Privacy policy

Patient privacy notice

We want you to be confident that your information is kept safe and secure and understand how and why we use it to support your care.  This privacy policy explains:

  • Who we are
  • Why we collect information about you
  • How your information will be used
  • How we keep it safe and confidential
  1. Definitions

GDPR: General Data Protection Regulation

Personal data: Any information relating to an identifiable individual such as your name, NHS number, contact details. It can also be location data or online identifier.

Special categories of personal data are defined as: Racial or ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification) information concerning your health, sex life or sexual orientation.

  1. Who are we?

The Essex Child and Family Wellbeing Service is provided by HCRG Care Group.  We are the data controller for any personal information about you that is used by our services to care for you.   The Essex Child and Family Wellbeing Service brings together a range of Children’s community services.  We work in partnership with Barnardo’s on behalf of Essex County Council and the NHS (West Essex Clinical Commissioning Group (CCG)).

Further information about the services we provide can be found at:

HCRG Care Group is a limited company registered in England and Wales, number 07557877. Registered office: HCRG Care Group, The Heath Business and Technical Park, Runcorn, Cheshire, WA7 4QX.

  1. The information we collect and use

We will collect basic ‘personal data’ about you such as your name, date of birth, address and contact details.  We may also ask you for more sensitive data, called ‘special category data’ such as your ethnicity and information about your health and outcomes of needs assessments.  This information is held in written form and/or in digital form.

Health care professionals who provide you with care are required by law to maintain records about your health, which can include treatment or care you have received within other health or social care organisations (eg information from Hospitals, GP surgeries etc).  These records help to provide you with the best possible healthcare and help us to protect your safety.

In carrying out this role we will collect information about you which helps us respond to your queries or secure specialist services.  We may collect the information from you or other trusted parties involved in your care.

This may include:

  • Details about you, such as your address, NHS number, next of kin and/or carer information
  • Any contact your GP surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
  • Notes and reports about your health and safeguarding
  • Details about your treatment and care
  • Results of investigations, such as laboratory tests, x-rays, etc.
  • Relevant information from other health professionals, relatives or those who care for you
  1. How we use your information

Your records are used to:

  • Provide information to make health decisions made by care professionals with and for you
  • Make sure your care is safe and effective
  • Support working with others providing your care

We may also use, or share, your information for the following purposes:

  • Looking after the health of the general public
  • Making sure that our services can meet patient needs in the future
  • Preparing statistics on NHS performance and activity
  • Investigating concerns, complaints or legal claims
  • Helping colleagues review the care they provide to make sure it is of the highest standards
  • Training and educating staff
  • For research purposes
  1. Services we provide
  • Health Visiting
  • School Nursing
  • Support for ages 5-19
  • Support for young people with special educational needs and disabilities up to the age of 25
  • Parental Support
  • Family Health
  • Children’s Community Health Services (West Essex)
    • Community Developmental Medical Services
    • Designated Medical Officer for SENd
    • Occupational Therapy
    • Physiotherapy
    • Speech and Language Therapy
    • Children’s Community Nursing
    • Allergy Clinic
    • Continence Service
  1. Who we share your information with

We may share your information for the provision of your care, or for another lawful reason, with the following organisations and partners:

  • NHS Trusts/Foundations
  • GP’s
  • Community Services such as District Nurses and Rehabilitation Services
  • Urgent Care Organisations, Minor Injury Units or Out of Hours Services
  • Community and Palliative Care Hospitals
  • Care Homes
  • Mental Health Trusts
  • Dentists, Opticians, Pharmacists
  • Child Health Information Service providers (including out of area)
  • Multi-Agency Safeguarding Hubs
  • Private Sector Providers
  • Voluntary Sector Providers
  • Ambulance Trusts
  • Clinical Commissioning Groups
  • NHS England (NHSE) and NHS Digital (NHSD)
  • Local Authorities
  • Education Services
  • Police and Judicial Services
  • HCRG Care Group Support Teams
  • Regulatory Bodies

We may share information about you for the following purposes:

  • To support your health and care arrangements including referrals, pathology and other results
  • If it is in your best interests
  • Recommendations for special arrangements at home
  • To manage incidents that you have been involved in
  • To deal with complaints and investigations
  • Requests for information from official authorities or your representatives
  • Your records if the service is transferring to us under contract or if you are moving out of area
  • The prevention and detection of crime
  • Funding requests or payments
  • Integrated care initiatives
  • Legal advice or proceedings
  • Responding to legal requests and court orders
  • Public health notifications

Our partners and other recipients

  • We work in partnership with commissioners, other health and care providers such as primary care services, local authorities, NHS trusts, pathology providers etc.
  • Local Safeguarding Boards
  • Regulators
  • We may use trusted providers to host our IT, archiving, email and texting services and surveys

Legal basis for processing your personal information

  • It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, which includes providing and managing health and social care services to our patients, service users and clients
  • It is necessary for compliance with a legal obligation
  • It is necessary for reasons in the area of public health
  • It is necessary for the purposes of our legitimate interests and does not prejudice your rights and freedoms
  • It is necessary for the performance of a contract to which you have entered into with us
  • We have your explicit consent (where none of the above bases apply)

Legal basis for processing special categories “sensitive” personal information

  • We need to use the data in order to provide medical diagnosis, health and social care services to you
  • Social protection law for safeguarding purposes
  • Where it is necessary to protect your vital interests
  • It is necessary for the establishment, exercise or defence of a legal claim
  • Processing is necessary to protect your vital interests
  • Processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes
  • Processing is for substantial public interest reasons
  • Processing is necessary for reasons of public interest in the area of public health
  • Personal data that has manifestly been made public by the data subject
  • We have your explicit consent (where none of the above bases apply)
  1. How long do we keep your information?

We will keep your record in accordance with the national guidance: Records Management Code of Practice for Health and Social Care 2016, after which records and confidential information are securely destroyed in line with this code of practice.

  1. How we keep your information safe

Everyone working for our organisation is subject to the Common Law Duty of Confidence.  Information provided in confidence will only be used for the purposes advised and where there is a lawful basis for its use.

The NHS Digital Code of Practice on Confidential Information applies to all NHS staff and they are required to protect your information, inform you of how your information will be used, and allow you to

decide if and how your information can be shared.  All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.

The health records we have will be electronic, paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure.  Your records are backed up securely in line with NHS standard procedures.  We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.

We also make sure external data processors who support us, are legally and contractually bound to operate and provide us with proof that security arrangements are in place for processing data which may identify an individual.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018
  • General Data Protection Regulation 2016
  • Human Rights Act 1998
  • Common Law Duty of Confidentiality
  • NHS Codes of Confidentiality and Information Security
  • Health and Social Care Act 2015
  • And other applicable legislation

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it.

We will not disclose your information to any third party without an appropriate legal basis and there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

  1. How the NHS and care services use your information

Essex Child and Family Wellbeing Service is one of many organisations working in the health and care system to improve care for patients and the public.

Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.

Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:

  • improving the quality and standards of care provided
  • research into the development of new treatments
  • preventing illness and diseases
  • monitoring safety
  • planning services

This may only take place when there is a clear legal basis to use this information.   All these uses help to provide better health care for you, your family and future generations.  Confidential patient information about your health and care is only used like this where allowed by law.

For the majority of research and planning purposes, your data will be anonymised so that you cannot be identified.

  1. Access to your information, your rights and corrections

Keeping us updated of any changes

Please let us know if you change your address or contact details etc. so that we can keep your information up to date.  If you have a concern about some of the information held on your record, you can contact us about it or request a copy of your record.

How to request a copy of your record

You can request a copy of your records via our Data Subject Access Requests (DSAR) portal.  Our online portal supports the management of requests with regards to records and/or alterations and concerns. Your request will be directed to our Privacy Team which will ensure that the correct service receives your request promptly.

To progress the request, you will need proof of identity as follows:

  • Either a current driving licence, passport or a witness to your signature by someone who is over 18 and not a relative, (preferably by your doctor/solicitor on their headed business paper) as proof of identity, and
  • Bank statement, current utility bill or a letter on headed paper from a local authority, or similar, as proof of residence.

If you are a representative acting on a data subject’s behalf you will need proof of your identity as well as proof that the data subject is freely giving consent to the request, or that you have the appropriate legal authority.

Your rights

Data Protection laws provide you with the following rights:

The right to be informed As a data controller, we are obliged to provide understandable and transparent information about the way we process your data (this is provided by our privacy policy).
The right of access You are entitled to request a copy of the personal data we hold about you.
The right to rectification You are entitled to request changes to information if it is inaccurate or incomplete
The right to erasure Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.
The right to restrict processing Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data, but will not process it any further.
The right to data portability Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.
The right to object to processing You have the right to object to our processing of your data where

·       Processing is based on legitimate interest;

·       Processing is for the purpose of direct marketing;

·       Processing is for the purposes of scientific or historic research;

·       Processing involves automated decision-making and profiling.

Please note that the above rights may not apply in all circumstances but we will respond within a month to any request.   If you have any questions or concerns about the information we hold on you, please contact our Data Protection Officer by one of the following options:

Via our secure Data Subject Access Requests (DSAR) portal

Email the central IG Team:

Tel:  01928 242942

or by Post:      FAO Sarah Murray Head of Information Governance & Data Protection Officer

The Heath Business and Technical Park




If you are unhappy with the way your information is handled, you have the right to make a complaint to the UK’s supervisory authority, the Information Commissioners Office (ICO).

Changes to our privacy notice

We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our data protection officer if you would like more information.

Click here to view our “Covid-19 and your information” supplementary privacy notice