Introduction

Working as the responsible Data Processor on behalf of data controller organisations, in supporting this web application NHSML is committed to protecting the privacy and security of all the information we manage. This privacy statement explains how we collect, use, and share data within our Data Collection and Reporting Service (DCRS) platform. The DCRS platform is managed by the NHS ML and is used by a wide range of organisations UK-wide to facilitate efficient and secure social / public health data collection and reporting.

Data Collected

The wider DCRS platform allows each data controller organisation we support to flexibly record the programme data it needs. The types of data we allow to be recorded are:

• Personal information (e.g. name, address, date of birth, contact details, NHS number etc).
• Health & Wellbeing information (e.g. point in time diet, physical activity and wellbeing data. History of diagnosis, treatment, medications).
• Health & Wellbeing intentions and outcome information: (e.g. overall and incremental goal data, final outcome data).
• Group activity data: Data surrounding group-based activities (also allows inclusion of basic personal information, simple attendance and outcome recording).
• Supplementary data: This includes the ability for notetaking (for qualitative analysis) across any of the above data recording areas.
• System-generated data: User activity logs, access timestamps, operational worker and application usage data.

Data Use

The data collected through the DCRS platform is used to:

• Support service delivery and improve outcomes.
• Facilitate reporting and research.
• Comply with legal obligations for reporting and auditing.
• Ensure the security, performance, and functionality of the application.

As Data Processors we process personal and programme-related data under strict NHS and NHSML guidelines to ensure all information we manage on behalf of data controllers is handled securely and confidentially.

Data Sharing

The DCRS service does not share any data with third parties. Our data controller organisations who use DCRS always alert individuals via client consent processes of any data sharing they need to undertake for their work programmes prior to undertaking data collection. This gives the opportunity to opt-out and even where opting in, our data controller organisations are legally obliged to only share data in accordance with GDPR and UK data protection law.

Your Rights

Rights of those whose data is collected within the DCRS platform:

• Right to access a copy of your data.
• Right to request correction of any inaccurate or incomplete data.
• Right to request the deletion of your data, where applicable.
• Right to restrict or object to certain types of data processing.

To exercise your rights or to raise any concerns, please review our wider organisation privacy policy and find our privacy policy contact details (see link at end of page).

Data Security

We use a range of technical and organisational measures to protect your data from unauthorised access, loss, or misuse. These include encryption, regular system audits and secure data storage protocols.

Retention of Data

We retain personal data only for as long as the data controller requests in order to fulfil the purposes outlined in their own service policy documentation, unless a longer retention period is required or permitted by law.

Changes to This Privacy Statement

This privacy statement may be updated periodically to reflect changes in our practices or legal requirements. We encourage you to re-read this statement periodically to stay informed about how we are protecting your data.

Contact Information

If you have any questions or concerns about this privacy statement or our data practices, please contact us via https://www.midlandsandlancashirecsu.nhs.uk/statutory-notices/privacy-policy-2.