HCRG Care Group (Essex) 2023 – 2024
Patient Privacy Notice
We want you to be confident that your information is kept safe and secure and understand how and why we use it to support your care. This privacy notice explains:
- Who we are
- Why we collect information about you
- How your information will be used
- How we keep it safe and confidential
- Who we share your information with and for what purposes
- Your rights and how to exercise them
UK GDPR 2016: United Kingdom General Data Protection Regulation 2016.
DPA 2018: Data Protection Act 2018
Personal data: Any information relating to an identifiable individual such as your name, NHS number, contact details. It can also be location data or online identifiers.
Special categories of personal data are defined as: Racial or ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification) information concerning your health, sex life or sexual orientation.
2. Who are we?
The HCRG Care Group provides a range of health and care related services across several English regions. You can see a summary of this work by checking out their main web site here
HCRG Care Group is a limited company registered in England and Wales, number 07557877. Registered office: HCRG Care Group, The Heath Business and Technical Park, Runcorn, Cheshire, WA7 4QX.
This privacy notice relates specifically to the services and data management arrangements within Essex, the majority of which are provided under the umbrella of the Essex Child and Family Wellbeing Service (hereafter ECFWS) HCRG Care Group (Essex) are generally the data controller for any personal or special category information about you that is used by our services to care for you. In some cases, however, we act as a data processor working with other trusted partners to deliver services across Essex. The range of services and the partners we work with are set out in more detail in the Section 6 “who we share your information with” below.
The ECFWS brings together a range of Children’s community services. We work in partnership with Barnardo’s on behalf of Essex County Council and the NHS (West Essex Integrated Care Board (ICB)). Further information about the services we provide can be found at:
3. The information we collect and use
We will collect basic ‘personal data’ about you such as your name, date of birth, address and contact details. We may also ask you for more sensitive data, called ‘special category data’ such as your ethnicity and information about your health and outcomes of needs assessments. This information is held in written form and/or in digital form.
Healthcare professionals who provide you with care are required by law to maintain records about your health, which can include treatment or care you have received within other health or social care organisations (e.g., information from Hospitals, GP surgeries etc). These records help to provide you with the best possible healthcare and help us to plan and provide our services for you or members of your family.
In carrying out our healthcare duties, we will collect information about you which helps us respond to your queries or secure specialist services. We may collect the information from you, or other trusted parties involved in your care. This may include:
- Details about you, such as your address, NHS number, next of kin and/or carer information
- Any contact your GP surgery has had with you, such as appointments, clinic visits, emergency appointments, etc.
- Notes and reports about your health and any safeguarding concerns (if applicable)
- Details about your treatment and care, including medications
- Results of investigations, such as laboratory tests, x-rays, etc.
- Relevant information from other health professionals, relatives or those who care for you
4. How we use your information
Your records are used to:
- Provide information to make health-related decisions made by healthcare professionals with and for you
- Make sure your care is safe and effective
- Support working with others providing your care
We may also use, or share, your information for the following purposes:
- Looking after the health of the general public e.g., to help control communicable diseases
- Making sure that our services can meet patient needs in the future
- Preparing statistics on our performance and activity
- Investigating concerns, complaints, or legal claims
- Helping colleagues review the care they provide to make sure it is of the highest standards
- Training and educating staff
- For research purposes (unless specifically authorised, we will not use identifiable information for this purpose)
5. Service we provide
- Health Visiting
- School Nursing
- Support for ages 5-19
- Support for young people with special educational needs and disabilities up to the age of 25
- Parental Support
- Family Health
- Children’s Community Health Services (West Essex)
- Community Developmental Medical Services
- Designated Medical Officer for SENd
- Occupational Therapy
- Speech and Language Therapy
- Children’s Community Nursing
- Allergy Clinic
- Continence Service
The above list is not exhaustive and other services may be added or removed to reflect current activity.
At the time of this privacy notice update there are a number of specific services being offered under different service names. They are all being delivered under legally and contractually binding arrangements managed by HCRG Care Group. The list of these services includes:
- The Southend, Essex and Thurrock Keyworker Service;
- The Affinity Programme;
- The National Child Measurement Programme;
- The Electronic Red Book;
- Digital Front Door;
- Neurodevelopment Pathway Co-ordinators (North East Essex);
- Supporting Families Programme (with Essex County Council).
6. Who we share your information with
- NHS Trusts/Foundations
- Community Services such as District Nurses and Rehabilitation Services
- Urgent Care Organisations, Minor Injury Units or Out of Hours Services
- Community and Palliative Care Hospitals
- Voluntary Sector Providers
- Ambulance Trusts
- Integrated Care Boards
- NHS England (NHSE) and NHS Digital (NHSD)
- Regulatory Bodies
- Care Homes
- Mental Health Trusts
- Dentists, Opticians, Pharmacists
- Child Health Information Service Providers (including out of area)
- Multi-Agency Safeguarding Hubs
- Private Sector Providers
- Local Authorities
- Education Services
- Police and Judicial Services
- HCRG Care Group Support Teams
- Third Parties providing contracted services
We may share information about you for the following purposes:
- To support your health and care arrangements including referrals, pathology, and other results
- If it is in your best interests
- Recommendations for special arrangements at home
- To manage incidents that you have been involved in
- To deal with complaints and investigations
- Requests for information from official authorities or your representatives
- If your records relate to a service which is transferring to us under contract or if you are moving out of area
- The prevention and detection of crime
- Funding requests or payments
- Integrated care initiatives
- Legal advice or proceedings
- Responding to legal requests and court orders
- Public health notifications
Our partners and other recipients
- We work in partnership with commissioners, other health and care providers such as primary care services, local authorities, NHS trusts, pathology providers etc.
- Local Safeguarding Boards
- We may use trusted providers to host our IT, archiving, email and texting services and surveys
In two specific circumstances, HCRG Care Group are acting as data processors rather than data controllers. These are managed through respective contracts with our partners. The first of these relates to Southend, Essex and Thurrock Child, Adolescent and Mental Health Service (SET CAMHS) where the North-East London NHS Foundation Trust is the data controller. The second relates to Essex Wellbeing Service (EWS) where the data controller is Provide CIC.
Legal basis for processing your personal information
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, which includes providing and managing health and social care services to our patients, service users and clients
- It is necessary for compliance with a legal obligation
- It is necessary for reasons in the area of public health
- It is necessary for the purposes of our legitimate interests and does not prejudice your rights and freedoms
- It is necessary for the performance of a contract to which you have entered into with us
- We have your explicit consent (where none of the above bases apply)
Legal basis for processing special categories “sensitive” personal information
- We need to use the data in order to provide medical diagnosis, health and social care services to you
- Social protection law for safeguarding purposes
- Where it is necessary to protect your vital interests
- It is necessary for the establishment, exercise, or defence of a legal claim
- Processing is necessary to provide medical diagnoses, the provision of health or social care or treatment or the management of health or social care treatment and services
- Processing is necessary for archiving purposes, scientific or historical research purposes or statistical purposes
- Processing is necessary for reasons of public interest in the area of public health
- Where you (as the data subject) have already made your personal data public
- We have your explicit consent (where none of the above bases apply)
7. How long do we keep your information?
We will keep your personal and special category data in accordance with the latest national guidance which can be found here. This details the minimum retention periods for different types of records and how those records should be securely disposed of or archived. HCRG Care Group comply with this Code of Practice.
8. How we keep your information safe
Everyone working for our organisation is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised and where there is a lawful basis for its use.
The NHS Digital Code of Practice on Confidential Information applies to all our staff and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All our staff are expected to make sure information is kept confidential and receive regular training on how to do this.
The health records we create and manage will be electronic, paper or a mixture of both, and we use a combination of working practices and technology to ensure that your information is kept confidential and secure. Your records are backed up securely in line with NHS standard procedures. We ensure that the information we hold is kept in secure locations, is protected by appropriate security and access is restricted to authorised personnel.
We also make sure external data processors who support us are legally and contractually bound to operate to defined standards and provide us with proof that technical and organisational security arrangements are in place for processing data which may identify an individual. These standards and arrangements are reviewed before and during any contract that HCRG Care Group enter in to with external parties.
We are committed to protecting your privacy and will only use information collected lawfully in accordance with:
- Data Protection Act 2018
- United Kingdom General Data Protection Regulation 2016
- Human Rights Act 1998
- Common Law Duty of Confidentiality
- NHS Codes of Confidentiality, Records Management and Information Security Management
- Health and Social Care Act 2015
- And other applicable legislation (as amended)
We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it. We will not disclose your information to any third party without an appropriate legal basis and there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.
9. How the NHS and other care services use your information
HCRG Care Group is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending Accident & Emergency or using Community Care services, important information about you is collected in a patient record for that service.
Collecting this information helps to ensure you get the best possible care and treatment. The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
For the majority of research and planning purposes, your data will be anonymised so that you cannot be identified.
Occasionally HCRG will conduct surveys to continually evaluate and improve its service and ensure a high standard of care.
To achieve this, we will use information given to us with your consent such as your email address and mobile phone number and request you complete surveys through our trusted partners. Information collected is not sent to any outside organisations other than the survey provider. Data used for reporting purposes will be aggregated and anonymised, will not identify you in any way and only used to improve our service.
11. Call Recordings
We may record telephone calls you make to our service for training and monitoring purposes. If this is the case, you will be informed via an automated message. The recording would include any personal information you provide to us during your call, such as your name and date of birth, as well as any information relating to your care.
Any recordings made are automatically deleted after one year.
You have the right to request a copy of the call recording under a Data Subject Access Request (DSAR).
12. Access to your information, your rights and corrections
Keeping us updated of any changes
Please let us know if you change your address or contact details etc. so that we can keep your information up to date. If you have a concern about some of the information held on your record, you can contact us about it or request a copy of your record
How to request a copy of your record
You can request a copy of your records via our Data Subject Access Requests (DSAR) portal. Our online portal supports the management of requests with regards to records and/or alterations and concerns. Your request will be directed to our Information Governance Team which will ensure that the correct service receives your request promptly.
To progress the request, you will need proof of identity as follows:
- Either a current driving licence, passport, or a witness to your signature by someone who is over 18 and not a relative, (preferably by your doctor/solicitor on their headed business paper) as proof of identity, and
- Bank statement, current utility bill or a letter on headed paper from a local authority, or similar, as proof of residence.
If you are a Representative acting on a data subject’s behalf you will need proof of your identity as well as proof that the data subject is freely giving consent to the request, or that you have the appropriate legal authority. Under the Data Protection Act 2018 we have 30 calendar days to respond to your Data Subject Access Request. This timeframe does not commence until we have received all necessary documentation to confirm your identity and/or legal authority. In exceptional circumstances we may need longer than 30 days to respond; if this is considered likely you will be notified in advance.
The Data Protection Act 2018 provides you with a number of rights:
The right of access. You are entitled to request a copy of the personal data we hold about you.
The right to rectification. You are entitled to request changes to information if it is inaccurate or incomplete.
The right to erasure. Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.
The right to restrict processing. Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data but will not process it any further.
The right to data portability. Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.
The right to object to processing. You have the right to object to our processing of your data where:
- Processing is based on legitimate interest;
- Processing is for the purpose of direct marketing;
- Processing is for the purposes of scientific or historic research;
- Processing involves automated decision-making and profiling.
Please note that the above rights may not apply in all circumstances, but we will respond within 30 days to any request. If you have any questions or concerns about the information we hold on you, please contact our Data Protection Officer using one of the following options:
Via our secure Data Subject Access Requests (DSAR) portal.
Email the central IG Team: ask.IG@hcrgcaregroup.com
Tel: 01295 302514
Data Protection Officer
HCRG Care Group
The Heath Business and Technical Park
If you are unhappy with the way your information is handled, you have the right to make a complaint to the UK’s supervisory authority, the Information Commissioners Office (ICO).
Changes to our privacy notice
We will update this privacy notice from time to time to reflect any changes to our ways of working. Please use one of the contact options above if you would like more information.
Last reviewed: June 2023