On this page, you can find out more about data protection within Your Healthcare CIC. This includes how and why we use your information, your rights, regulatory information, and our published Data Protection Impact Assessments. If there is data protection information you are unable to find here, or that you think should also be displayed, please email DPO@yourhealthcare.org
This privacy notice explains what information we collect about you, how we store this information, how we share this information and how we keep it safe and confidential. We want you to be confident that your information is kept safe and secure, and for you to understand how and why we use it to support your care and treatment.
GDPR: General Data Protection Regulation
Personal data: Any information relating to an identifiable individual such as your name, NHS number, contact details. It can also be location data or an online identifier.
Special categories of personal data: Information about ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification) information concerning your health, sex life or sexual orientation.
Your Healthcare Community Interest Company is a not for profit social enterprise delivering community health and social care services in South West London, including NHS commissioned health services.
As your registered health and social care provider, we are the controller for any personal information we hold about you.
For more information, please visit our website: http://www.yourhealthcare.org/en-gb/who-we-are/about-us/
We are a Community Interest Company registered in England and Wales, company number: 06762290. Our Registered Office is: Hollyfield House, 22 Hollyfield Road, Surbiton, KT5 9AL.
The staff caring for you need to collect information about your health, treatment and care, and social circumstances so that we can:
Personal information about you is collected in a number of ways, for example from referral letters and forms, from your GP or directly from you.
Your information may include:
In addition we may hold more sensitive personal data called 'special category data' which could include:
A record of your personal information may be written down or held electronically on computer. This is then known as your social and health care or medical record.
Your records are used:
We may also use your information for other purposes, such as:
In order for Your Healthcare CIC to legally process your information a ‘lawful basis’ needs to be identified. Data Protection Legislation recognises the difference between personal data and that of a more sensitive nature known as special categories of data; such as ethnic origin, political opinions, religious beliefs, trade union activities and physical or mental health.
Our legal bases for processing your personal data fall under article 6 of the GDPR:
6(b) the processing is necessary to meet contractual obligations entered into by you
6(c) the processing is necessary to comply with legal obligations to which we are subject
6(d) the processing is necessary to protect the vital interests of you (protect your life)
6(e) the processing is necessary for us to perform specific tasks in the public interest or for our official functions, and the task or function has a clear basis in law
Our legal bases for processing special category data fall under article 9 of the GDPR:
9(2)(h) for the purposes of preventative or occupational medicine
9(2)(h) for us to provide a medical diagnosis
9(2)(h) for the provision of health or social care treatment or management of health or social care systems and services, carried out by, or under the supervision of, a health professional or social work professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law. This includes us processing to receive payment for work undertaken as part of a service commissioned with public money.
9(2)(c) to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
Therefore, Your Healthcare CIC does not require your consent to process your personal data. However, you do have the right to say ‘no’ to some of our uses of your information, but this could have an impact on our ability to provide you with care and treatment. See section 9 below about opting out of sharing information.
We share information about you with others directly involved in your care; and also share more limited information for indirect care purposes:
Direct care purposes
You may be receiving care from other people working for other organisations, for example Social Care Services. We may need to share some information about you with them so we can all work together for your benefit. We will only do this when there is a genuine need for it or we have your permission. For example if you require attention from a health professional such as A&E, Minor Injury Unit or Out Of Hours service, the professionals treating you are more able to provide safe and effective care if relevant information from your electronic record held by Your Healthcare CIC is available to them.
Your Healthcare CIC is part of ‘Connecting Your Care’, a platform which allows professionals across South West London to share some of your health information. Your information is only accessed and used by authorised health and social care professionals in locally based organisations who are involved in providing or supporting your direct care. You can find out more at https://www.swlondon.nhs.uk/ourwork/connectingyourcare/connecting-your-care-sharing-information/
In all cases, your information is only accessed and used by authorised health and social care professionals in locally based organisations who are involved in providing or supporting your direct care. We will always endeavour to share the minimum amount of personal information required, anonymising where necessary.
Indirect care purposes
We also use information we hold about you to:
Nationally there are strict controls on how your information is used for these purposes. These control whether your information has to be anonymised first and with whom we may share identifiable information. You can find out more about these purposes, which are also known as secondary uses, on the NHS England and Health and Social Care Information Centre’s websites: https://www.england.nhs.uk/contact-us/privacy-notice/how-the-nhs-and-care-services-use-your-information-the-national-opt-out/ and http://www.hscic.gov.uk/
Details of information sharing for indirect purposes:
Clinical Research - If we receive requests from organisations to use health information for research purposes - we will always ask your permission before releasing any information for this purpose.
National Registries - National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.
Risk Stratification - is a process for identifying and managing service users who have or may be at-risk of health conditions (such as diabetes) or who are most likely to need healthcare services (such as people with frailty). Risk stratification tools used in the NHS help determine a person’s risk of suffering a particular condition and enable us to focus on preventing ill health before it develops. Information about you is collected from a number of sources including NHS Trusts, GP Federations and your GP Practice. A risk score is then arrived at through an analysis of your de-identified information. This can help us identify and offer you additional services to improve your health.
Risk-stratification data may also be used to improve local services and commission new services, where there is an identified need. In this area, risk stratification may be commissioned by the. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for risk stratification purposes. Further information about risk stratification is available from: https://www.england.nhs.uk/ig/risk-stratification/
If you do not wish information about you to be included in any risk stratification programmes, please let us know. We can add a code to your records that will stop your information from being used for this purpose. Please be aware that this may limit the ability of healthcare professionals to identify if you have or are at risk of developing certain serious health conditions.
Safeguarding - To ensure that adult and children’s safeguarding matters are managed appropriately, access to identifiable information will be shared in circumstances where it’s legally required for the safety of the individuals concerned.
Supporting Locally Commissioned Services - CCGs audit anonymised data to monitor locally commissioned services, measure prevalence and support data quality. The data does not include identifiable information and is used to support care and ensure providers are correctly paid for the services they provide.
Invoice Validation - Invoice validation enables us to identify which CCG is responsible for paying for your treatment. Section 251 of the NHS Act 2006 provides a statutory legal basis to process data for invoice validation purposes and uses your NHS number to validate payment. We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.
The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”.
There may be occasions when it is not possible to exercise your right to opt out, such as when we have an obligation by law or for the purposes of safeguarding adults and children.
Connecting your Care
You can object to your personal information being shared with other healthcare providers via a system called ‘Connecting your Care’. However, you should be aware that this may, in some instances, affect your care, as important information about your health might not be available to healthcare staff in other organisations. If this limits the treatment that you can receive then this will be explained to you at the time you object.
If you wish to opt out of ‘Connecting Your Care’ please complete the form at https://www.swlondon.nhs.uk/wp-content/uploads/2019/02/Connecting-your-Care-Opt-Out-Request-Form-v3.0_FINAL_CLEAN-1.pdf or contact Connecting your Care by calling 020 3668 3100 or via email at connectingyourcare@swlondon.nhs.uk
If you do choose to opt out, your confidential information will still be used to support your individual care.
National Data Opt-out
Your personal data can be used to help with research and planning.
You can choose to stop your confidential personal data being used for this purpose. You can also make a choice for someone else like your children under the age of 13.
To find out more visit https://www.nhs.uk/your-nhs-data-matters/
You do not need to do anything if you are happy for your confidential personal information to be used for research and planning purposes. You can change your choice at any time.
We take the security of your personal data very seriously. We have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:
Training: Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of personal data; this includes their mandatory annual training in data security and confidentiality to demonstrate they understand and are complying with Your Healthcare policies on confidentiality.
Access Controls: Any member of staff who has access to personal confidential data will have a username and unique password. This will reduce the risk of unauthorised access to your personal data and all access is auditable.
Technical measures: We complete due diligence and impose contractual obligations on our trusted providers and persons working under our instruction.
We have a duty to
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it.
We will not disclose your information to any third party without an appropriate legal basis and there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
Your Healthcare CIC has a Caldicott Guardian who is responsible for ensuring the organisation satisfies the highest practical standards for handling person-identifiable information.
Your personal information is held in both paper and electronic forms for specified periods of time as the NHS Records Management Code of Practice for Health & Social Care 2016 and National Archives requires.
We usually retain health records for children from discharge / service user last seen until their 25th birthday (or if the service user was 17 at the conclusion of the treatment, until their 26th birthday). Care records with non-standard retention periods could be kept up to 30 years depending on the record type. Please consult the for more details.
These are the minimum times for which we keep information; we may keep it for longer if we believe doing so will be of benefit to you or we are not able to delete it due to a technical issue.
We have a duty to:
Please note that the Independent Inquiry into Child Sexual Abuse (IICSA) has requested that large parts of the health and social care sector do not destroy any records that are, or may fall into, the remit of the inquiry. Therefore Your Healthcare CIC is currently not destroying any children’s records until further notice (please consult the website www.iicsa.org.uk for more details).
When you contact us through social media such as Facebook and Twitter or via our website at www.yourhealthcare.org, we hold your information and reason for contact to enable us to easily access and manage our engagement with you. This may result in us sharing your information with other parties within the organisation e.g. individuals involved in your care, managing your complaint etc.
When you visit our websites we collect standard internet log information and details of visitor behaviours. This is statistical data only which we collect in order to find out the numbers of visitors to the site and the pages visited. The information is collected in such a way that does not identify individuals and we do not make any attempts to identify visitors this way.
Where we do collect personal information on our website, this will be made clear to you through the relevant pages.
If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you and ask for your explicit consent.
Under the Data Protection Act 2018 you have the following rights:
The right to be informed - As a data controller, we are obliged to provide understandable and transparent information about the way we process your data. This is provided within this privacy notice, additional information on our website and ‘Your Health Information’ leaflet.
The right of access - You are entitled to request a copy of the personal data we hold about you - see section 14 below.
The right to rectification – You can request data found to be factually inaccurate or incorrect be corrected.
The right to erasure - Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data. Please note that this right does not apply to health or care records.
The right to restrict processing - Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.
You have the right to restrict the processing of your data if:
The right to data portability - Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation; however, this right does not apply to NHS funded service users.
The right to object to processing - You have the right to object to our processing of your data where
Please note that the above rights may not apply in all circumstances.
GDPR gives you a right to access the information we hold about you, unless an exemption applies. To obtain a copy of your records contact:
Health Records Team
Your Healthcare CIC
Hollyfield House
22 Hollyfield Road
Telephone: 0208 339 8146
In most cases this service is free of charge and once we have confirmed your identity, we will aim to respond within one calendar month unless it is extremely complex or there are factors outside of our control. If we need longer we will let you know that this is the case as soon as we become aware.
The data controller responsible for keeping your information confidential is:
Your Healthcare CIC
Hollyfield House
22 Hollyfield Road
The Data Protection Officer responsible for ensuring Your Healthcare CIC is compliant with the GDPR and data protection legislation is:
Data Protection Officer
Your Healthcare CIC
Hollyfield House
22 Hollyfield Road
The Data Protection Officer is also the main contact should you have any concerns or queries; however, in the first instance we would request you contact our Information Governance Coordinator on 020 8339 8092.
If you are not happy about the way your information is handled, or you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House
Water Lane
0303 123 1113
Email: casework@ico.org.uk
Details of our registration with the ICO’s data protection register can be found here: https://ico.org.uk/ESDWebPages/Entry/Z2313029
In the event of contracts between Your Healthcare CIC and Kingston & Richmond CCG coming to an end, all relevant documentation and records will be transferred to the new provider.
The transfer of records will be conducted in accordance with the current UK Data Protection Law.
We will review this privacy notice annually or sooner where new guidance or legislation is introduced or if we plan to use personal data for a new purpose.
Last reviewed: November 2021
We are required by law to protect the public funds we administer. We may share information provided with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud. The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to determine the extent of the match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud – see guidance https://www.gov.uk/guidance/taking-part-in-national-fraud-initiative. We want you to know that we take privacy very seriously. Please be assured that we will always manage your data securely and responsibly. See the privacy notice guidance, which sets out how we will use your personal data as part of the Cabinet Office’s National Fraud Initiative (NFI) data matching exercise to aid in the prevention and detection of fraud: Privacy notice - GOV.UK (www.gov.uk).
The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under data protection legislation or the General Data Protection Regulation (GDPR). For further information on how we will use your personal data, and your rights, see National Fraud Initiative privacy notice - GOV.UK (www.gov.uk). For further information on the reasons why it matches particular information, see Code of Data Matching Practice for the National Fraud Initiative - GOV.UK (www.gov.uk)
For further information on data matching at South West London and St George’s Mental Health Trust please contact your Local Counter Fraud Specialists: Kitty Gibb, by emailing kitty.gibb@rsmuk.com, or Kasia Gruszka, by emailing kasia.gruszka@rsmuk.com. Further information on how the NFI has assisted the NHS and other public sector organisations can also be found at National Fraud Initiative case studies - GOV.UK (www.gov.uk)
Useful resources:
Your organisation’s privacy notice
National Fraud Initiative privacy notice - GOV.UK (www.gov.uk)
Right to be informed | ICO
A guide to the data protection exemptions | ICO
Getting copies of your information (SAR) | ICO
Your Healthcare is committed to protecting your privacy when you visit or contact us via our website. This privacy statement discloses the privacy practices for www.yourhealthcare.org the website of Your Healthcare CIC.
It applies solely to website users browsing this website; links within this site to other websites are not covered by this privacy statement. You may also wish to read the privacy statements of websites that are closely associated with our website.
For details about how we use your information as a patient or service user of Your Healthcare CIC, South West London Child Health Information Service, or Your Care, visit the section on ‘How we use your information’
In this notice ‘we’ and ‘our’ means Your Healthcare CIC, owners of the website, and Zinc Digital Creative Marketing Ltd who operate the website platform.
If you contact us using the Feedback Form or the Customer Complaints Form on our website the personal data you consent to share with us includes your name, address, email address and telephone numbers. This information is used so that we can contact you to respond to your enquiry or feedback.
If you contact us using the Membership Form on our website the personal data you consent to share with us includes your name, address, email address and telephone numbers. This information is used to register you as a member of Your Healthcare CIC.
If you sign up for our newsletter you consent to share with us your name and email address. This information is used to send you copies of the Community Newsletter.
Information about visitors to our website is collected using technology such as cookies, IP addresses and location data. This can include information about your location, the type of device you are using and your online browsing history.
Cookies are a technology which can be used to provide you with tailored information from a website. A cookie is an element of data that a website can send to your browser, which may then be stored on your system.
A list of all the cookies collected by our website can be found at the end of this statement. This includes a ‘collect’ cookie used by Google Analytics to collect data about your device and behaviour and track you across devices and marketing channels. This is a session cookie and lasts only for the duration of your visit.
Your Healthcare CIC does not directly make use of cookies; however, your data may be used to help us with personalisation of content and services, and for analytical purposes, such as understanding who our website viewers are and how they browse our website.
You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether or not to accept it. However, if you turn cookies off, some of the features that make your site experience more efficient may not function properly.
All information collected from, or disclosed to us via the website is held in confidence by Your Healthcare CIC and Zinc Ltd for an indefinite period. Our lawful basis for collecting your information is consent.
Your information will not be sold and will not be shared with third parties other than Zinc Digital Creative Marketing Ltd, without your consent, unless the information you have volunteered to share with us gives us reasonable grounds to believe that a criminal offence has been committed. Our lawful basis for sharing this information would be to comply with a legal obligation.
Our website is not a secure website and is not scanned for security holes and known vulnerabilities. Any information you send us via the online forms is therefore not encrypted via Secure Sockets Layer (SSL) technology, and we advise that people completing forms do not include any sensitive or confidential information and contact us using other means.
Information submitted via the website is stored on secure servers held by Zinc Digital Creative Marketing Ltd and Your Healthcare CIC.
If you have given us consent to send you specific newsletters or information, you can unsubscribe from these at any time by contacting us at contact@yourhealthcare.org
If you have any concerns about how we collect and use data on our website contact our Data Protection Officer at DPO@yourhealthcare.org
Care has been taken in the creation of our website to ensure that information is accurate and up-to-date. Information supplied to us from other organisations and used on our website has been given in good faith and although the contributing organisations make every effort to ensure that the information is correct, Your Healthcare CIC accepts no responsibility for any loss or damage which may occur from the use of the information.
The website contains links to websites maintained by other organisations. These links are provided for your convenience and do not imply that we endorse or support those organisations, the information on their pages, or their products and services in any way and we accept no responsibility for the content of these pages and accept no liability for any losses that may occur from the use of them.
We reserve the right to amend this privacy statement without notice. It is the responsibility of users to check this privacy statement regularly.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
| Cookie Name | Provider | Type | Expiry |
|---|---|---|---|
| | yourhealthcare.org | | Session |
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
| Cookie Name | Provider | Type | Expiry |
|---|---|---|---|
| _ga | yourhealthcare.org | | 2 years |
| _gat | yourhealthcare.org | | 1 day |
| _gid | yourhealthcare.org | | 1 day |
| collect | google-analytics.com | Pixel | Session |
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.
| Cookie Name | Provider | Type | Expiry |
|---|---|---|---|
| atuvc | yourhealthcare.org | | 1 year |
| atuvs | yourhealthcare.org | | 1 day |
| _at.cww | yourhealthcare.org | | Persistent |
| at-lojson-cache-# | yourhealthcare.org | | Persistent |
| at-rand | yourhealthcare.org | | Persistent |
| | youtube.com | | 1 day |
| | doubleclick.net | | 1 year |
| loc | addthis.com | | 1 year |
| test_cookie | doubleclick.net | | 1 day |
| uvc | addthis.com | | 1 year |
| | youtube.com | | 179 days |
| xtc | addthis.com | | 1 year |
| | youtube.com | | Session |
| yt-remote-cast-installed | youtube.com | | Session |
| yt-remote-connected-devices | youtube.com | | Persistent |
| yt-remote-device-id | youtube.com | | Persistent |
| yt-remote-fast-check-period | youtube.com | | Session |
| | youtube.com | | Session |
| yt-remote-session-name | youtube.com | | Session |
Unclassified cookies are cookies that have not been classified.
| Cookie Name | Provider | Type | Expiry |
|---|---|---|---|
| st_horizontal1 | yourhealthcare.org | | Session |