CDS UK takes your confidentiality and privacy rights very seriously. This notice explains how we collect, process, transfer and store your personal information and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018.

What information do we collect from you?

Health and social care professionals working with you keep records about your health and any care and treatment you receive, e.g. doctors, support workers, psychologists, psychotherapists, psychiatrists, occupational therapists, social workers and other staff involved in your care.  This may include:

  • Basic details such as name, address, date of birth, phone number, and email address – where you have provided it to enable us to communicate with you by email
  • Your emergency contact details
  • Notes and reports about your physical or mental health and any treatment, care or support you need and receive
  • Results of your tests and diagnosis
  • Relevant information from other professionals, relatives or those who care for you or know you well
  • Any contacts you have with us such as appointments or home visits
  • Information on medicines
  • Patient experience feedback and treatment outcome information you provide

It may also include personal sensitive information such as sexuality, race, your religion or beliefs, and whether you have a disability, allergies or health conditions. It is important for us to have a complete picture, as this information helps staff involved in your care to provide improved care and to deliver appropriate treatment and care plans that meet your needs.

Information is collected in a number of ways, such as via your healthcare professional, your Clinical Commissioning Group (CCG), referral details from your GP or directly given by you.

Why do we collect this information about you?

Your information is used to guide and record the care you receive and is vital in helping us to:

  • have all the information necessary for assessing your needs and for making decisions with you about your care
  • have details of our contact with you, such as referrals and appointments and can see the services you have received
  • work effectively with other organisations who may be involved in your care
  • assess the quality of care we give you
  • properly investigate if you, and/or your family have a concern or a complaint about your healthcare

Professionals involved in your care will also have accurate and up-to-date information and this accurate information about you is also available if you:

  • Move to another area
  • Need to use another service
  • See a different healthcare professional

Who might we share your information with?

Your information will be shared with the team who are caring for you and are providing treatment to you.

The NHS and other agencies, including social services and private healthcare organisations, work together, so we will share information about you with other professionals and services involved in your care only where it is strictly necessary.

We do this in order to provide you with the most appropriate treatment and support for you, and your carers, or when the welfare of other people is involved.

You have the right to object to information sharing at any time. Please discuss this with your relevant health care professional, as this could have implications for how you receive further care, including delays in you receiving care.

Your confidentiality is very important to us and we take this very seriously. However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your patient record with other agencies.

The information from your patient record will only be used for purposes that benefit your care – for example, we would never share it for marketing or insurance purposes.

Improving health, care and services through research

CDS UK actively promotes research with a view to improving future care. Researchers can improve how physical and mental health can be treated and prevented.

If we use your patient information for research, we take strict measures to remove your name and all other personal data to ensure that individual patients cannot be identified and the data is anonymous. If we need the information in a form that would personally identify you, we will ask for your permission first before releasing any information.

How is information retained and kept safe?

We are committed to keeping your information secure and have operational policies and procedures in place to protect your information.  Information is only shared with those who need to know.

All of the Information Systems used by CDS UK are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by CDS UK are influenced by a number of sources including the 10 National Data Guardian Standards and guidelines produced by NHS Digital and other Government standards.

All employees are legally bound to respect your confidentiality, and all staff must comply with our security operating procedures. Any breach of these is treated seriously, and could result in disciplinary action, including dismissal.

If any of your personal information is to be processed overseas (i.e. outside the UK or EU) a full risk assessment would be undertaken to ensure the security of the information and suitable safeguards put in place.

CDS is governed by key pieces of legislation which regulate the processing of personal information. Legislation/guidance includes:

  • Data Protection Act 2018
  • UK General Data Protection Regulation
  • Access to Health Records Act 1990
  • Health and Social Care Act 2012, 2015
  • Computer Misuse Act 1990
  • The Common Law Duty of Confidentiality
  • Information Security Management – NHS Code of Practice
  • Records Management – Code of Practice for Health and Social Care 2016

Our healthcare professionals and registered support staff are also regulated and governed by their professional bodies.

Strict principles govern our use of information and our duty to ensure it is kept safe and secure.  Technology allows us to protect information in a number of ways, in the main by restricting access. Our guiding principle is that we are holding your information in the strictest of confidence.

How long do we keep your information?

All records held by the NHS are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (The Code). The Code sets out best practice guidance on how long we should keep your patient information before we are able to review and securely dispose of it.

How will we meet the principles of the GDPR?

  1. When processing your personal data, we always process in line with the Data Protection Principles: only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;

In order to process your personal data, we rely on the following lawful basis:

Article 6(1)(f) – task carried out in the legitimate interest of the Controller

To process information regarding your health, we rely upon Article 9(2)(h) – processing is necessary for the provision of health care

  2. Only collecting and using your information to provide you with your care and treatment and will not use it for anything else that is not considered by law to be for this purpose;
  3. Only using enough of your personal information that will be relevant and necessary for us to carry out various tasks within the delivery of your care;
  4. Keeping your information accurate and up to date when using it and if it is found to be wrong, we will make it right, where appropriate, as soon as we can;
  5. Only keeping your information in a way that it will identify you for as long as we are legally required to, whilst ensuring your rights;
  6. Having secure processes in place to keep your personal information safe when it is being used, shared, and when it is being stored.

How can I exercise my data protection rights?

Data Protection law provides you with a number of rights in relation to your personal data. Not all of the rights listed below may be applicable because there are exemptions and restrictions that apply in certain circumstances.

The right to be informed – You may have the right to be informed about the collection and use of your personal data.

The right to access – You may have the right to request copies of your personal information from us.

The right to rectification – You may have the right to request that we correct any information that is inaccurate. You also may have the right to request that we complete information that is incomplete.

The right to restriction of processing – You may have the right to request that we restrict the processing of your personal information, under certain conditions.

The right to erasure – You may have the right to request that we delete your personal data.

The right to object – You may have the right to object to the processing of your personal information.

The right to portability – You may have the right to have your data transferred to another controller.

The right to withdraw consent – You may have the right to withdraw consent previously provided.

The right not to be subject to a decision based solely on automated processing.

If you wish to make a request, please contact with proof of identity. We will respond to your request within one month, and your request will be processed unless there is an exemption. If such an exemption applies, a reason will be provided and your further rights detailed to you.

Your request must be made in writing and we will request proof of identity before we can disclose personal information. All applications for access to health records must be made in writing or via email to the service where you receive your care.

Contacting us if you have a complaint or concern

We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention and we take any complaints we receive very seriously.

Should you have any concerns about how your information is managed by CDS UK, please contact the Operations Director via email to

We have also appointed a Data Protection Officer, who can be contacted at

If you remain dissatisfied following a review by CDS UK, you may wish to contact:

Information Commissioner’s Office

Wycliffe House,
Water Lane,

Their website is at    The Information Commissioner will not normally consider an appeal until you have exhausted your rights of redress and complaint to CDS UK.

CDS UK is registered with the Information Commissioner’s Office (ICO); registration number ZA114563.

Caldicott Guardian: Emma Jack – – 020 7794 1655