Guidance

DHSC privacy notice

Updated 8 September 2023

1. The Data Protection Act 2018 and the United Kingdom General Data Protection Regulation (UK GDPR)

This legislation replaces previous data protection law, giving more rights to you as an individual and placing more obligations on those controlling and processing your data for any purpose. This notice explains your rights and gives you the information to which you are entitled under this legislation.

2. Contact our Data Protection Officer

The Department of Health and Social Care (DHSC) is the data controller for the department itself and also for its executive agencies (the UK Health Security Agency, and the Medicines and Healthcare Products Regulatory Agency).

The Data Protection Officer is Lee Cramp who can be contacted:

In writing:

Department of Health and Social Care
39 Victoria Street
London SW1H 0EU

By email: data_protection@dhsc.gov.uk

DHSC Personal Information Charter.

3. Reasons and purposes for processing personal data

We need to handle personal data about you so that we can provide better services. High standards in handling personal data are very important to us because they help us to maintain the confidence of everyone who deals with us. When we handle your personal data, we undertake to:

  • make sure you know why we need it
  • only ask for what we need, and not to collect too much or irrelevant information
  • protect your information and ensure no one has access to it who should not
  • let you know if we are going to share it with other organisations
  • make sure we do not keep your information for longer than necessary
  • assure you that your individual rights under UK GDPR can be exercised
  • ensure that measures are put in place to allow appropriate consent to be obtained for holding personal data of anyone aged under 13

We additionally undertake to:

  • value the personal data entrusted to us and make sure that we abide by the law when it comes to handling your personal data
  • ensure we consider security at the outset of any new project where we are planning to hold or use personal data in new ways, and to continue to review existing systems to ensure they are compliant with new laws
  • provide training to staff in how to handle personal data, maintain proper oversight of our information assets and respond appropriately if information is not used or protected properly

4. Why we process personal data

We process personal data to enable us to:

  • promote our policies, procedures and services to the public
  • maintain our accounts and records
  • support and manage our staff

We also process personal data for the administration of health and social care services, for the management and administration of land, property and residential property, and to undertake research.

We operate a CCTV system on our premises for the prevention of crime and the safety and security of our staff and premises.

Processing of information is also undertaken to adhere to NHS guidance and regulations.

5. Lawful basis for processing your personal data

The UK GDPR and Data Protection Act 2018 set out the available lawful bases for the processing of personal data.

In most cases, as a government department, DHSC may process personal data as necessary for the performance of a task carried out in the public interest or in the exercise of the department’s official authority. If another lawful basis applies, we will tell you.

6. The information we process

We process information about:

  • our employees and former employees
  • our customers and clients
  • our suppliers and service providers
  • our advisers, consultants and other professional experts (including NHS professionals)
  • complainants and enquirers
  • students and pupils
  • elected representatives
  • holders of a public office
  • academics
  • members or supporters of unions
  • NHS and other healthcare professionals
  • health and care organisations
  • legal representatives of the organisation
  • applicants to committees
  • applicants for permits, licences, certificate and permit holders
  • authors, publishers, editors, artists or other creators
  • members and/or supporters of voluntary organisations and advisory groups
  • committees and health associations
  • licence and certificate holders
  • social care providers
  • individuals falling within the terms of reference of a public enquiry
  • members of advisory groups and committees
  • contracts
  • offenders and suspected offenders
  • members of the public and those inside, entering or in the immediate vicinity of areas under surveillance by CCTV
  • members or supporters of health-related organisations
  • NHS staff
  • research applicants
  • researchers
  • university staff and students
  • patients
  • individuals on civil registers
  • members of the general populace

7. Who we share personal data with

We sometimes need to share the personal data we control (and our data processors may also share information) with other organisations. Where this is necessary, we are required to comply with all aspects of data protection legislation. What follows is a description of the types of organisations with which we may need to share the personal data we process, for one or more reasons.

Where necessary, required and within the law we may share information with:

  • family, associates and representatives of the person whose personal data we hold

  • employment and recruitment agencies

  • current, past and prospective employers

  • educational establishments and examining bodies

  • other government departments

  • credit reference agencies

  • suppliers and service providers

  • debt collection and tracing agencies or organisations

  • financial organisations

  • devolved government departments

  • health and care organisations

  • trade, employer associations and professional bodies

  • other statutory law enforcement agencies and investigative bodies

  • health, social and welfare advisers or practitioners

  • survey and research organisations

  • police forces and other law enforcement organisations

  • the Government Internal Audit Agency and other auditors as required

  • the Civil Service Commission

  • the Advisory Committee on Business Appointments

  • the Office of the Commissioner for Public Appointments

8. Data retention

Outside of specific exemptions under the legislation, your personal data shall be retained for no longer than is necessary for the purposes for which it is being processed.

9. Your rights

The data we are collecting is your personal data. You have the right to:

  • see what data we hold about you (this is known as a ‘right of access request’)

  • ask us to stop using your data, but keep it on record

  • have some or all of your data deleted

  • have some of your data corrected

  • lodge a complaint with the Information Commissioner’s Office (ICO) if you think we are not handling your data fairly or in accordance with the law

10. Right of access requests

Data protection legislation allows you to find out the personal data we hold about you on computer and IT records (formerly known as a ‘subject access request’).

The legislation requires us to respond to a valid request within one month. However, in the event we are unable to meet this timescale (for example due to a large volume of information to be assessed) we will keep you informed of progress towards fulfilling your request.

To request access to personal data we hold about you, please write to our Data Protection Officer using the contact details in section 2 above.

11. Automated decision-making or profiling

We may use automated decision-making or profiling in certain circumstances as required or permitted by law to enable us to deliver efficient services.

This does not affect your individual rights as outlined in section 9, ‘Your rights’.

12. Contacting the Information Commissioner’s Office

For independent advice about data protection, privacy and data-sharing issues, you can contact the independent ICO at:

The Information Commissioner
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Tel: 0303 123 1113

www.ico.org.uk