Fair Processing

SCW takes the storage and processing of personal data very seriously. We also believe in openness about how and why we will be receiving, collecting and processing information.

What is a fair processing notice and privacy notice?

The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A fair processing notice is one way of providing this information. This is sometimes referred to as a privacy notice.

A fair processing notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

As part of NHSE, SCW takes part in the National Fraud Initiative

NHS England and NHS Improvement are required to protect the public funds they administer. They may share information provided to them with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

Our Data Protection responsibilities and how to contact us

For the purposes of the Data Protection Act 2018 (the 'Act') the Controller is NHS England which hosts SCW.  NHS England is registered on the Data Protection Register with the Information Commissioner’s Office (ICO).  Their registration number is Z2950066 -and a copy of the registration is available through the ICO website.  SCW is also listed but we only act as a Controller when NHS England asks us to on their behalf.

A Clinical Commissioning Group (CCG) will be responsible for commissioning Health care services for the predetermined geographical area that it covers, to make sure a full range of services is available to the public living in the CCGs area.

South: Omega House, Eastleigh, Hampshire, SO50 5PB

West: South Plaza, Marlborough Street, Bristol, BS1 3NX

Here is a complete list of all of our offices and details of how to contact us.

The Data Protection Act 2018 and General Data Protection Regulation (GDPR) gives people better control over what businesses and organisations can do with their data. It also makes data protection laws identical across all EU countries, making things clearer and simpler for everyone.

It applies to 'controllers' and 'processors' of data, which covers every organisation that handles people’s personal data at some point, whether it’s the data of customers, suppliers, the public or staff.  It’s therefore important that we as an organisation are compliant, and that all staff understand the implications of the new legislation.

SCW acts as a Processor for our customers, who are also legally required to publish their own Privacy Notices. Where SCW is the Processor for organisations that are also a Controller, you will see us named in their Fair Processing Notice for the services we provide.

SCW provides a range of commissioning support services to various CCGs in England.

A CCG will be responsible for commissioning Health care services for the predetermined geographical area that it covers, to make sure a full range of services is available to the public living in the CCG's area. These commissioned services range from Acute Trust services e.g. your local hospital to Mental Health Services, GP practice services, Community Health Services (District Nursing, Pharmacies, Dental Practices), as well as many other health-related services you may have in your area.

The range of services that the CCGs contract SCW to provide includes:

  • INSIGHTS Business Intelligence
  • Primary Care development
  • Digital Transformation
  • System Transformation
  • Public Health Action – Behaviour Change
  • Data Management Services
  • Data Services for Commissioning Regional Office (DSCRO)
  • Clinical Support Services
  • Financial Services
  • Contract Management
  • Communications and Engagement
  • Human Resources
  • Organisational Development
  • Information Governance
  • Procurement
  • IT Services
  • Child Health Information Services
  • Governance Services including handling of Freedom of Information requests

For more information on what we do please take a look at our services pages.

In order to carry out the services that we provide, some, but not all of these services, will require SCW staff to process relevant personal information in order to fulfil the contracted work on behalf of the CCG. This information may in turn be provided back to the CCGs and General Practitioners (GPs) to support their commissioning, management and planning decisions for healthcare services.

Who is our Data Protection Officer?

As we are a Commissioning Support Unit and are governed by NHS England, we are not required to appoint a Data Protection Officer. We have however identified an individual within SCW who will provide support to the organisation on Data Protection compliance and also support the Data Protection Officer for NHS England.

NHS England’s Data Protection Officer is:

Carol Mitchell, Head of Corporate Information Governance and Data Protection Officer
Transformation & Corporate Operations Directorate
NHS England
Quarry House
Quarry Hill
Leeds
LS2 7UE

To contact the Data Protection Officer for NHS England please E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

To contact the Data Protection Lead for SCW please e-mail This email address is being protected from spambots. You need JavaScript enabled to view it.  or telephone 02380627579

Should you wish to communicate with us by post please write to:

The Head of Information Governance
NHS South, Central and West Commissioning Support Unit
Floor 2,
Omega House
Southampton Road
Eastleigh
Hampshire
SO50 5PB

SCW also has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. 

The contact details of our Caldicott Guardian are as follows:  

Liam Williams – Director of Provider Management - email: This email address is being protected from spambots. You need JavaScript enabled to view it.

They both support another senior member of staff who is responsible for information risk and information security and is accountable to the Managing Director; this person is called the Senior Information Risk Owner (SIRO). 

The contact details of our SIRO are as follows:

Rod How – Executive Director of Finance - email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Transactional HR i.e. recruitment and payroll

Area of work Transactional HR
Processed on behalf of SCW customers
Purpose/s for processing Recruitment, employment, payroll purposes
Format Electronic, paper
Legitimate interests Not applicable
Personal data processed Name, date of birth, address, National Insurance number, employment assignment number
'special category' data processed Race, ethnicity, religion, sexual orientation, disability, relationship status
Transfer of the data outside the UK No
Retention period criteria used NHS Records Management Code of Practice 2016
The source the personal data originates NHS Jobs - application form, ID, Right to work documents, applicant/employee
Whether the processing of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to process the personal data Statutory requirements to process - Require personal data to establish individual's right to work status/carry out pre-employment checks. Require personal data to input new employee's details onto Electronic Staff Recorod to receive salary
The existence of automated decision-making None

Job applicants, current and former employees

When individuals apply to work at SCW we will use the information they supply to us to process their application and to monitor recruitment statistics.  Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure Barring Service, consent is obtained during the application process unless the disclosure is required by law.

How long do we hold information for?

All records held by SCW will be kept for the duration specified by national guidance from NHS Digital, Records Management Code of Practice. Once information that we hold has been identified for destruction, it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures.

Your rights under data protection legislation

You have the right to be informed of the processing that takes place within an organisation that might require the processing of personal or special categories of personal data.  For more information on the types of data please go to Your Information.

You have the right of access and are entitled to access the personal information we hold on you.  You have the right to obtain this information in a Data Portability format; i.e. an electronic format of this information. This type of access is referred to as a Subject Access Request. Any requests made will be jointly managed by both CCG and SCW staff (where this is appropriate and we are under contract to do so) unless you specifically state in your request that you do not wish this to happen.

You can exercise the right for your information only to be processed for your Direct Care, please see the section on National Data Opt-Out for further details.

Should you wish to exercise this right please contact: 

Governance Team
SCW Commissioning Support Unit
Omega House
Eastleigh
Hampshire
SO50 5PB

You have the right to rectification meaning that if you are aware of a mistake in the information held on you then contact the service you supplied your information to for rectification of your record.

If you do not wish to consent to your personal information being shared with us, or have any concerns or questions about the use of your personal information, you have the Right to Object. Please contact us should you wish to discuss this.

Your right to erasure means you have the right to ‘be forgotten’ unless there is an overriding legal requirement to retain the information held on you. It is a statutory responsibility for the NHS to retain a record of health care events; i.e. a medical record. All health-related records are held in line with the NHS Records Management Code of Practice 2016 retention schedules unless otherwise stated.

If you wish to discuss the content of your medical record then please contact the medical record-holding organisation to address your concerns.

You have the right to restrict processing or suppress the use of your personal data. However, it is a statutory responsibility for the NHS to retain a record of health care events; i.e. a medical record.

If you wish to discuss the content of your medical record then please contact the medical record-holding organisation to address your concerns.

If you wish to withhold your consent to share your personal information it may seriously impact the services and responses we can offer you. The individual teams that have requested your consent for processing will be able to help with any concerns you may have with the use of your personal information.

You can exercise the right for your information only to be processed for your Direct Care, please see the section on the National Data Opt-Out for further details.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. If you have any concerns about this or feel that our collection or use of information is unfair, misleading or inappropriate, you can contact NHS England on 0300 311 22 33 or This email address is being protected from spambots. You need JavaScript enabled to view it.. Please write 'Complaints' in the subject line.

Postal requests should be directed to:

NHS England Customer Contact Centre
PO Box 16738
Redditch
B97 9PT

For further information go to NHS England Complaints.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This Fair Processing notice was last updated in March 2019.

Further information

You can find out more information on the range of services that NHS England are responsible for along with additional fair processing information here NHS England Privacy Notice.

Information Commissioner's Office

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.  or visit the ICO website.