Accessibility tools

Privacy Policy

Surrey Healthy Children and Families LLP is a Limited Liability Company (LLP) that delivers NHS community healthcare services to children and families within Surrey and parts of North East Hampshire and Farnham. The LLP delivers these services via three providers (known as ‘provider organisations’). These are: CSH Surrey; First Community Health and Care (First Community); and Surrey and Borders Partnership NHS Foundation Trust (SABP). Together they jointly deliver the NHS community health service known as Children and Family Health Surrey.

The LLP is a Data Controller under Data Protection Legislation and our ICO registration number ZA243132. The company registration number is OC415159.

A list of services delivered through Children and Family Health Surrey can be found on our website. These services will either be provided by CSH Surrey, First Community or SABP.

This notice explains what information we collect, why we collect it and how we keep it secure. It also explains your rights and our legal obligation. We undertake information audits to establish clear lines on what personal data we hold and what we do with it. You can find more detailed information relating to the LLP providers within their privacy notices: CSH SurreySurrey and Borders Partnership NHS Trust and First Community Health and Care.


This privacy notice was last updated on 12 August 2022. If we use your personal data for any new purposes, updates will be made to the policy information and changes communicated, where necessary in accordance with current legislation. For all queries relating to our privacy policy, please contact the Data Protection Officer by emailing  

Our promise to you on how we use your information


CSH Surrey, First Community and Surrey and Borders Partnership NHS Foundation Trust are some of the many organisations working in the health and care system to improve care for children, young people, patients and the public.

Whenever you use a health or care service, important information about you or you child/children is collected to help ensure you/they get the best possible care and treatment.

The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness. All of these help to, provide better care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where allowed by law and would never be used for insurance or marketing purposes without your explicit consent.

You have a choice about whether you want your confidential patient information to be used in this way.

To find out more about the wider use of confidential information and to register your choice to opt-out if you do not want your data to be used in this way, visit If you do choose to opt-out you can still consent to your data being used for specific purposes.

If you are not happy with this use of information you do not need to do anything. You can change your choice at any time.


We may hold records about you which may include:

Personal information such as, name, address, date of birth, gender, telephone number (s), email address(s), next of kin, emergency contact information, ethnicity, disability, religion, registered GP, clinical information.


The LLP aims to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided, or plan to provide to you. Health records are held on paper and electronically, and we have a legal duty to keep these confidential, accurate and secure at all times in line with Data Protection Legislation.  

We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes, and is not sold on to any other third parties. Information is held for specified periods of time as set out in this policy under, your rights. The LLP has to provide a legal basis for the processing of your information under the UK General Data Protection Regulation (UK GDPR).

If we need to use your personal information for any reason beyond those stated within this policy, The LLP will communicate these changes before doing so.

How we keep in touch:

•    Text message 
•    Email
•    Telephone calls


When required to comply with the law. This may be in circumstances to:

Communicate when things go wrong, we have a duty to which is set out under The Health and Social Care Act 2008 (HSC) 2008.

To report incidents, set out in the HSC 2008.

Safeguard individuals, set out in the Safeguarding Vulnerable Groups Act 2006 and Children Act 1989 & 2004.

Notify officials of infectious diseases which present significant risk to human health and the wider public, set out in The Public Health Control of Disease Act 1984 and the Health Protection Notification Regulations 2010.

Support other organisations with their regulatory requirements e.g. CQC, ICO, support detection, investigation or to prevent a serious crime, monitor referral to treatment times and ensuring compliance with the NHS Constitution and the NHS Operating Framework, conduct audits to measure compliance with the law i.e. Confidentiality Audits, respond to the rights of individuals requests under data protection law, share information relating to vulnerable individuals  with emergency services in the event of an emergency - Civil Contingencies Act 2004.  To support court orders requiring us to share information.


To protect a person’s life. This may be in circumstances to:

Share information to safeguard an individual and therefore prevent harm. 


When carrying out legal requirements or government functions.

This may be in circumstances to:

Deliver care, when responding to complaints or concerns relating to the delivery of care, when monitoring pathways, to share information about a patient for their direct care (subject to both the common law duty of confidence, data protection legislation), and statutory duty under section 251B of the Health and Social Care Act 2012, to manage waiting lists, performance against national targets, activity monitoring e.g. number of referrals, when undertaking local clinical audits, commission funding for treatment and/or equipment.


This may be in circumstances to:

Support business functions e.g. raising system level tickets, arranging access to system, taking photos of service users to publish on twitter and interests’ websites, for general website enquiries, store next of kin data in the event of a medical emergency record of CCTV.



Under Data Protection Legislation, you have the right to obtain a copy of their personal records held by us; this is called a Subject Access Request (SAR). To obtain a copy of your medical records, please submit your request to:

The LLP Subject Access Request Team

CSH Surrey SAR Team, 4th Floor, Dukes Court, Woking, Surrey, GU21 5BH.


You will need to provide your information (e.g. full name, address, date of birth, Hospital/NHS number) and forms of identification. If you wish for another person to process your request on your behalf they will need to obtain your written permission to do so before we can provide copies of medical records. This ensures we are providing confidential information to authorised persons(s).

An individual may choose to nominate a representative (such as a solicitor or relative) to make a request on their behalf, however when this happens the request must be explicitly authorised by the person (e.g. evidenced by a signed letter of consent).

Those who hold Lasting Power of Attorney for Health and Welfare for an individual can apply for that individual’s records.

Further guidance and assistance can be obtained from the Subject Access Request Team.


Be informed about the collection and use of your personal data. This communication is achieved through this privacy policy.


Data Protection Legislation gives you the right to object to the processing personal data in some circumstances. This will depend on the legal basis (as described above). In order to formally object, you will need to do so verbally or in writing to: the Data Protection Officer by emailing​​.

Request the restriction of your personal data, however this will only applies when/if you contest the accuracy of the personal data, the data has been unlawfully processed and/if you oppose erasure and requests.

You can make a request for restriction verbally or in writing to:  the Data Protection Officer by emailing​​.


Have inaccurate personal data rectified, or completed if it is incomplete.

The legislation states that, 'personal data is inaccurate if it is incorrect or misleading as to any matter of fact'. You can make a request for rectification verbally or in writing to:​​.


When you are providing this for the purpose of processing your personal data and activity, you will always have the freely given right to actively accept and withdraw.

The LLP manages consent when processing data in the following ways:

Regularly reviewing consents to check that the relationship with you and the purpose for processing information has not changed. By having appropriate processes in place to refresh consent at appropriate intervals, including any parental consents. Acting on withdrawals of consent as soon as reasonably possible.

The following GDPR articles provide the legal basis for the use and process of this information:

Article 6 (1) (e) the data subject has freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Article 9 (2)(a)  the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

Article 9 (2)(d)  processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;


Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for the specific purposes. The LLP will regularly review the length of time we keep your personal data and securely delete information that is no longer needed for the purposes it was originally intended. This process will enable clear and accurate data, keeping it up to date, available and confidential.


In circumstances where we need to share your personal data; we will always ensure this is conducted lawfully and account the justifications for doing so. When data sharing external to our organisation, The LLP will always assess the potential benefits and risks to you and others, we will weigh the proportionality for the purpose and what we are trying achieve by this activity. We will also consider if the objective be achieved without sharing personal data and have measures to ensure adequate security is in place to protect the data when sharing this.


The LLP does not transport, store or share personal data outside of the European Economic area.


This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.


If you have any comments, queries or complaints about this Privacy Notice or the processing of your personal information please address these to: Quality and Governance Team, CSH Surrey, 4th Floor, Dukes Court, Duke Street, Woking GU21 5BH.


Alternatively, you are entitled to get in touch with the Information Commissioners Office (ICO). The Information Commissioners Office enforces and oversees the Data Protection Regulations. To find out more about the information rights in the public interest, further details can be found at: