Healthwatch Surrey is an independent champion created under the Health and Social Care Act 2012 that gives the people of Surrey a voice to improve, shape and get the best from health and social care services by empowering local people and communities.
Participants are under no obligation to provide information and can choose freely whether to share their experiences or not.
This Privacy Notice explains how we handle information that we collect about people in the course of our work and the data processing practices that we have in place.
We are strongly committed to data security and we take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption.
We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us. Only authorised employees, contractors and volunteers under strict controls will have access to your personal information.
Any information that you give will be held in accordance with the current data protection regulations.
Find out more about our purpose and what we do on our About us pages.
1. What information do we collect?
During our day-to-day business, we collect a range of personal information, experiences, and opinions from the individuals we are in contact with across a variety of platforms. This includes:
- Information about people who use our website
- Information about people who share their experiences with us by other means
- Information about people who sign up to our newsletter
- Information about people applying to work for us or volunteer with us
Further information about each of these categories can be found below:
Information about people who use our website
Please note that this section relates to the Healthwatch Surrey website only. We are not responsible for the content or practices of websites that may be accessed via links from our website.
The Healthwatch Surrey website does not automatically capture or store any personal information apart from your IP address, which is needed to allow you to download the website onto your device.
We will only request personal information from you when you complete an online form, provide feedback from a survey we are running or send us an email.
Information about people who share their experiences with us in other ways
There are a number of other ways that we collect feedback from people off-line about their experiences of using health and social care services day to day. These include:
- Our staff and volunteers visit different health and social care settings and high street locations as part of our role to talk to the public and evaluate how services are being delivered.
- We receive phone calls and requests for information directly from members of the public as part of our advice and signposting service.
- We collect feedback from people about their experiences of using health and social care services from local Citizens Advice.
- We receive completed feedback forms and surveys by post.
- We receive text messages to our text phone.
You are under no obligation to provide information to us and can choose freely whether to share your experiences. Where you do provide information, you do so on the understanding that it will be stored, used and shared in accordance with our legal basis to do so as set out in this Privacy Notice.
On occasion we also receive information from the families, friends or carers of people who access health and social care services. It is the responsibility of the person providing the information to ensure they have permission to do so from the person whose experience is being shared.
Information about people who sign up to our newsletter
Information about our own staff and people applying to work with us
We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role and meet our legal and contractual responsibilities as an employer. Details can be found in the employee handbook or provided separately to job applicants.
2. How do we hold your information and keep it secure?
Electronic information that we collect is held in:
- Microsoft Office 365, including SharePoint, where access is restricted according to staff role. The data resides on servers in the UK.
- Email – All internal emails are sent securely. Where it is necessary to send an email containing personal information externally, the sender encrypts the email using Egress Switch. Access to shared email accounts is restricted according to job role.
- A secure digital database provided by The Ekko Group Ltd. whose servers are based in Ireland. We have a data processing agreement in place with them to ensure the data they hold is held in accordance with current UK data protection legislation.
- Mailchimp holds contact details for people who have signed up for our e-bulletin. Mailchimp has servers located in the US and has certified its compliance with the EU-U.S. Privacy Shield Framework.
- SurveyMonkey holds responses to surveys that are completed online anonymously via our website. SurveyMonkey has servers located in the US and has certified its compliance with the EU-U.S. Privacy Shield Framework.
Information that is held in paper format is held in secure, lockable storage where access is restricted to Healthwatch staff and relevant volunteers only, and destroyed as appropriate according to our retention policy.
3. How do we use your personal information and on what legal basis?
The personal information you have provided to us can be used for the following purposes:
- In our day-to-day work as the Health and Social Care watchdog in Surrey
- To facilitate the analysis of Health and Social Care provision nationally by Healthwatch England
- To send you our newsletter where you have requested it
- To respond to any queries you may have
- To improve the quality and safety of care through the publication of reports
We will never share your name or contact details unless:
- You have given us specific permission,
- We are required by law, for example to prevent abuse of an older person or child,
- We are permitted by law, for example where public interest overrides the need to keep the information confidential.
Whilst your name or contact details will not be shared, there may be instances where full anonymisation is not possible in order to make change happen on your behalf.
We do not use automated decision-making processes.
The legal grounds we rely on to process your information
In order to fulfil our role, Healthwatch Surrey invites people to provide information about their experiences of health and social care services. This is done on the understanding that, once collected, the information will be held, stored and processed under the legal basis of ‘public task’ (Article 6e of the GDPR). Where special category data is processed, this is done under the condition that the processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care (Article 9 (2)i of the GDPR).
Under UK law, in the Freedom of Information Act 2000, Healthwatch Surrey is designated as a public authority and it is anticipated that this designation will also be used in the forthcoming GDPR legislation.
4. How we share information with other organisations
We only share your information with other organisations in accordance with our legal basis as set out in this Privacy Notice.
We share information with four categories of third party organisations:
- Ekko Group Ltd provides our database and is a data processor on our behalf. Access to this secure database is restricted according to job role. We have a data processing agreement in place with Ekko to ensure the data they hold is held in accordance with current UK data protection legislation.
- We receive data from local Citizens Advice Bureaus (CABs). This data is captured at CAB level onto the CAB database and information relevant to Healthwatch Surrey is identified by Healthwatch Champions and uploaded into the Ekko database directly. Access is restricted according to job role.
- Where you share experiences about services based in other counties, we may share that information with the Healthwatch covering the relevant area. This would be done by secure email.
Additionally, when you share an experience with us, it will be included in our analysis of the health and social care services. We share this information in person or using secure electronic means with those responsible for health and social care services in Surrey and some of it is used in Healthwatch reports and publications to help influence the way services are delivered in the future.
We never share our mailing lists with any other organisation.
5. How long we keep and when we dispose of personal data
Personal data is deleted or securely destroyed at the end of its retention period. Retention periods are set out in our Retention Policy. Please contact us if you require further information.
6. Your right to access information about you
If you think we may hold personal data relating to you and want to see it, please write to us using the Contact Details below.
7. Complaints about how we look after or use your information
If you feel that we have not met our responsibilities under the current data protection legislation, you have a right to request an independent assessment from the Information Commissioner’s Office (ICO). You can find details on their website www.ico.org.uk.
8. Correcting or deleting your personal data
If you know that we are holding your personal data and believe that it may be wrong, or if you would like us to stop holding it, then you can contact us using the details below.
9. Our contact details and key roles
Healthwatch Surrey is data controller for all of the personal data that you provide us with. Any queries or concerns relating to the processing of personal data by or on behalf of Healthwatch Surrey may be sent to:
Healthwatch Surrey has designated Helen Anjomshoaa, Office Manager at Surrey Independent Living Council as a Data Protection Officer under Article 37 of the GDPR.