Privacy statement

Page last updated: 21 February 2024

We use personal data (information that relates to and identifies living people) and other information to help us to carry out our role as the regulator of health and adult social care services in England.

More about our purpose and role.

We will always make sure that your information is protected and treated securely. Any information about you that we hold, or details you give us, will be held in accordance with:

  • Data protection law - the General Data Protection Regulation (GDPR) and the Data Protection Act 2018
  • CQC's Information Governance Policies
  • CQC's Code of Practice on Confidential Personal Information.

Healthwatch England, the Maternity and Newborn Safety Investigations (MNSI) programme, and the ‘Freedom to Speak Up’ National Guardian’s Office are hosted by CQC and follow the same rules and policies on processing personal data.

Information about people who use services and members of the public

How we may access and use your personal and medical records

We have powers under the Health and Social Care Act 2008 to access and use information – including personal and medical records – where we consider this is necessary for us to carry out our functions as a regulator. We also have powers to access and use information as part of our role protecting the rights of people whose rights are restricted under the Mental Health Act 1983, and powers under the Health and Safety at Work Act 1974.

For example, we check that care services are complying with the regulations regarding record keeping, care planning, consent, cooperating with other providers, and management of medicines.

We publish our guidance for our staff on accessing medical and care records. We usually look at only a small sample of these records during an inspection, often in anonymised form. In rare circumstances we may take a copy of parts of a person’s records.

If you do not want us to look at your personal information when we check services as part of an inspection process, tell your care provider. They can mark your records to show that you do not want us to see them.

If we know that you don’t want us to look at your information as part of an inspection process, we will respect your wishes, other than in rare circumstances which are explained in our Code of Practice on Confidential Personal Information.

Other information we receive from care services

Registered providers and managers of care services must tell us about certain events and incidents, including where they have received allegations of abuse, or where someone using the service is seriously injured. Care services also provide us with statistics including the number of complaints they have received.

This information will usually be anonymous, but we may ask for more information if there are concerns or issues that we need to explore further.

Under Regulation 17 of the Care Quality Commission (Registration) Regulations 2009 providers must notify us of the death of a service user who is liable to be detained in their service. In this case we ask for the name and date of birth of the person who died. This is so we can get cause of death information from coroners. GDPR does not apply to information about deceased persons but we will handle the information as confidential. As you are required to notify us of the death, doing so will not breach your own duty of confidentiality to the deceased person under common law. 

We sometimes look at records containing personal data, such as records relating to the handling of complaints. We do this to check how those services comply with their responsibilities.

We sometimes ask care providers for contact details of people who use their services so that we can seek their views as part of our inspection. If you don’t want us to contact you in this way, please tell your care provider.

Personal data that we receive from other sources

We receive information from people who use the services we regulate, their families, friends and carers. For example, we ask people to share their experiences of care with us. We also talk to people during inspections and receive letters, emails, phone calls, comment cards and survey responses and via social media in which people tell us about care. These often contain personal data.

We also receive information that sometimes contains personal data from other sources, such as NHS England, other regulators, councils and the police.

We use this information to help us decide when, where and what to inspect, and to help us make our judgements when we inspect services.

Data and statistics

We receive data about organisations’ quality of care from NHS Digital, the trusted national provider of high-quality information, data and IT systems for health and social care.

We use these sources of data that contain personal information:

Find more information about what we hold and how we use these sources on the NHS Digital registers of approved data releases.

What data do we hold from NHS Digital that could potentially identify someone?

The data we hold include the following NHS Digital identifiable items:

  • local patient identifier
  • postcode of patient,
  • date of death

Some of this information is unique to a person (for example, local patient identifier), while postcode cannot uniquely identify a person, but all data is stored and processed with the same robust security applied to identifiable data.

We need this information to help meet our purpose of ensuring safe, effective and compassionate, high-quality care. For example, we may compare death rates at different hospitals, look for unusually high infection rates, and check for appropriate use of the Mental Health Act.

NHS Digital send us this information because we meet their strict requirements on keeping it secure and only using it in a way that supports our work. Our powers under the Health and Social Care Act 2008 allow us to require NHS Digital to provide us with this information. Find out more about how we use data to monitor services.

Could others identify individuals from the data?

We may have to raise questions or concerns with a hospital directly; for example, if we are concerned about a hospital's death rates. This only happens in exceptional circumstances.

Under agreement of NHS Digital, we may send codes (hospital numbers) to the hospital to allow them to review their own medical records identifying specific patients to see if their care had been lacking in some way. These codes originate from the hospital and can only be used by hospital staff to identify patients who have been treated at that hospital. We always treat these codes with the utmost care, and we will never attempt to link this data with individuals’ names.

National data opt-out policy

CQC has legal powers to obtain information, including patient-identifiable data, that we need to carry out our role. The national data opt-out policy does not allow NHS service users to opt-out of the use of data where such powers are set out in law. CQC may still access your information if you have registered a national data opt-out. CQC is subject to strict, legal restrictions on the disclosure of confidential personal information. This is in compliance with the national data opt-out policy. Find out more about the national data opt-out programme.

Publishing information

We take care to ensure that our inspection reports and other publications do not identify people who use care services.

In some exceptional circumstances (for example, where a service is used by only a very small number of people) someone mentioned in a report could be identified. Where we think this may happen we will take care to include only the minimum necessary personal information, and we will discuss this with the person (or their family or representatives) before publication.

Information about care providers, registered persons, and people who work at care services

To carry out our role, we need personal data about people who provide, manage and work at care services.

The personal data that we obtain and use mainly relates to ‘registered persons’ (people who are registered with us to provide or manage services) ‘nominated individuals’ (senior persons within provider organisations who represent them in their dealings with CQC), and senior management who control the organisations we register. However, in the course of our work, we do obtain and use some information about other people who work for, with, or at those services too.

Applications to register

Anyone applying to be a ‘registered person’ will be asked to submit an application form. Applications are also submitted by organisations wishing to be registered.

We may also collect additional personal data, for example through interviews, by asking them to undertake Disclosure and Barring Service (DBS) checks, or through our partner organisations or publicly available sources.

This personal data will be used to make decisions regarding registration and may also be used in the course of our subsequent regulation of the services they provide or manage.

We may share personal data we obtain in the course of our activities with other organisations where we need to do this to carry out our role, or to assist those bodies in their roles. For example, we may make referrals to the DBS or professional regulators, or may share information with NHS England, NHS Improvement or service commissioners or other regulatory bodies to assist them in their work.

We are required to publish a register of providers and managers of the services we regulate. Entries on this register can be viewed by searching our website. The published register includes the names of registered providers and managers, and of nominated individuals, along with contact details.

Email addresses

We ask providers and managers for email addresses so we can contact them for reasons relating to our role – for example, to send official notices, to request information that we need, or to share relevant guidance and information.

These email addresses do not form part of the public register and are not published.

We may share these email addresses with other public bodies where there is a lawful and legitimate reason to do so. We will not share email addresses with private organisations or for marketing purposes.

People who work at care services

In the course of our work, we do obtain some information about people who work at care services. For example, we sometimes look at training records or evidence of recruitment checks as part of our inspection of a care service.

We sometimes ask for staff contact details so that we can ask them about the services where they work.

Our inspection powers allow us to interview any person who works for a registered care provider in private. We take notes of these interviews and use the information that we receive to guide our inspections and make our regulatory judgements.

People who work for registered providers may also contact us to share concerns about services, or other information that may assist us in our work. Find out more about raising concerns about services where you work.

We consider the records of interviews, and other information we receive from people who work at care services, to be confidential, and we handle this information in accordance with data protection law and our Code of Practice on Confidential Personal Information. There may be times when we need to share this information with others. This includes where we believe a vulnerable person is at risk of harm, or when another organisation needs to take action to ensure the safety and quality of care.

Information about our own staff and people applying to work for or with us

We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role (for example, by ensuring that we have the right staff to perform our inspections) and so we can meet our legal and contractual responsibilities as an employer.

The personal data that we process includes information about racial or ethnic origin, religion, disability, gender and sexuality. We use this information to check we are promoting and ensuring diversity in our workforce and to make sure we are complying with equalities legislation.

Our employees decide whether or not to share this monitoring data with us, and can choose to withdraw their consent for this at any time. Employees who wish to withdraw their consent for us to process this data can contact the HR team.

Other personal data that we are required to process includes information on qualifications and experience, pay and performance, contact details, bank details, and service records (including records of continuous service and pension contributions/entitlements).

We check that people who work for us are fit and suitable for their roles. This may include asking people to undertake Disclosure and Barring Service (DBS) checks.

People joining CQC will be asked to complete a ‘declaration of interests’ form to identify any services we regulate to which they have close links (for example, because they have previously worked there or because the service is run by a close relative) or any other issues which could cause a perceived conflict of interest. Staff are regularly asked to update these forms.

We share information about our employees as required to meet our contractual obligations to them – for example, by sharing relevant personal data with pension service administrators. We also share personal data where required by law – for example, by providing information about our employees to HMRC.

We have a legal obligation to comply with the Freedom of Information Act 2000 and this may include the requirement to disclose some information about our employees – especially those in senior or public facing roles. We also publish some information about our staff, including the names and work contact details of people in some roles and information on the salary bands of all employees.

Information about people who use our website

We will only collect personal information volunteered by you via our website, such as:

  • feedback from surveys and online forms.
  • email addresses.
  • preferred means of communication.

This personal information about you will be used to exercise our functions, and to improve the quality and safety of care.

We use Google Analytics to monitor use of our website. Google Analytics uses cookies to help analyse how people use our site, and this information will include your IP address and the pages you visit. You may refuse the use of cookies using your browser’s settings.

This privacy statement covers the CQC site. This does not cover links within this site to other websites.

Online services – 'Your CQC account'

Any details we collect through your CQC account and our online notification and registration forms will be held in accordance with data protection law, CQC's Data Protection Policy and Code of Practice on Confidential Personal Information.

Information that has been saved (or autosaved) in our online forms but not sent or submitted to us will not ordinarily be reviewed by us. In certain circumstances, or if we are required to as part of an investigation, we may need to view pending versions of forms.

Signing up to our e-newsletter

We use a third-party supplier to provide our e-newsletter service. If you subscribe to this service, your name and email address will be shared with them.

The third-party supplier handles the data purely to provide this service on our behalf. This supplier observes the requirements of data protection law in how they obtain, handle and process your information. They will not make your data available to anyone other than CQC without your permission.

Consultation responses

We carry out consultation exercises to help us develop our plans and policies. We collect responses from people who use services, care professionals and other organisations.

We have a lawful basis to process personal data collected from consultation responses as processing is necessary to meet our legal obligations and to carry out our role.

We will store personal information securely and use it strictly for analysis only. Once a consultation ends, we store responses according to our retention and destruction schedule.

For some consultations we engage a specialist company to analyse results. Our agreement with such companies covers information security and data protection.

You have the right to withdraw your consultation response from our analysis at any point before we have completed it. To do this, email the address given for that consultation.

How we share information with other organisations

We publish information about how we work with other organisations.

We only share personal data with other organisations where it is lawful to do so and in accordance with our Code of Practice on Confidential Personal Information. We do not use personal data for direct marketing (promoting or selling goods, services etc.) or share information with anyone else who will use it for direct marketing, unless you have specifically consented to this.

We sometimes use other organisations to process personal data on our behalf. Where we do this, those companies are required to follow the same rules and information security requirements as us, and are not permitted to reuse the data for other purposes.

We work with Experts by Experience, Mental Health Reviewers and Specialist Advisors who are not employees of CQC, but who work with our inspection teams. We also coordinate the work of Second Opinion Appointed Doctors who provide an independent medical opinion for people whose rights are restricted under the Mental Health Act. We sometimes need to share personal data with these people, or with the organisations that support them on our behalf. For example, passing contact details of someone who has contacted CQC to an Expert by Experience so that they can telephone them to discuss their care. They work to our requirements and standards to ensure that they protect this information properly.

We sometimes have to take part in independent inquiries, investigations and reviews. This can mean we have to securely share information with them.

Statutory public inquiries are governed by the Inquiries Act 2005 (“the 2005 Act”), and the associated inquiries rules. Under the 2005 Act, an inquiry may require us to provide evidence. This may include personal data relating to the inquiry's terms of reference. The inquiries rules also set out how information can be shared and disclosed.

Investigations and reviews which are not statutory inquiries do not usually have powers to require us to provide information. We will only release personal data to these investigations and reviews where we are satisfied that:

  • it is lawful and proportionate to do so, and
  • confidential personal information will be properly protected in accordance with the law.

We are currently participating in and responding to requests from the UK Covid-19 Public Inquiry. The inquiry has been set up under the 2005 Act to examine the UK’s response to and impact of the Covid-19 pandemic. We will need to respond to questions and requests received from the Inquiry

More information about the UK Covid-19 Public Inquiry, including the terms of reference and scope of activity.

Retention and disposal of personal data

We publish a retention and disposal schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of its retention period.

This document also shows the legal basis under Article 6 of GDPR for processing each type of record and document. Where records and documents contain ‘special category’ personal data (such as health information, or information about a person’s racial or ethnic origin, religious or philosophical beliefs, or sex life or sexuality), the document also shows the legal basis under Article 9 for CQC’s processing of that information.

Your rights

Your right to access information about you

If you think we may hold your personal data, you have a right to receive a copy of your personal data that we hold, and to information about how and why your personal data has been processed by CQC. You can find out how to make a subject access request. We may ask you for proof of identity before we can provide you with your personal data.

You can ask us to provide your personal data to you in your preferred format, including as paper copy or in a machine-readable form.

Correcting your personal data

If you think that the information we hold about you may be wrong or incomplete, you can ask us to correct it. We will usually respond to you within one month to inform you of the action we have taken. If we need to refuse your request to correct your personal data, we will explain the reasons for this to you.

Erasing your personal data (your 'right to be forgotten')

You have the right to ask us to erase your personal data that we hold where:

  • We no longer need to use that personal data for the purpose for which it was originally obtained, or
  • We are relying upon your consent to hold that personal data, and you wish to withdraw that consent (please note: we do not rely on consent to hold personal data that we need for the purpose of our regulatory functions), or
  • You object to our holding and use of your personal data, and we do not have an overriding reason why we need to keep doing so, or
  • We have processed your personal data unlawfully.

We will usually respond to you within one month to inform you of the action we have taken. If we need to refuse your request to correct your personal data, we will explain the reasons for this to you.

Restricting, or objecting to, how we use your personal data

You have the right to ask CQC not to process your personal data in ways which you object to – for example, not to share it with anyone.

You can do this where you feel that the personal data is inaccurate, has been unlawfully processed by CQC and you object to its erasure, or is no longer needed for the purpose for which it was originally obtained but you require it for the conduct of legal proceedings.

You can also object to our processing of your personal data, on grounds relating to your particular situation.

We will usually respond to you within one month to inform you of the action we have taken. If we need to refuse your request to correct your personal data, we will explain the reasons for this to you.

Transfers of personal data

We design and operate our systems and processes to ensure that your personal data is as safe as possible. All personal data is stored within the UK or the European Economic Area (EEA).

We use data processors. They are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we instruct them to do it.

The delivery of those services may include transfers of personal data outside of the UK or EEA. This will only be allowed where international data transfer agreements (also called standard contractual clauses) are in place. This ensures appropriate safeguards are applied to protect personal data under GDPR.

Contacting CQC about your personal data

If you are unhappy about how CQC processes your own personal data, wish to exercise your rights in relation to your personal data, or need to contact us about our processing of personal data, please use the contact details below.

For any other complaint about our actions, find out how to make a complaint.

If you feel that we have not met our responsibilities under data protection law, you have a right to request an independent assessment from the Information Commissioner’s Office (ICO).

Our contact details and key roles

The Care Quality Commission (CQC) is data controller for all personal data processed by CQC or on our behalf. Any issues relating to the processing of personal data by or on behalf of the CQC may be addressed to:

The Information Rights Manager
Care Quality Commission
Newcastle upon Tyne

Telephone: 03000 616161


CQC’s Data Protection Officer (DPO) under Article 37 of the GDPR is Nimali De Silva, Head of Governance and Legal Services. The DPO’s role is to monitor and advise CQC on meeting its data protection responsibilities. The DPO can be contacted using the details above.

CQC’s Caldicott Guardian is Dr Sean O'Kelly, Chief Inspector of Healthcare. He can be contacted using the details above.