General Data Protection
Patients who are treated by us can rest assured that we value your privacy and want you to understand the choices and control you have over your information with Co-Formation Group Ltd. We have created this GDPR Privacy notice to help explain those choices and give you that control.
The General Data Protection Regulation (GDPR) is European Union (EU) legislation that became directly applicable in EU Member States (e.g. the UK) on 25 May 2018.It is a regulation by which the European Parliament, the Council of the EU and the European Commission intend to strengthen and unify data protection for all individuals within the EU.
The GDPR is designed to replace the existing Data Protection Act 1998 and allow individuals to better control their personal data, as well as enable organisations to think harder about the privacy and controls they have on the data they hold and process about individuals. These modernised and unified rules will allow businesses to make the most of the opportunities and benefit from reinforced consumer trust.
At Co-Formation Group Ltd, we are committed to being transparent about how we use your data and keep it safe, and will continue to provide accessible information to individuals in line with the UK Data Protection Regulations outlined in the General Data Protection Regulation (EU) 2016/679. The most common way to provide this information is in a privacy notice.
Purpose of processing personal information
The purpose of Co-Formation Group Ltd processing your personal information/data is so we may provide you with an effective service. As a healthcare provider, Co-Formation Group Ltd delivers NHS services to you and must collect and use personal information about you.
We follow NHS good practice and will:
• Discuss and agree with you what we are going to record about you
• Give you a copy of letters we are writing about you; and
• Show you what we have recorded about you, if you ask.
The GDPR ensures that we comply with a series of data protection principles.
These principles are there to protect you and they make sure that we:
• Process all personal information lawfully, fairly and in a transparent manner.
• Collect personal information for a specified, explicit and legitimate purpose.
• Guarantee that the personal information processed is adequate, relevant and limited to the purposes for which it was collected.
• Ensure the personal information is accurate and up to date.
• Retain your personal information for no longer than is necessary for the purpose(s) for which it was collected.
• Keep your personal information securely using appropriate
• technical or organisational measures.
To make sure you receive the best possible care, your records are used to assist the care you receive. Information held about you may also be used by the NHS in interests of protecting and promoting public health. Your Information may be used within Co-Formation Group Ltd for clinical audit purposes to monitor the quality of the service provided.
The lawful basis for the process without consent
As a publically funded NHS provider working under the statutory health and social care organisations guidelines in the delivery of their functions, Co-Formation Group Ltd use the following lawful basis for processing your data:
• Article 6 Lawful processing: Article 6(1)(e) ‘…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller…’
• Article 9 condition for direct care or administrative purposes: 9(2)(h) ‘…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…’
This also includes local administrative purposes such as:
• Performance against national targets
• Activity monitoring
• Local clinical audit
• Production of datasets to submit for commissioning purposes and national collections.
• We will not share information that identifies you for any reason, unless:
• You ask us to do so
• We ask and you give us specific permission
• We have to do this by law
• We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality, for example, to prevent someone from being seriously harmed.
Categories of personal data we process
We process personal information relating to identified natural persons so we may deliver a thorough and efficient service for our patients.
NHS health records may be electronic, physical (paper) or a mixture of both. We use a combination of working practices and technology to guarantee that your information is kept confidential and secure. Records held by Co-Formation Group Ltd may include the following information about you:
• Details such as your address, carer, legal representative, emergency contact details
• Any contact the Co-Formation Group Ltd operational units have had with you, such as appointments, clinic visits, emergency appointments, telephone calls etc.
• Recordings of your telephone calls to and from our services
• Notes and reports about your health
• Details about your treatment and care
• Results of investigations such as laboratory tests, X-rays etc.
• Relevant information from other health professionals, relatives or those who care for you.
To make sure that we provide you with an efficient and effective service, we will sometimes need to share your information:
• Between teams within our organisation
• With partner organisations within the NHS that support the delivery of the service you may receive
• With organisations we have contracted to provide a direct care service to you.
National Data Opt-Out
The National Data-Opt out gives patients greater control over what purposes their health data can be used. The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own direct care and treatment and to have your objections considered”.
• Direct care is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation or suffering of an individual.
• Indirect care is defined as work within the health and social care environment which does not involve the direct treatment or support of individuals e.g. research, commissioning and much of the work done in public health.
The opt-outs do not apply to data required to support the pandemic responses.
To find out more or to register your choice to opt out, please visit
On this web page you will:
• See what is meant by confidential patient information
• Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care
• Find out more about the benefits of sharing data
• Understand more about who uses the data
• Find out how your data is protected
• Be able to access the system to view, set or change your opt-out setting
• Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
• See the situations where the opt-out will not apply You can also find out more about how patient information is used at: www.hra.nhs.uk/information-about-patients/ (which covers health and care research); and www.understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made).
You can change your mind about your choice at any time.
Who are our partner organisations?
We may have to share your personal information, subject to strict agreements on how it will be used, with the following organisations:
• NHS trusts / Foundation trusts
• NHS Commissioning support units
• Independent contractors such as dentists, opticians, pharmacists
• Private sector providers
• Voluntary sector providers
• Ambulance trusts
• Clinical Commissioning Groups
• Social care services
• NHS Digital
• Local authorities
• Education services
• Fire and Rescue services
• Police and Judicial services
• Voluntary sector providers
• NHS approved private sector providers
• Intermediate care and care homes services
• Use of Data on SystmOne clinical system (TPP)
• Other ‘data processors’ which you will be informed of at the point of direct care.
We will only ever share your information for your direct care, and only when we are satisfied that our partners or suppliers have sufficient measures in place to protect your information in the same way that we do.
Before sharing information we confirm that:
• Privacy Notices are completed with our partners, if appropriate.
• Technical security such as encryption and access controls are in place to keep information secure.
• Information Sharing Agreements are completed showing the rules to be adopted by the various organisations involved in the sharing exercise.
• Data Protection Impact Assessments are completed to assess any risks or potential negative effects to you.
• Common retention periods and deletion arrangements are set for the information we process and share.
• Your access rights are catered for to support you in any request for your data. Your information will only be shared within the legal basis we have stated and we will never share your information for Co-formation Group Ltd
• any other purposes other than for your direct care.
Transfers and safeguards of your personal data to other
Your personal and sensitive data will only be stored and processed on servers based within the European Economic Area (EEA). Your data will only be processed by our staff based within the UK and not beyond the EEA region.
We will only keep your information for as long as it is required to be retained under the statutory limits. The retention period is either dictated by law or by our discretion.
Once your information is no longer needed as set out in this Privacy notice it will be securely and confidentially destroyed.
You have guaranteed rights under the GDPR which we will uphold at all times.
Your rights are:
• The right to be informed via Privacy notices such as this one.
• The right to free access to any personal information Co-Formation Group Ltd holds about you. You are entitled to receive a copy of your personal data – free of charge – and within 30 calendar days of our receipt of your subject access request, provided you have submitted the correct proof of identity details.
• The right of rectification. If you believe your details are incorrect, we are required to correct inaccurate or incomplete data within one month.
• The right to erasure. Ordinarily under GDPR you have the right to have your personal data erased and to prevent processing, however, this right does not apply to GDPR Art 9 – special category data. The processing we conduct is necessary for the purposes of preventative or occupational medicine for medical diagnosis; and for the provision of health and social care systems. Your data is processed by and under the responsibility of healthcare professionals who are subject to a legal obligation of professional secrecy.
• The right to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.
• The right to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when you request your data.
• The right to object. You can object to your personal data being used for profiling, direct marketing or research purposes.
• You have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.
To request a copy of the personal information we hold about you, you must send your request in writing to DATA ACCESS REQUEST, addressed to the Co-Formation Group Ltd site where you have received care or treatment.
To help us deal with your request as efficiently as possible, you will need to include:
• Your current name and address
• Proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address)
• As much detail as possible regarding your request so that we can identify any information we may hold about you, this may need to include your previous name and address, date of birth and what Co-Formation Group Ltd services you received.
The right to lodge a complaint
Should you have any concerns about how your information is managed by Co-Formation Group Ltd, please contact the Co-Formation Group Ltd Caldicott Guardian. By email [email protected]
If you are still unhappy following a review by our Caldicott Guardian, you can then complain to the Information Commissioners Office (ICO) via their website (www.ico.gov.uk).
Where personal data comes from
The healthcare professionals who provide you with care maintain records about your health and any treatment or care you have received previously (e.g. NHS trust, GP surgery, walk-in clinic, etc.). These records help us to provide you with the best possible healthcare.
We will not use any information about you that is available in publicly accessible sources. Any additional details we will require about you in order to carry out our duty of care, we will request directly from you.
Failure to provide personal data to Co-Formation Group Ltd
The provision of your personal data about your health and any treatment or care you have received previously is part of the UK statutory instrument:
• Health and Social Care Act 2012
• GDPR Art 9.2(h)
Failure to provide personal information and data about yourself may result in us failing to provide you the necessary healthcare services as mandated by NHS England.
If you do not wish personal data that we hold about you to be used or shared in the way that is described in this notice, please discuss the matter with us. You have the right to object, but this may affect our ability to provide you with care or advice.
Automated decision making
The transfer of your data from NHS systems such as the Summary Care Record and NHS Choices is automated in how it is received; however, no care or treatment decisions made about you are automated in any way.
How to contact us
Co-Formation Group Ltd is registered as a data controller with the Information Commissioner’s Office registration number: ZB059189
If you have any questions, comments or concerns about how we handle your personal data, then you may contact our Quality and Governance team by email to [email protected]Click this text to start editing. This block is a basic combination of a title and a paragraph. Use it to welcome visitors to your website, or explain a product or service without using an image. Try keeping the paragraph short and breaking off the text-only areas of your page to keep your website interesting to visitors.