It explains how we use information about you and how we protect your privacy.
The legal basis we use in Healthwatch West Sussex is personal consent. Under the General Data Protection Regulations, this consent must be explicit, meaning we must clearly ask people if they agree to us collecting personal information before we do so.
We have a Data Protection Officer to make sure we respect peoples’ rights and follow the law.
The contact details should anyone have any concerns or questions, about how we look after personal information, are:
Data Protection Officer, at firstname.lastname@example.org or by calling 0300 1113303 and asking to speak to the Data Protection Officer.
What do we mean by personal information?
Personal information can be anything that identifies and relates to a living person. This can include information, that when put together with other information, can then identify a person. For example, this could be a name and contact details.
Some personal information might be ‘special’
Some information is ‘special’ and needs more protection due to its sensitivity. It’s often information people would not want widely known and is very personal to them. This is likely to include anything that can reveal a person’s:
- sexuality and sexual health
- religious or philosophical beliefs
- physical or mental health
Why do we need peoples’ personal information?
We retain and use peoples’ personal data to help us carry out our role as the local independent champion for people who use health and social care services. We collect personal information from visitors to our website, through the use of online forms, and every time people email or phone us and provide their details.
We also collect feedback and views from people about the health and social care services that they access. In addition, we receive information about our own staff and people who apply to work for us. Personal information about people can be used for the following reasons:
- in our day to day work
- to send you our newsletter where you have requested it
- to respond to any queries you may have
- to improve the quality and safety of care
This may include any personal information that people choose to share with us. We will treat this as confidential and protect it accordingly. We will never include peoples’ personal information in survey reports.
As well as through our website, personal information may be collected with peoples’ consent through:
- Our information, signposting and advice service
- When we receive feedback by phone, outreach work or through surveys
- Enter and View activity.
Where personally identifiable information is collected, we will ensure that we have peoples’ consent to keep it and we will be clear on how we intend to use your information.
We ensure that where consent is required people give it to us freely, it is used only for agreed specific and unambiguous purposes and that people are well informed about how the information will be kept. This includes where it will be stored, details on security and for how long it will be kept. We will comply with current data protection legislation at all times.
How the law allows us to use personal information
There are a number of legal reasons why we need to collect and use personal information.
- We collect and use personal information only where a person, or their legal representative, have given consent.
- If a person is an employee, we will collect information related to their employment with us.
- If an organisation provide services for us, we will collect information related to the contract we hold with them.
If we have consented to use your personal information, you have the right to remove it at any time. If you want to remove your consent, please contact DPO@helpandcare.co.uk.
We only use what we need!
Where we can, we will only collect and use personal information if we need it to deliver a service or meet a requirement.
If we do not need personal information, we will either keep it anonymous if we already have it for something else, or we will not ask a person for it. For example: in a survey, we may not need peoples’ contact details and will only collect peoples’ survey responses.
If we use personal information for research and analysis, we will always keep the person anonymous or use a different name unless the individual has agreed that their personal information can be used for that research.
We do not sell or share personal information with anyone else.
People can ask for access to the information we hold on them
We would normally expect to share what we record about someone with them whenever we provide them with services.
However, people also have the right to ask for all the information we have about them and the services they receive from us. When we receive a request from someone in writing, we must give them access to everything we have recorded about them.
However, we cannot let people see any parts of their record which contain:
- Confidential information about other people; or
- Data, a professional thinks will cause serious harm to them or someone else’s physical or mental wellbeing.
This applies to personal information that is in both paper and electronic records. If someone asks us, we will also let others see their record (except if one of the points above applies).
If someone cannot ask for their records in writing, we will make sure there are other ways that they can.
People can ask to change the information they think is inaccurate
People can and should let us know if they disagree with something we have recorded about them.
People can ask to delete information (known as the right to be forgotten)
People can ask for their personal information to be deleted, for example:
- Where personal information is no longer needed for the reason why it was collected in the first place
- Where someone has removed their consent for us to use their information (where there is no other legal reason for us to use it)
- Where there is no legal reason for the use of their information
- Where deleting the information is a legal requirement.
Who do we share information with?
We will only share personal information where someone has given their consent for us to do so, e.g. if they would like to be referred to another organisation, for a specific service.
We may also share personal information when we feel there is a good reason that’s more important than protecting someone’s privacy. This does not happen often, but we may share information:
- to protect a child; or
- to protect adults who are thought to be at risk, for example, if they are frail, confused or cannot understand what is happening to them.
The risk must be serious before we can override someone’s right to privacy.
If we are worried about someone’s physical safety or feel we need to take action to protect them from being harmed in other ways, we will discuss this with them and, if possible, get their permission to tell others about their situation before doing so.
We may still share information if we believe the risk to others is serious enough to do so.
There may also be rare occasions when the risk to others is so great that we need to share information straight away.
If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let the individual know what we have done and why if we think it is safe to do so.
How do we protect information?
We will do what we can to make sure we hold records about people (on paper and electronically) in a secure way, and we will only make them available to those who have a right to see them. Examples of our security include:
- Encryption, meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code or what’s called a ‘cypher’. The hidden information is said to then be ‘encrypted’
- Pseudonymisation, meaning that we will use a different name so we can hide parts of personal information from view. For example, we might do this to share a story as a ‘case study’ or story.
- Controlling access to systems and networks allows us to stop people who are not allowed to view personal information from getting access to it
- Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
- Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).
You can find more details of our Information Security expectations on our Information Governance and ICT Policy.
Where in the world is personal information?
The majority of personal information is stored on our contractor’s Cloud-based CRM system which is within the European Union. Very little personal information is stored on paper files and where this does happen, storage is within locked cabinets.
How long do we keep personal information?
We will delete personal information a maximum of 3 years after the last contact we have with you. We will delete employee data after 7 years and delete recruitment information after 6 months. Finance information is held for 6 years.
Where can someone get advice?
If someone has any worries or questions about how your personal information is handled please contact our Data Protection Officer at DPO@helpandcare.co.uk or by calling 0300 1113303.
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner’s Office (ICO) at:
Information Commissioner’s Office
Cheshire SK9 5AF
Tel: 0303 123 1113 (local rate) or 01625 545 745 if someone prefers to use a national rate number.
Cookies (not the edible ones) and how people use our website
To make the Healthwatch West Sussex website easier to use, we sometimes place small text files on peoples’ device (for example iPad or laptop) called cookies. Most big websites do this too.
They improve things by:
- remembering the things someone has chosen while on our website, so they do not have to keep re-entering them whenever they visit a new page
- remembering data they have given (for example, an address) so someone does not need to keep entering it
- measuring how people use the website so we can make sure it meets their needs.
By using our website, people agree that we can place these types of cookies on their device.
Our cookies are not used to identify people personally. They are just here to make the site work better for people. People can manage and/or delete these files as they wish.
How people use our website (something called Google Analytics)
We use Google Analytics to collect information about how people use our site. We do this to make sure it’s meeting peoples’ needs and to understand how we can make the website work better.
Google Analytics stores information about what pages on our site people visit, how long they are on the site, how they got here and what they clicked on while visiting the site.
We do not collect or store any other personal information through this (e.g. peoples’ name or address) so this data cannot be used to identify someone.
We also collect data on the number of times a word is searched for and the number of failed searches. We use this information to improve access to the site and identify gaps in the content and see if it is something we should add to the site.
Unless the law allows us to, we do not:
- share any of the data we collect about someone with others, or
- use this data to identify individuals.
Other people’s cookies
We use videos from YouTube and feeds from other websites such as Facebook and Twitter. These websites place cookies on peoples’ device when watching or viewing these pages.
Below are links to their cookie policies:
Turning off cookies
People can stop cookies from being downloaded on to their computer or other devices by selecting the appropriate settings on their browser. If people do this, they may not be able to use the full functionality of our website.
There is more information about how to delete or stop using cookies on AboutCookies.org. People can also opt-out of being tracked by Google Analytics.
Further guidance on the use of personal information can be found at ico.org.uk.