Fair Processing Notice (Privacy Notice)

NHS South, Central & West Commissioning Support Unit (SCW CSU) takes the storage and processing of personal data very seriously. We also believe in openness about how and why we will be receiving, collecting and processing information.

What is a fair processing notice and privacy notice?

The UK General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A Fair Processing Notice (FPN) is one way of providing this information. This is sometimes referred to as a Privacy Notice.

A fair processing notice should identify who the data controller is, with contact details for its Data Protection Officer (DPO). It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

NHS England is required to protect the public funds they administer. They may share information provided to them with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

Who we are and our Data Protection responsibilities 

A commissioning support unit is an organisation hosted by NHS England and is not a separate organisation in its own right. However, we operate as if we have all privacy responsibilities to ensure that we manage personal data in a professional, legal and ethical way.

For the purposes of the UK General Data Protection Regulation (UK GDPR) & Data Protection Act 2018 (the 'Act') the Controller is NHS England which hosts SCW.  NHS England is registered on the Data Protection Register with the Information Commissioner’s Office (ICO).  Their registration number is Z2950066 -and a copy of the registration is available through the ICO website.  SCW is also listed but we only act as a Controller when NHS England asks us to on their behalf.

Contacting us

South: Omega House, Eastleigh, Hampshire, SO50 5PB

West: South Plaza, Marlborough Street, Bristol, BS1 3NX

Our offices

Here is a complete list of all of our offices and details of how to contact us.

Who is our Data Protection Officer?

As we are a Commissioning Support Unit and are governed by NHS England, we are not required to appoint a Data Protection Officer. We have however identified an individual within SCW who will provide support to the organisation on Data Protection compliance and also support the Data Protection Officer for NHS England.

NHS England’s Data Protection Officer is:

Carol Mitchell, Head of Corporate Information Governance and Data Protection Officer
Transformation & Corporate Operations Directorate
NHS England
Quarry House
Quarry Hill

To contact the Data Protection Officer for NHS England please email: This email address is being protected from spambots. You need JavaScript enabled to view it.

To contact the Data Protection Lead for SCW please email This email address is being protected from spambots. You need JavaScript enabled to view it.  or telephone 02380627579

Should you wish to communicate with us by post please write to:

The Head of Information Governance
NHS South, Central and West Commissioning Support Unit
Floor 2
Omega House
Southampton Road
SO50 5PB

SCW also has a senior member of staff responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian. 

The contact details of our Caldicott Guardian are as follows:  

Laura Tully – Caldicott Guardian – email: This email address is being protected from spambots. You need JavaScript enabled to view it.

They both support another senior member of staff who is responsible for information risk and information security and is accountable to the Managing Director; this person is called the Senior Information Risk Owner (SIRO). 

The contact details of our SIRO are as follows:

Rod How – Executive Director of Finance - email: This email address is being protected from spambots. You need JavaScript enabled to view it.

Various SCW services and information collected about you

  • We may collect personal information about you in a number of ways:
  • Information you provide to us, in order to help you resolve and issue or to provide you with guidance;
  • Information provided as part of work we do, supporting clients to improve and deliver health services. This information will be collected and used under a defined legal basis and under strict conditions of privacy and confidentiality;
  • Information that may be passed to us from care providers in order to resolve questions or queries on your behalf.

The Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) give people control over what businesses and organisations can do with their data.

It applies to 'controllers' and 'processors' of data, which covers every organisation that handles people’s personal data at some point, whether it’s the data of customers, suppliers, the public or staff.  It’s therefore important that we as an organisation are compliant, and that all staff understand the implications of the legislation.

SCW acts as a Processor for our customers, who are also legally required to publish their own Privacy Notices. Where SCW is the Processor for organisations that are also a Controller, you will see us named in their Fair Processing Notice for the services we provide.

SCW provides a range of commissioning support services to various ICBs in England.

An ICB will be responsible for commissioning Health care services for the predetermined geographical area that it covers, to make sure a full range of services is available to the public living in the ICB's area. These commissioned services range from Acute Trust services e.g. your local hospital to Mental Health Services, GP practice services, Community Health Services (District Nursing, Pharmacies, Dental Practices), as well as many other health-related services you may have in your area.

The range of services that the ICBs contract SCW to provide include:

  • INSIGHTS Business Intelligence
  • Primary Care development
  • Digital Transformation
  • System Transformation
  • Public Health Action – Behaviour Change
  • Data Management Services
  • Data Services for Commissioning Regional Office (DSCRO)
  • Clinical Support Services
  • Individual Funding Requests (IFR)
  • Continuing Healthcare (CHC)
  • Financial Services
  • Contract Management
  • Communications and Engagement
  • Human Resources
  • Organisational Development
  • Information Governance 
  • Subject Access Requests (SARs)
  • Procurement
  • IT Services
  • Child Health Information Services
  • Governance Services including handling of Freedom of Information requests
  • Immunisation Management Service (IMS)

For more information on what we do please take a look at our services pages.

In order to carry out the services that we provide, some, but not all of these services, will require SCW staff to process relevant personal information in order to fulfil the contracted work on behalf of the ICBs. This information may in turn be provided back to the ICBs and General Practitioners (GPs) to support their commissioning, management and planning decisions for healthcare services.

Other purposes

Use of anonymised HES data adhering to HES statistical disclosure control rules.

SCW is part of NHS England and provides comprehensive BI services to a wide range of organisations to offer insight and intelligence on a commissioner’s health economy, supporting Integrated Care Boards (ICBs), their member GP practices, local authorities and other CSU Clients.

Other CSU clients may be organisations within a health and social care setting or companies where there is clear evidence of engagement with organisations that reside in a health and social care setting, both within the UK and internationally. 

As part of NHSE, SCW takes part in the National Fraud Initiative.

Transactional HR i.e. recruitment and payroll

Area of work Transactional HR
Processed on behalf of SCW customers
Purpose/s for processing Recruitment, employment, payroll purposes
Format Electronic, paper
Legitimate interests Not applicable
Personal data processed Name, date of birth, address, National Insurance number, employment assignment number
'special category' data processed Race, ethnicity, religion, sexual orientation, disability, relationship status
Transfer of the data outside the UK No
Retention period criteria used NHS Records Management Code of Practice 2021
The source the personal data originates NHS Jobs - application form, ID, Right to work documents, applicant/employee
Whether the processing of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to process the personal data Statutory requirements to process - Require personal data to establish individual's right to work status/carry out pre-employment checks. Require personal data to input new employee's details onto Electronic Staff Record to receive salary
The existence of automated decision-making None

Job applicants, current and former employees

When individuals apply to work at SCW we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Disclosure Barring Service, consent is obtained during the application process unless the disclosure is required by law.

How long do we hold information for?

All records held by SCW will be kept for the duration specified by national guidance from NHS Digital, Records Management Code of Practice. Once information that we hold has been identified for destruction, it will be disposed of in the most appropriate way for the type of information it is. Personal confidential and commercially sensitive information will be disposed of by approved and secure confidential waste procedures.

What are your rights under data protection legislation

You have the right to be informed of the processing that takes place within an organisation that might require the processing of personal or special categories of personal data.  For more information on the types of data please go to Your Information.

You have the right of access and are entitled to access the personal information we hold on you. You have the right to obtain this information in a Data Portability format; i.e. an electronic format of this information. This type of access is referred to as a Subject Access Request. Any requests made will be jointly managed by both the ICB and SCW staff (where this is appropriate and we are under contract to do so) unless you specifically state in your request that you do not wish this to happen.

You can exercise the right to have your information only to be processed for your Direct Care, please see the section on National Data Opt-Out for further details.

Should you wish to exercise this right please contact: 

Governance Team
SCW Commissioning Support Unit
Omega House
SO50 5PB

You have the right to rectification meaning that if you are aware of a mistake in the information held on you then contact the service you supplied your information to for rectification of your record.

You have the right to object to how personal data about you is processed, in some instances. You have right to object to your data being shared with others or used, for example, in research or statistical processes. We must respond to your request within one month, although we may extend this time in certain circumstances. We can also refuse an objection in certain circumstances. If you do not wish to consent to your personal information being shared with us, or have any concerns or questions about the use of your personal information, please contact us should you wish to discuss this.

Your right to erasure means you have the right to ‘be forgotten’ unless there is an overriding legal requirement to retain the information held on you. It is a statutory responsibility for the NHS to retain a record of health care events; i.e. a medical record. All health-related records are held in line with the NHSx Records Management Code of Practice - 2021 retention schedules unless otherwise stated.

If you wish to discuss the content of your medical record, then please contact the medical record-holding organisation to address your concerns.

You have the right to restrict processing or suppress the use of your personal data. However, it is a statutory responsibility for the NHS to retain a record of health care events; i.e. a medical record.

If you wish to discuss the content of your medical record, then please contact the medical record-holding organisation to address your concerns.

If you wish to withhold your consent to share your personal information, it may seriously impact the services and responses we can offer you. The individual teams that have requested your consent for processing will be able to help with any concerns you may have with the use of your personal information.

Your right to withdraw consent, where we have used consent as the legal basis to process your personal data. Please contact us should you wish to discuss this.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. If you have any concerns about this or feel that our collection or use of information is unfair, misleading or inappropriate, you can contact NHS England on 0300 311 22 33 or This email address is being protected from spambots. You need JavaScript enabled to view it.. Please write 'Complaints' in the subject line.

Postal requests should be directed to:

NHS England Customer Contact Centre
PO Box 16738
B97 9PT

For further information go to NHS England Complaints.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This Fair Processing notice was last updated in December 2022.

Further information

You can find out more information on the range of services that NHS England is responsible for along with additional fair processing information here - NHS England Privacy Notice.

Information Commissioner's Office

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office
Wycliffe House
Water Lane

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: This email address is being protected from spambots. You need JavaScript enabled to view it.  or visit the ICO website.