CDS-UK takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018.

What information do we collect from you?

Health and social care professionals working with you keep records about your health and any care and treatment you receive eg. doctors, support workers, psychologists, psychotherapists, psychiatrists, occupational therapists, social workers and other staff involved in your care.  This may include:

  • Basic details such as name, address, date of birth, phone number, and email address – where you have provided it to enable us to communicate with you by email
  • Your emergency contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Results of your tests and diagnosis
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Any contacts you have with us such as appointments or home visits
  • Information on medicines
  • Patient experience feedback and treatment outcome information you provide

It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information assists staff involved in your care to deliver and provide improved care, deliver appropriate treatment and care plans, to meet your needs.

Information is collected in a number of ways, such as via your healthcare professional, your Clinical Commissioning Group (CCG), referral details from your GP or directly given by you.

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to;

  • have all the information necessary for assessing your needs and for making decisions with you about your care
  • have details of our contact with you, such as referrals and appointments and can see the services you have received
  • to work effectively with other organisations’ who may be involved in your care.
  • assess the quality of care we give you
  • properly investigate if you, and/or your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

  • Move to another area
  • Need to use another service
  • See a different healthcare professional

Who might we share your information with?

Your information will be shared with the team who are caring for you and are providing treatment to you.

The NHS and other agencies, including social services and private healthcare organisations work together so we may need to share information about you, with other professionals and services involved in your care.

We do this in order to provide you with the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved.

You have the right to refuse/withdraw your consent to information sharing at any time. Please discuss this with your relevant health care professional as this could have implications in how you receive further care, including delays in you receiving care.

Your confidentiality is very important to us and we take this very seriously. However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies. In these rare circumstances we are not required to have your consent.

The information from your patient record will only be used for purposes that benefit your care – for example, we would never share it for marketing or insurance purposes.

How information is retained and kept safe?

Information is retained in secure electronic and paper records and access is restricted to only those who need to know.

It is important that information is kept safe and secure, to protect your confidentiality.

There are a number of ways in which your privacy is shielded; by removing your

identifying information, reviewing processes, adhering to strict contractual conditions and ensuring strict sharing or processing agreements are in place.

CDS is governed by key pieces of legislation which regulates the processing of personal information. Legislation/guidance includes:

Data Protection Act 1998

Human Rights Act 1998 (Article 8)

Access to Health Records Act 1990

Health and Social Care Act 2012, 2015

Public Records Act 1958

The Environmental Information Regulations 2004

Computer Misuse Act 1990

The Common Law Duty of Confidentiality

Information Security Management – NHS Code of Practice

Records Management – Code of Practice for Health and Social Care 2016

General Data Protection Regulations (GDPR) – post 25th May 2018

Department of Health –

Information Commissioner’s Office –

NHS England –

Our healthcare professionals and registered support staff are also regulated and governed by their professional bodies.

Strict principles govern our use of information and our duty to ensure it is kept safe and secure.  Technology allows us to protect information in a number of ways, in the main by restricting access. Our guiding principle is that we are holding your information in the strictest of confidence.

Improving health, care and services through research

CDS-UK actively promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented.

If we use your patient information for research, we take strict measure to remove your name and all other personal data to ensure that individual patients cannot be identified.  If we need the information in a form that would personally identify you, we would ask for your permission first before releasing any information.

How we keep your information safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information

All of the Information Systems used by CDS-UK are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by CDS-UK are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.

All employees are legally bound to respect your confidentiality, all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.

If any of your personal information is to be processed overseas (i.e. outside the EU) a full risk assessment would be undertaken to ensure the security of the information.

How long do we keep your information?

All records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (The Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

How will we meet the principles of the GDPR?

We will process your personal information fairly and lawfully by;

  1. Only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;

We do not rely on consent to use your information as a ‘legal basis for processing’. We rely on specific provisions under Article 6 and 9 of the General Data Protection Regulation, such as ‘…a task carried out in the public interest or in the exercise of official authority vested in the controller.’

This means we can use your personal information to provide you with your care without seeking your consent. However, you do have the right to say ‘NO’ to our use of your information but this could have an impact on our ability to provide you with care.

  1. Only collecting and using your information to provide you with your care and treatment and will not use it for anything else that is not considered by law to be for this purpose;
  2. Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care;
  3. Keeping your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can;
  4. Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;
  5. Having secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

How can I access the information you hold about me?

Each organisation has a senior person responsible for protecting the confidentiality of your information and enabling appropriate sharing. This person is known as the Caldicott Guardian.

You have a right to see the information we hold about you, both on paper or electronic, except for information that:

  • Has been provided about you by someone else if they have not given permission for you to see it;
  • Relates to criminal offences;
  • Is being used to detect or prevent crime; and
  • Could cause physical or mental harm to you or someone else

Your request must be made in writing and we will request proof of identity before we can disclose personal information. All applications for access to health records must be made in writing or via email to the service where you receive your care.

Contacting us if you have a complaint or concern

We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously.

Should you have any concerns about how your information is managed by CDS-UK, please contact the Operations Director via email to [email protected]

If you remain dissatisfied following a review by CDS-UK, you may wish to contact:

Information Commissioner’s Office

Wycliffe House

Water Lane




Their website is at    The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to CDS-UK.

CDS-UK is registered to the Information Commissioner’s Office (ICO); registration number ZA114563

Caldicott Guardian – Graeme Galton [email protected]

Data Protection & Operations – Annabel Horne [email protected]


Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.

For further information visit or

You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.

Other websites

Our website contains links to other websites. This privacy policy only applies to this website so when you link to other websites you should read their own privacy policies.

Changes to our privacy policy

We keep our privacy policy under regular review and we will place any updates on this web page. This privacy policy was last updated on 30 April 2018.

How to contact us

Please contact us if you have any questions about our privacy policy or information we hold about you: by email [email protected]