the restriction of your personal data; however, this only applies when you contest the accuracy of the personal data, or where the data has been unlawfully processed and you oppose erasure, requesting restriction instead. You can make a request for restriction verbally or in writing to CSH.DPOenquiries@nhs.net.
Rectification and Erasure
Request to have inaccurate personal data rectified or completed if it is incomplete. The legislation states that ‘personal data is inaccurate if it is incorrect or misleading as to any matter of fact.’ You can make a request for rectification verbally or in writing to CSH.DPOenquiries@nhs.net.
Consent
When you provide consent for the processing of your personal data, you will always have the right to freely give, and to withdraw, that consent. CSH Surrey manages consent when processing data in the following ways:
- Regularly reviewing consents to check that the relationship with the individual and the purpose for processing information has not changed.
- Having appropriate processes in place to refresh consent at appropriate intervals, including any parental consents.
- Acting on withdrawals of consent as soon as reasonably possible.
National Data Opt Out
Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this when permitted by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply
You can also find out more about how patient information is used at:
https://www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and
https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your explicit consent.
Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
How long will we hold your information?
Personal data processed for any purpose will not be kept for longer than is necessary for the specific purposes. All NHS patient records are kept in line with the NHS Records Management Code of Practice 2021 and the Retention Schedule.
CSH Surrey will regularly review the length of time we keep your personal data and securely delete information that is no longer needed for the purposes it was originally intended. This process will enable clear and accurate data, keeping it up to date, available and confidential.
Notification of changes to this privacy notice
If we use your personal data for any new purposes, updates will be made to the policy information and changes communicated, where necessary in accordance with current legislation. For all queries relating to our privacy policy, please email: CSH.DPOenquiries@nhs.net
How we keep in touch:
- Letter
- Text message
- Telephone calls
Links to other publications - websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Cookie Policy
Cookies allow a website to recognise a user’s device and respond to them as an individual. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
What cookies we use and how we use them
Essential Cookies:
- These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by visitors which amount to a request for services, such as logging in or filling in forms. Visitors can set their browser to block or alert them about these cookies; however, some parts of the site will not then work. These cookies do not store any personally identifiable information.
- You can choose to accept or decline cookies although this may prevent you from taking full advantage of the website.
Performance Cookies:
- Collect information about how you interact with the website (e.g., analytics). You can choose to accept or decline cookies.
Functional Cookies:
- Allow the website to remember your preferences (e.g., language, region). You can choose to accept or decline cookies.
Targeting/Advertising Cookies:
- Track browsing habits to display relevant ads. You can choose to accept or decline cookies.
Complaints
If you have any comments, queries or complaints about this Privacy Notice or the processing of your personal information please address these to: Data Protection Officer, Central Surrey Health, 4th floor, Dukes Court, Woking, GU21 5BH
Email: CSH.DPOenquiries@nhs.net
Alternatively, you are entitled to get in touch with the Information Commissioner’s Office (ICO). The Information Commissioner’s Office enforces and oversees the Data Protection Regulations. To find out more about the information rights in the public interest, further details can be found at: www.ico.org.uk