Skip to the content


What is a Privacy Notice?

The EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A privacy notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

This is the privacy notice relating specifically to ECCH’s Adult Services.


ECCH as a Data Controller

ECCH is a data controller under the EU General Data Protection Regulation and the Data Protection Act 2018. Our legal name is the East Coast Community Healthcare C.I.C. Our head office address is:

Hamilton House

Battery Green Road



NR32 1DE


How to contact us

Please contact us if you have any questions about our privacy notice or information we hold about you:

Contact details of our Data Protection Officer

ECCH’s Data Protection Officer is:

Heather Howman

Deputy Director of Quality and Data Protection Officer


Additional Contact Information

ECCH Senior Information Risk Owner (SIRO) is:

Simon Bragg (

ECCH Caldicott Guardian is:

Noreen Cushen-Brewster (

Our Services

East Coast Community Healthcare (ECCH) are commissioned to provide a range of Adult Services across the Great Yarmouth and Waveney areas. Delivery of these services requires access to, and processing of, personal confidential and special category data. ECCH is committed to maintaining the highest levels of data protection and security part of which is ensuring that users of our services are fully aware of the information we are likely to collect, what we do with it, who it might be shared with, and the legal basis under which personal information is collected and processed. 


Services Provided

The services provided under this Privacy Notice include:


  • Cardiac Rehab and Specialist Nurses
  • CFS/ME
  • Community Dietetics
  • Community Matrons
  • Continence & Luts
  • Stomas Nurses
  • Community IV
  • Community Liaison
  • District Nursing
  • Emergency Intervention Vehicle
  • Frailty Service
  • Home Oxygen Service
  • Community Diabetes Service
  • Intermediate Care Beds
  • Specialist Palliative Care
  • Management of Community Equipment
  • Marie Curie
  • Matrons
  • Neurology
  • Occupational Therapy
  • Out of Hospital Services
  • Pharmacy and Medicines Management
  • Physiotherapy
  • Podiatry
  • Pulmonary Rehab and Specialist Nurses
  • Adults Speech and Language Therapy
  • Specialist Equipment
  • Specialist Nursing
  • Stroke and ESD
  • TB Control Team
  • Wheelchairs


This list may not be exhaustive as services will change from time to time in line with commissioning requirements.


Data Collected & Processed

While individual services use different data it will typically include collection and processing of the following personal data:

  • Name (current and previous)
  • Address (current and previous)
  • Postcode
  • Phone number
  • E-mail address
  • Date of Birth
  • NHS Number
  • Registered GP
  • Next of kin
  • Marital status
  • Occupation


Additionally the following types of special category data (data that is more sensitive) are likely to be collected:

  • Physical health information
  • Mental health information
  • Racial or ethnic origin
  • Language
  • Religious beliefs or other beliefs of a similar nature
  • Sexual preferences and sexual health

Legal Basis

We need to know your personal, sensitive and confidential data in order to provide care to you, under the General Data Protection Regulation we will be lawfully using your information in accordance with one or more of the following: -

  • Article 6, (a) you have given consent to the processing of your personal data for one or more specific purposes
  • Article 6 (c) processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6 (d) processing is necessary in order to protect your vital interests or those of another natural person
  • Article 6 e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 6 f) processing is necessary for our legitimate interests or the legitimate interests of a third party

Additionally, because we also process special category data we also comply with one or more of these additional conditions:

  • Article 9 (2) a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes
  • Article 9 (2) c) processing is necessary to protect the vital interest of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  • Article 9 (2) f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  • Article 9 (2) h) processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services…
  • Article 9 (2) i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…


Processing Your Personal Data

ECCH processes personal data for a number of reasons and in various ways – these are outlined below:

  • For the purpose of direct patient care, ECCH will ensure that any information collected about is you is initially provided by you, and where any additional information is collected or used, it will be with your explicit consent for that purpose or activity
  • For the provision of indirect care, and to maintain rules for use of information, ECCH uses a number of approved and secure services / systems to process information about you such as:
    • A nationally approved clinical records system (SystmOne)
    • Nationally approved pseudonimisation services to provide non-identifiable statistical information to commissioners and NHS bodies


Keeping your information confidential and safe

It is everyone’s legal right to expect that information held and used about them is safe and secure, and is only used for the agreed purpose(s). Everyone working for the NHS or supporting the NHS is subject to the Common Law Duty of Confidentiality. Information provided in confidence will only be used for the provision of direct care or for the purpose(s) advised with consent given by the patient, unless there are other specific circumstances covered by the current UK and European legislation. 

ECCH takes this responsibility very seriously and has ensured that it has robust and effective measures, process and procedures in place to achieve this expectation for you and the information we hold and process about you. 

Supporting this approach, under UK Legislation, NHS guidance and directions such as the Common Law Duty of Confidence and the NHS Confidentiality Code of Conduct, all our staff are required also to protect your information, tell you how your information will be used, and enable you to decide if and how your information will be shared.

The Data Protection Act (DPA) 2018 came into force in May 2018.  This Act places a responsibility on ECCH as a data controller to ensure that your information is collected and managed in a secure and confidential way.

The DPA also provides you with a right of access to personal information that ECCH holds about you (this applies equally to service users, members of staff and any other individual that ECCH may hold information about in its legal capacity). Requests for access to personal information we hold about you are called Subject Access Requests – see below for more information.

From 25th May 2018 new regulations come into force in the UK and across Europe, the General Data Protection Regulations (GDPR) provides additional protection for individuals and greater control over the way their data is used. ECCH is bound by, and complies with, the requirements of GDPR.

ECCH also issues an annual statement linked to its Information Governance compliance which identifies what governance and controls it has in place in line with legal and national guidance.

How will we use information about you?

Your information is used to deliver and improve the services that ECCH Adult Services provide. It may be used to:

  • Make sure services are planned to meet yours, and other patients’, needs in the future
  • Review the care given to you, and others, to make sure it is of the highest possible standard
  • Check and report on how effective ECCH has been in providing direct services to patients and the community and the services it has commissioned from other providers
  • To improve the efficiency of healthcare services, by sharing information with other organisations (sometimes non-NHS) for a specific, legally justified purpose that has been documented
  • Ensure that money is used properly to pay for the services it provides
  • Investigate complaints, legal claims or serious incidents
  • Make sure that ECCH gives value for money
  • Support ECCH when seeking reimbursement for treatment that has been provided (but the amount of information used will be the minimum necessary)
  • Fulfil contractual obligations as set out in the NHS Standard Contract


Information Sharing With Other NHS Agencies and Non-NHS Organisations

To support our functions, we may share your information for health purposes and for your benefit with other organisations such as NHS England, NHS Trusts, General Practitioners, etc. Information may also need to be shared with other non-NHS organisations.

Where information sharing is required with third parties, we will always have a relevant contractual obligation and Data Sharing Agreement in place and will not disclose any detailed health information without your explicit consent unless there are exceptional circumstances such as when the health or safety of others is at risk, where the law requires it, or to carry out a statutory function. 

We are required by law to report certain information to the appropriate authorities. This is only provided after formal permission has been given by a qualified health professional. There are occasions when we must pass on information, such as notification of new births and infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS), and where a formal court order has been issued.

Our guiding principle is that we hold your information in strictest confidence.

We may be asked to share basic information about you, such as your name and address which does not include sensitive information where ECCH holds such information. This would normally be to assist another organisation in the provision of care to you, or to carry out their own statutory duties. In these circumstances, where it is not practical to obtain your explicit consent, we will inform you through a Privacy Notice such as this one. 


Your right to withdraw consent

ECCH has its own local consent / opt out processes and mechanisms for preventing information to be shared or to restrict sharing.  However, it must be emphasised that this cannot be totally restricted and at times consent may be overridden especially in areas such as Safeguarding Children/Vulnerable Adults, Female Genital Mutilation (FGM) or the correct charging for services provided by the NHS (these are just some of the examples that may apply).

Where you wish to restrict your information across the NHS generally the process is the same for local and national schemes: You can opt out at any time by speaking to your GP Practice reception.

You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care unless one of the following criteria applies which means that it isn’t possible to opt out of having your information shared:

  • The information is used to support your direct care and treatment
  • You have consented to the use of your information for a specific purpose such as a research study
  • A mandatory legal requirement (such as a court order) exists.
  • The information released is not considered to be identifiable personal confidential data
  • The information is made available in anonymised form
  • The information is used to support the management of communicable diseases and other risks to public health under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002



Accessing your information

Under current legislation you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to ECCH. In line with all NHS organisations we comply with the Information Governance Alliance Records Management Code of Practice for Health and Social Care 2016.

Please note that this guidance not only defines how long an organisation should keep information for but also when it can be legitimately destroyed. That means there may be occasions where ECCH no longer has data because its retention was no longer required in line with this guidance.

Information may be destroyed via a combination of methods dependent on how it has been stored and which organisations may have been processing data on behalf of ECCH.

If you wish to make a SAR please email the Patient Liaison Team at:


Download pdf's:

ECCH Privacy Notice March 2019

ECCH Adult Services Privacy Notice March 2019

ECCH Health Improvement Privacy Notice March 2019

ECCH Childrens Services Privacy Notice March 2019

Fair Processing Notice Leaflet March 2019