You are here
We use personal data (information that relates to and identifies living people) and other information to help us to carry out our role as the regulator of health and adult social care services in England.
We will always make sure that your information is protected and treated securely. Any information about you that we hold, or details you give us, will be held in accordance with:
- the Data Protection Act 1998
- CQC's Information Governance Policy
- CQC's Code of Practice on Confidential Personal Information.
Information about people who use services & members of the public
Accessing medical records and other care records
We have powers under the Health and Social Care Act 2008 to access and use information – including personal and medical records – where we consider this is necessary for us to carry out our functions as a regulator. We also have powers to access and use information as part of our role protecting the rights of people whose rights are restricted under the Mental Health Act 1983.
For example, we check that care services are complying with the regulations regarding record keeping, care planning, consent, cooperating with other providers, and management of medicines.
We publish our guidance for our staff on accessing medical and care records. We usually look at only a small sample of these records during an inspection, often in anonymised form. In rare circumstances we may take a copy of parts of a person’s records.
If you do not want us to look at your personal information when we check services, tell your care provider. They can mark your records to show that you do not want us to see them.
If we know that you don’t want us to look at your information, we will respect your wishes, other than in rare circumstances explained in our Code of Practice on Confidential Personal Information.
Other information we receive from care services
Registered providers and managers of care services must tell us about certain events and incidents, including where they have received allegations of abuse, or where someone using the service is seriously injured. Care services also provide us with statistics including the number of complaints they have received.
This information will usually be anonymous, but we may ask for more information if there are concerns or issues that we need to explore further.
We sometimes look at records containing personal data, such as records relating to the handling of complaints. We do this to check how those services comply with their responsibilities.
We sometimes ask care providers for contact details of people who use their services so that we can seek their views as part of our inspection. If you don’t want us to contact you in this way, please tell your care provider.
Personal data that we receive from other sources
We receive information from people who use the services we regulate, their families, friends and carers. For example, we ask people to share their experiences of care with us. We also talk to people during inspections and receive letters, emails, telephone calls, comment cards and survey responses in which people tell us about care. These often contain personal data.
We also receive information that sometimes contains personal data from other sources, such as NHS England, other regulators, councils and the police.
We use this information to help us decide when, where and what to inspect, and to help us make our judgements when we inspect services.
Data and statistics
We receive data about organisations’ quality of care from NHS Digital, the trusted national provider of high-quality information, data and IT systems for health and social care.
We use three sources of data that contain personal information:
- Hospital Episode Statistics (HES),
- Mental Health data
- Office for National Statistics (ONS) mortality data
Find more information about what we hold and how we use these sources on the NHS Digital registers of approved data releases.
What data do we hold from NHS Digital that could potentially identify someone?
The data we hold include the following NHS Digital identifiable items:
- date of birth (patient),
- local patient identifier,
- postcode of patient,
- mother’s date of birth (in relation to maternity data),
- NHS number,
- birth date (baby, in relation to maternity data),
- date of death
Some of this information is unique to a person (NHS Number, local patient identifier), and others cannot uniquely identify a person (e.g. a postcode), but all data is stored and processed with the same robust security applied to identifiable data.
We need this information to help meet our purpose of ensuring safe, effective and compassionate, high-quality care. For example, we may compare death rates at different hospitals, look for unusually high infection rates, and check for appropriate use of the Mental Health Act.
NHS Digital send us this information because we meet their strict requirements on keeping it secure and only using it in a way that supports our work. Our powers under the Health and Social Care Act 2008 allow us to require NHS Digital to provide us with this information. Find out more about how we use data to monitor services.
Could others identify individuals from the data?
We may have to raise questions or concerns with a hospital directly; for example, if we are concerned about a hospital's death rates. This only happens in exceptional circumstances.
Under agreement of NHS Digital, we may send codes (hospital numbers) to the hospital to allow them to review their own medical records identifying specific patients to see if their care had been lacking in some way. These codes originate from the hospital and can only be used by hospital staff to identify patients who have been treated at that hospital. We always treat these codes with the utmost care, and we will never attempt to link this data with individuals’ names.
Concerns or objections about data provided by NHS Digital
If you have concerns about data that we receive from NHS Digital, or wish to object to your information being shared in this way, see the NHS Digital website.
We take care to ensure that our inspection reports and other publications do not identify people who use care services.
In some exceptional circumstances (for example, where a service is used by only a very small number of people) someone mentioned in a report could be identified. Where we think this may happen we will take care to include only the minimum necessary personal information, and we will discuss this with the person (or their family or representatives) before publication.
Information about care providers, registered persons, and people who work at care services
To carry out our role, we need personal data about people who provide, manage and work at care services.
The personal data that we obtain and use mainly relates to ‘registered persons’ (people who are registered with us to provide or manage services) ‘nominated individuals’ (senior persons within provider organisations who represent them in their dealings with CQC), and senior management who control the organisations we register. However, in the course of our work, we do obtain and use some information about other people who work for, with, or at those services too.
Applications to register
Anyone applying to be a ‘registered person’ will be asked to submit an application form. Applications are also submitted by organisations wishing to be registered.
We may also collect additional personal data, for example through interviews, by asking them to undertake Disclosure and Barring Service (DBS) checks, or through our partner organisations or publicly available sources.
This personal data will be used to make decisions regarding registration and may also be used in the course of our subsequent regulation of the services they provide or manage.
We may share personal data we obtain in the course of our activities with other organisations where we need to do this to carry out our role, or to assist those bodies in their roles. For example, we may make referrals to the DBS or professional regulators, or may share information with NHS England, NHS Improvement or service commissioners or other regulatory bodies to assist them in their work.
We are required to publish a register of providers and managers of the services we regulate. Entries on this register can be viewed by searching our website. The published register includes the names of registered providers and managers, and of nominated individuals, along with contact details.
We ask providers and managers for email addresses so we can contact them for reasons relating to our role – for example, to send official notices, to request information that we need, or to share relevant guidance and information.
These email addresses do not form part of the public register and are not published.
We may share these email addresses with other public bodies where there is a lawful and legitimate reason to do so. We will not share email addresses with private organisations or for marketing purposes.
People who work at care services
In the course of our work, we do obtain some information about people who work at care services. For example, we sometimes look at training records or evidence of recruitment checks as part of our inspection of a care service.
We sometimes ask for staff contact details so that we can ask them about the services where they work.
Our inspection powers allow us to interview any person who works for a registered care provider in private. We take notes of these interviews and use the information that we receive to guide our inspections and make our regulatory judgements.
People who work for registered providers may also contact us to share concerns about services, or other information that may assist us in our work. Find out more about raising concerns about services where you work.
We consider the records of interviews, and other information we receive from people who work at care services, to be confidential, and we handle this information in accordance with the Data Protection Act 1998 and our Code of Practice on Confidential Personal Information. There may be times when we need to share this information with others. This includes where we believe a vulnerable person is at risk of harm, or when another organisation needs to take action to ensure the safety and quality of care.
Information about our own staff and people applying to work for or with us
We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role (for example, by ensuring that we have the right staff to perform our inspections) and so we can meet our legal and contractual responsibilities as an employer.
The personal data that we process includes information about racial or ethnic origin, religion, disability, gender and sexuality. We use this information to check we are promoting and ensuring diversity in our workforce and to make sure we are complying with equalities legislation.
Our employees decide whether or not to share this monitoring data with us, and can choose to withdraw their consent for this at any time. Employees who wish to withdraw their consent for us to process this data can contact the HR team.
Other personal data that we are required to process includes information on qualifications and experience, pay and performance, contact details, bank details, and service records (including records of continuous service and pension contributions/entitlements).
We check that people who work for us are fit and suitable for their roles. This may include asking people to undertake Disclosure and Barring Service (DBS) checks.
People joining CQC will be asked to complete a ‘declaration of interests’ form to identify any services we regulate to which they have close links (for example, because they have previously worked there or because the service is run by a close relative) or any other issues which could cause a perceived conflict of interest. Staff are regularly asked to update these forms.
We share information about our employees as required to meet our contractual obligations to them – for example, by sharing relevant information with pension service administrators.
We have a legal obligation to comply with the Freedom of Information Act 2000 and this may include the requirement to disclose some information about our employees – especially those in senior or public facing roles. We also publish some information about our staff, including the names and work contact details of people in some roles and information on the salary bands of all employees.
Information about people who use our website
We will only collect personal information volunteered by you via our website, such as:
- feedback from surveys and online forms.
- email addresses.
- preferred means of communication.
This personal information about you will be used to exercise our functions, and to improve the quality and safety of care.
This privacy statement covers the CQC site. This does not cover links within this site to other websites.
Online services – 'Your CQC account'
Any details we collect through your CQC account and our online notification and registration forms will be held in accordance with the Data Protection Act 1998 and CQC's Data Protection Policy on confidential and personal information.
Information that has been saved (or autosaved) in our online forms but not sent or submitted to us will not ordinarily be reviewed by us. In certain circumstances, or if we are required to as part of an investigation, we may need to view pending versions of forms.
Signing up to our e-newsletter
We use a third-party supplier to provide our e-newsletter service. If you subscribe to this service, your name and email address will be shared with them.
The third-party supplier handles the data purely to provide this service on our behalf. This supplier observes the requirements of the Data Protection Act 1998 in how they obtain, handle and process your information. They will not make your data available to anyone other than CQC without your permission.
How we share information with other organisations
We only share personal data with other organisations where it is lawful to do so and in accordance with our Code of Practice on Confidential Personal Information. We do not use personal data for direct marketing (promoting or selling goods, services etc.) or share information with anyone else who will use it for direct marketing, unless you have specifically consented to this.
We sometimes use other organisations to process personal data on our behalf. Where we do this, those companies are required to follow the same rules and information security requirements as us, and are not permitted to reuse the data for other purposes.
We work with Experts by Experience and Specialist Advisors who are not employees of CQC, but who work with our inspection teams. We also coordinate the work of Second Opinion Appointed Doctors who provide an independent medical opinion for people whose rights are restricted under the Mental Health Act. We sometimes need to share personal data with these people, or with the organisations that support them on our behalf. For example, passing contact details of someone who has contacted CQC to an Expert by Experience so that they can telephone them to discuss their care. They work to our requirements and standards to ensure that they protect this information properly.
Retention and disposal of personal data
We publish a retention and disposal schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of its retention period.
Changes to the law – the General Data Protection Regulation (GDPR)
The GDPR will come into force in May 2018, and will replace much of the Data Protection Act 1998. We are working to ensure that we will process personal data in accordance with the requirements of the GDPR, once it comes into force.
Your right to access information about you
If you think we may hold your personal data and you want to see it, find out how to make a subject access request. We may ask you for proof of identity and a small fee before responding to your request.
Correcting or deleting your personal data
If you think that we may already hold your personal data, and you want us to correct information that you believe is wrong, or if you want us to delete your personal data or to stop processing it, then you have the right to object to the data being used or to ask for it to be corrected.
Please make your objection in writing by sending an email to: firstname.lastname@example.org
or send it by post to:
Information Rights Manager
Care Quality Commission
Newcastle upon Tyne
Sometimes we may need to refuse a request to delete, correct or stop processing personal data. For example this may be when we need to protect a vulnerable person from harm, or as a result of our legal obligations, or to help us carry out our functions.
Complaints about how we process personal data
If you are unhappy about how CQC processes your own personal data, or have any other complaint about our actions, find out how to make a complaint.
If you feel that we have not met our responsibilities under the Data Protection Act 1998, you have a right to request an independent assessment from the Information Commissioner’s Office (ICO). You can find more details on their website www.ico.org.uk.
Our contact details and key roles
The Care Quality Commission (CQC) is data controller for all personal data processed by CQC or on our behalf. Any issues relating to the processing of personal data by or on behalf of the CQC may be addressed to:
The Information Rights Manager
Care Quality Commission
Newcastle upon Tyne
Telephone: 03000 616161
CQC has not yet designated a Data Protection Officer under Article 37 of GDPR, but will do so by the time GDPR comes into force (May 2018), and will publish their details on this page.
CQC’s Caldicott Guardian is Professor Ted Baker, Chief Inspector of Hospitals. He can be contacted using the details above.
- Last updated:
- 17 October 2017