Privacy Policy

UK Data Protection Laws:

• UK General Data Protection Regulation (UK GDPR).
• Data Protection Act 2018 (DPA 18).

Personal data: Any information relating to an identifiable individual. This might include your name, NHS number, contact details. It can also be location data or an online identifier.

Special categories of personal data are defined as: Racial or ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, and biometrics (where used for identification) information concerning your health, sex life or sexual orientation.

Data Controller: An entity or individual that determines how and why personal data is processed.

Data Processor: A entity or individual that processes personal data on the behalf of the data controller.

Warwickshire Child and Family Wellbeing services are provided by HCRG Care Services Ltd. We are the data controller for any personal information we hold about you.

HCRG Care Services Ltd is a limited company registered in England and Wales, registered number 7557877. Registered office: The Heath Business and Technical Park, Runcorn, Cheshire, WA7 4QX. Part of the HCRG Care Group of companies.

This service is commissioned by Warwickshire County Council.

Please see our website for further information about the services we provide.

Service Manager

Isabel Main and Kerry Danesi – Crombie

0300 247 0072
wcfw.contact@hcrgcaregroup.com

1 Allerton Road,
Rugby,
CV23 0PA

Data Protection Officer

Deborah Tonkin

The Heath Business Park
Runcorn
Cheshire
WA7 4QX
via email: Ask.IG@hcrgcaregroup.com

We will collect ‘personal data’ about you such as your name, date of birth, address and contact details.  We may also ask you for more sensitive data, called ‘special category data’, such as your ethnicity and information about your health.

Health care professionals are required by law to maintain records about your health. Your health record may include:

• Your contact details.
• Information about the treatment or care you have received.
• Supporting information such as test results, letters, or reports.
• Relevant information from other health professionals, relatives or those who care for you.

These records help to provide you with the best possible healthcare.

In order for HCRG Care Ltd to legally process your information a ‘lawful basis’ needs to be identified.

Our legal basis for processing your personal information falls under one of the following legal bases:

• It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
• It is necessary for a legal obligation or such as responding to a request from a coroner.
• It is necessary for the purposes of our legitimate interests and does not prejudice your rights and freedoms.
• We have your explicit consent (where none of the above bases apply).

Our legal basis for processing special category data falls under one of the following legal bases:

• The provision of health or social care.
• Social protection law for safeguarding purposes.
• Where it is necessary to protect your vital interests – when you are physically or legally incapable of providing consent.
• It is necessary for reason of public interest in area of public health.
• For archiving purposes in the public interest.
• We have your explicit consent (where none of the above bases apply).

The information we hold about you is used to:

To provide services to you such as

• Diagnosis, treatment and follow up care (including sharing relevant information with healthcare professionals directly involved in your care).
• Preventative care.
• Providing social care.

To contact you regarding your care, such as

• Appointment reminders via different methods such i.e., SMS text message, telephone, or email.
• Health related updates.
• Service-related Surveys.
• Other important information relating to your care.

We may also use, or share, your information for the following purposes:

Quality, Improvement, and Research

• Training and education of staff and general public.
• Medical research (We will always seek your consent).
• Organisational research i.e., patient surveys (We will always seek your consent).
• Preparing statistics on NHS performance and activity.
• Investigating concerns, complaints, or legal claims.
• Internal quality improvement initiatives.

The Friends and Family Test (FFT)

NHS organisations including HCRG Care Group are required to use the Friends & Family Test (FFT) to capture feedback and submit response data to NHS England each month.

Patients can access the data which will then help them make informed choices about their future care. We collect feedback from a number of different channels, including SMS text messaging, online – via our HCRG Care Group website and paper questionnaires/feedback forms.

SMS Text Message Reminder Service

We provide a text messaging reminder service which automatically sends SMS messages to remind you of your appointments with us. We will not send any information which is not related to your direct care, and you have the option to opt out of this service if you wish by contacting the team you are in contact with.

• NHS England and NHS Digital
• Integrated Care Boards (ICB’s)
• Other health service providers such as hospitals, GPs, ambulance services, urgent care.
• Local Authorities
• Regulatory Bodies
• Trusted providers that host our IT, archiving, email and texting services and surveys.
• Child Health Information Services (CHIS)
• HCRG Care Group corporate teams who provide our ‘back office’ support – such as IT.
• Translation and interpretation services.
• Other HCRG Care Group services (where relevant for your care).

Please see Appendix A for more information about who we may share information with.

Your information is stored in secure locations and only accessible on a need-to-know basis. These include:

• Electronic Health Records (EHR’s) on our clinical systems.
• Secure Clinical Areas.
• Internal encrypted servers.
• Approved storage companies.

We will keep your healthcare records in accordance with the NHS Records Management Code of Practice for Health and Social Care.

Please note that due to a legal hold on the destruction of records by NHS England, we are currently not destroying records that have reached their retention period. This is to support ongoing statutory public inquiries including:

• UK Covid 19 Inquiry
• Infected Blood Public Inquiry
• Historic Child Sexual Abuse Inquiry

At HCRG Care Group, we take the security and privacy of your information extremely seriously.

We recognise that you trust us with sensitive and personal data, and we are fully committed to keeping it protected at all times.

We follow NHS and UK data protection standards to ensure your information is stored, shared, and managed securely and responsibly.

Here’s how we protect your data:

• Strong encryption: All data is protected with industry-standard encryption when stored and when sent, preventing unauthorised access or misuse.
• Strict access controls: Only staff who need access to your information to provide care or manage services can view it. We use secure logins, multi-factor authentication (MFA), and role-based access permissions.
• Secure infrastructure: Our systems are hosted in trusted, NHS-approved environments that hold ISO 27001 certification as a minimum and are supported by partners who maintain additional internationally recognised security standards. Firewalls, continuous monitoring, and round-the-clock security operations protect these environments.
• Regular testing and assurance: We conduct ongoing security testing, vulnerability assessments, and independent audits to make sure our systems remain robust and resilient.
• Incident management: In the unlikely event of a security incident, we have a clear and well-practised process for responding quickly, containing the issue, and notifying the appropriate authorities in line with NHS and legal requirements.
• NHS compliance: HCRG Care Group completes the NHS Data Security and Protection Toolkit (DSPT) every year and aligns its controls with NHS Digital and relevant other stakeholders.

Your trust, privacy, and safety are at the heart of everything we do, and we are committed to maintaining the highest standards of information security across all our services.

UK data protection laws provide you with the following rights:

The right to be informed

As a data controller, we are obliged to provide understandable and transparent information about the way we process your data (this is provided by our privacy policy)

The right of access

You are entitled to request a copy of the personal data we hold about you.

The right to rectification

You are entitled to request changes to information if it is inaccurate or incomplete.

The right to erasure

Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.

The right to restrict processing

Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data but will not process it any further.

The right to data portability

Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.

The right to object to processing

You have the right to object to our processing of your data where:

• Processing is based on legitimate interest.
• Processing involves automated decision-making and profiling.
• Processing would be for a purpose beyond your care and treatment, e.g., direct marketing and scientific or historic research.

You can opt-out to the sharing of this information under the National Data Opt-Out. Further information can be found on the following website: https://digital.nhs.uk/national-data-opt-out

How to request a copy of your information

Please email the Access to Records Team accesstorecordsteam@hcrgcaregroup.com or write to us at The Heath Business Park, Runcorn, Cheshire, WA7 4QX.

Keep us updated of any changes

Please let us know if you change your address or contact details etc. so that we can keep your information accurate and up to date.

In the event of the contract with the service and HCRG Care Group coming to an end, all relevant documentation and records will be transferred to the new provider (s).

The transfer of records will be conducted in accordance with the current UK Data Protection Law.

We will update this privacy notice from time to time to reflect any changes to our ways of working.

Date privacy notice last updated: January 2026.

EMIS Web – EMIS is an electronic patient record system (EPR). The system is supplied by EMIS Group Ltd, Egton Medical Information Systems Limited, Optum Health Solutions (Uk) Limited.

Chat Health – ChatHealth is a messaging platform which allows service users get confidential help and advice from healthcare professionals.

Temporary Notice in Respect of ‘Connect For Health’:

As detailed here, until 30 November 2025, ‘Connect for Health’ will continue to deliver the School Nursing service as usual in Warwickshire. From 1 December 2025, HCRG Care Group will deliver it.

Compass are working closely with HCRG Care Group to allow care to continue without interruption. To make that possible, between 01/12/25 – 31/03/26, Compass has entered into a formal information sharing agreement with HCRG to give HCRG Care Group read only access into Compass’ system to the health records of children and young people currently open to the Connect for Health Service.

This is required purely to enable continuity of care for only these children and young people. This read only access will be removed as soon as all such records have been transferred to HCRG or 31/03/26 whichever is sooner.

At all times, your information will remain confidential and used only for your care. 

Please see here for more information about your health records and how HCRG will collect, use and protect information.