What is a Privacy Notice?
The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.
A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.
This is ECCH’s privacy notice.
ECCH as a Data Controller
ECCH is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018. Our legal name is the East Coast Community Healthcare C.I.C. Our head office address is:
Battery Green Road
ECCH is registered with the Information Commissioners Office with the registration number Z2818019
How to contact us
Please contact us if you have any questions about our privacy notice or information we hold about you:
Contact details of our Data Protection Officer
ECCH’s Data Protection Officer is:
Risk and Information Governance Team Lead and Data Protection Officer
Our legal basis for processing personal data
ECCH is a Community Interest Company providing community health and care services. We have a number of subsidiary companies and a registered charity. The legal bases for the majority of our processing is:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is:
Article 6(1)(b) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special categories data, for example data concerning including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the GDPR. Where we are processing special categories personal data for purposes related to the provision of health services the condition is:
Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services…
Where we process special categories data for employment or safeguarding purposes the condition is:
Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…
ECCH may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or for the purpose of establishing, exercising or defending legal rights. Where we process personal data for these purposes, the legal basis for doing so is:
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject; or
Article 6(1)(f) – processing is necessary for the purposes of legitimate interests pursued by the controller.
Where we process special categories of personal data for these purposes, the legal basis for doing so is:
Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims; or
Article 9(2)(g) – processing is necessary for reasons of substantial public interest.
In ‘How We Use Your Information’ we set out most of the key ways in which we may process your personal data for the purposes of, or in connection with the services we offer.
How long do we keep information about you?
We will only hold information about you for as long as is necessary for delivery of our services to you, or as governed by statutory requirements.
The GDPR includes a number of rights that are more extensive that those in the Data Protection Act 1998. We must generally respond to requests in relation to your rights within one month, although there are some exceptions to this.
The availability of some of these rights depends on the legal basis that applies in relation to the processing of your personal data, and there are some other circumstances in which we may not uphold a request to exercise a right. Your rights and how they apply are described below.
Right to be informed
Your right to be informed is met by the provision of this privacy notice, and similar information when we communicate with you directly – at the point of contact.
Right of access
You have the right to obtain a copy of personal data that we hold about you and other information specified in the GDPR, although there are exceptions to what we are obliged to disclose.
A situation in which we may not provide all the information is where in the opinion of an appropriate health professional disclosure would be likely to cause serious harm to your, or somebody else’s physical or mental health.
Right to rectification
You have the right to ask us to rectify any inaccurate data that we hold about you.
Right to erasure (‘right to be forgotten’)
You have the right to request that we erase personal data about you that we hold. This is not an absolute right, and depending on the legal basis that applies, we may have overriding legitimate grounds to continue to process the data.
How to access your personal information or make a request in relation to other rights
Requests may be made in writing or by speaking to us. All requests will be recorded, and you may need to provide information to verify your identity and enable us to locate the information:
Full name, address, date of birth, NHS number (requests for health records only)
An indication of what information you are requesting to enable us to locate this in an efficient manner.
How We Use Your Information
Your information is used to deliver and improve the services that ECCH provides. It may be used to:
To support our functions, we may share your information for health purposes and for your benefit with other organisations such as NHS England, NHS Trusts, General Practitioners, etc. Information may also need to be shared with other non-NHS organisations.
Where information sharing is required with third parties, we will always have a relevant contractual obligation in place and will not disclose any detailed information without your explicit consent unless there are exceptional circumstances such as when the health or safety of yourself or others is at risk, where the law requires it, or to carry out a statutory function.
For some of our services we are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified professional. There are occasions when we must pass on information, such as notification of new births and infectious diseases which may endanger the safety of others, such as meningitis or measles; and where a formal court order has been issued.
We may be asked to share basic information about you, such as your name and address which does not include sensitive information where ECCH, or its subsidiary companies, holds such information. This would normally be to assist another organisation to carry out their own statutory duties.
Sharing Information with the Care Quality Commission (CQC)
The CQC has powers under the Health and Social Care Act 2008 to access and use information where they consider it necessary in order to carry out their functions as a regulator. The CQC relies on its legal powers to access information rather than consent, therefore may use its powers to access records even in cases where objections have been raised. As a health and care provider ECCH is required to comply with CQC requests for access to records.
More detail on how CQC ensure compliance with data protection law (including GDPR) and their privacy statement is available on the CQC website.
More detail of how your information is used within each of our services and subsidiary companies can be found in the specific Privacy Notices.
We have Privacy Notices available for:
Our subsidiary companies: