First Community Privacy Policy
First Community Health and Care CIC (First Community) is a Data Controller and is registered with the Information Commissioner's Office (ICO); our registration number is Z2917115. Our registered address is Consort House, 5-7 Queensway, Redhill, RH1 1YB.
As an organisation, we are committed to protecting your information and respecting your privacy in accordance with the Data Protection Act 2018 (DPA18) and the UK General Data Protection Regulation (UK GDPR).
First Community is committed to digital transformation and will be improving the way that we communicate with patients by using SMS texts and email.
This notice explains what information we collect, why we collect it and how we keep it secure. It also explains your rights and our legal obligation. We undertake information audits to establish clear lines on what personal data we hold and what we do with it.
Notification of changes to this privacy notice
This privacy notice was last updated April 2025. If we use your personal data for any new purposes, updates will be made to the privacy notice and changes communicated, where necessary in accordance with current legislation. For all queries relating to our privacy policy, please email: FCHC.DPO@nhs.net.
How the NHS and care services use your information
First Community is one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as using Community Care services, important information about you is collected to help ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be provided to other approved organisations, where there is a legal basis, to help with planning services, improving care provided, research into developing new treatments and preventing illness.
All of these help to provide better care for you, your family and future generations. Confidential personal information about your health and care is only used in this way where permitted by law and would never be used for insurance or marketing purposes without your explicit consent.
You have a choice about whether you want your confidential patient information to be used in this way.
To find out more about the wider use of confidential information and to register your choice to opt out if you do not want your data to be used in this way, visit www.nhs.uk/my-data-choice
If you do choose to opt-out, you can still consent to your data being used for specific purposes. If you are not happy with this use of information you do not need to do anything. You can change your choice at any time.
For patients
How we use your information
What information do we collect?
If you are a patient, we hold records about you which may include: personal information such as name, address, date of birth, gender, telephone number(s), email address(es), preferred contact, emergency contact information, ethnicity, disability, religion, registered GP, clinical information.
The health professionals caring for you keep records about your health, treatment and care you receive with the NHS. The information in the record may come from you or other care providers e.g., GP, social care or hospital. The maintenance of these records will ensure that you receive the best possible care. These records may be held on paper or on a computer and they include:
- Basic personal details about you such as name, address, date of birth, preferred contact etc
- Contacts we have had with you such as appointment or clinic visits.
- Notes and reports about your health, treatment and care
- Results of x-rays, scans and laboratory tests
- Relevant information from people who care for you and know you well such as health professionals, relatives and carers.
It is essential that the details we hold about you are accurate and up to date so we will always check that your personal details are correct when you visit us and ask you to please inform us of any changes as soon as possible.
We will use data which you cannot be identified from when we are undertaking the planning and commissioning of local health and care services. This 'deidentified data' is effectively anonymised in accordance with the Information Commissioner's Office Code of Practice.
If you are not happy for your health data to be shared with the organisations detailed above, then you can object to this. To do so you should contact your Practice so they can discuss the potential impact this could have on your care and treatment.
If you do not wish for your de-identified data to be used for planning and commissioning of PCN services you are able to opt-out of this via the National Opt-Out - https://www.nhs.uk/your-nhs-data-matters/
Why do we collect this information?
First Community aims to provide you with the highest quality of health care. To do this we must keep records about you, your health and the care we have provided, or plan to provide to you. Health records are held on paper and electronically, and we have a legal duty to keep these confidential, accurate and secure at all times in line with the Data Protection Act 2018 (DPA18) and the UK General Data Protection Regulation (UK GDPR).
We aim to maintain high standards, adopt best practice for our record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold on to any other third parties. Information is held for specified periods of time as set out in this policy under your rights.
First Community has to provide a legal basis for the processing of your information under Data Protection legislation. If we need to use your personal information for any reason beyond those stated within this Privacy Notice, First Community will communicate these changes before starting any new processing activity.
How we keep in touch:
- Text message
- Telephone calls
Our obligations
We have a duty to:
- Inform you of the legal basis for processing your information, as required under Data Protection legislation.
We are fully committed to safeguarding personal information, including mobile numbers, in compliance with the Data Protection legislation. We understand the importance of privacy and confidentiality, and we strive to provide comprehensive healthcare services while respecting our patients' rights and preferences.
In certain instances, we may need to refer our patients to other healthcare organisations or specialists to ensure the best possible care. Your mobile number may be shared to facilitate the referral process and enable seamless communication between all involved parties. This sharing of mobile numbers is solely for the purpose of providing optimal care and treatment.
Version: October 2025
We have established robust partnerships with trusted healthcare providers and organisations that uphold strict data protection protocols and respect patient confidentiality. These collaborations ensure that your personal information remains secure and is used only for the intended purpose in accordance with applicable laws and regulations.
Here are some ways in which we may use your mobile number to enhance your healthcare experience:
- Appointment Reminders: We may send you text message reminders for upcoming appointments, helping you stay on track with your healthcare schedule.
- Test Results and Follow-ups: In certain cases, we may use your mobile number to communicate important test results or to schedule follow-up appointments or consultations.
- Health Campaigns and Information: Occasionally, we may share health-related campaigns, preventive care tips, or relevant educational information via text messages to support your overall well-being.
- Practice Updates: We may use your mobile number to inform you about changes in our practice, such as new services, updated policies, or any other practice-related information that may be relevant to your care.
- Prescription Reminders: If you have opted into our prescription reminder service, we may send you text messages to remind you when it's time to refill or collect your prescriptions.
We understand that you may have questions or concerns regarding the sharing of your mobile number for referrals. Our staff are here to provide you with further information, address any concerns you may have, and ensure that you feel confident and well-informed about the handling of your personal information.
Your privacy and control over your personal information are of utmost importance to us. If you prefer not to receive communication via your mobile number or wish to choose specific types of communication, please let our staff know, and we will accommodate your preferences accordingly.
Our Legal Basis for Processing Personal Data
Our business is based on statutory powers which underpin the legal bases that apply for the purposes of the UK GDPR. The services we provide include nursing and therapy, specialist care, and support as well as a rehabilitation ward and minor injury unit at Caterham Dene Hospital.
We are commissioned to provide NHS services by Surrey Heartlands Integrated Care Board (ICB) and Sussex Health & Care Integrated Care Board (ICB).
We are also commissioned by other NHS Healthcare providers and GP Practices across Sussex and Surrey.
Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
For entering into and managing contracts with the individuals concerned, for example our employees, the legal basis is:
Article 6(1)(b) - processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Where we have a specific legal obligation that requires the processing of personal data, the legal basis is:
Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.
Where we process special categories data, for example data including health, racial or ethnic origin, or sexual orientation, we need to meet an additional condition in the UK GDPR. Where we are processing special categories personal data for purposes related to the commissioning and provision of health services the condition is:
Article 9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
First Community may rely on the following legal bases when processing your personal information:
- When required to comply with the law. This may be in circumstances to:
- Communicate when things go wrong: we have a duty to report incidents, set out in the Health and Social Care Act 2008 (HSC 2008).
- Safeguard individuals, set out in the Safeguarding Vulnerable Groups Act 2006 and the Children Act 1989 & 2004.
- Notify officials of infectious diseases which present significant risk to human health and the wider public, set out in The Public Health (Control of Disease) Act 1984 and the Health Protection (Notification) Regulations 2010.
- Support other organisations with their regulatory requirements, e.g. Care Quality Commission (CQC), Information Commissioner's Office (ICO).
- Support detection, investigation or prevention of a serious crime.
- Monitor referral to treatment times and ensure compliance with the NHS Constitution and the NHS Operating Framework.
- Conduct audits to measure compliance with the law (e.g., Confidentiality Audits).
- Respond to individuals' rights requests under data protection law.
- Share information relating to vulnerable individuals with emergency services in the event of an emergency (Civil Contingencies Act 2004).
- To support court orders requiring us to share information.
Vital interests
To protect someone's life. This may be in circumstances to:
- Share information to safeguard an individual and therefore prevent harm.
Public task
When carrying out statutory or governmental functions. This may be in circumstances to:
Deliver patient care, when responding to complaints or concerns relating to the delivery of care, when monitoring patient pathways, to share information about a patient for their direct care (subject to both the common law duty of confidence, data protection legislation), and statutory duty under section 251B of the Health and Social Care Act 2012, to manage waiting lists, performance against national targets, activity monitoring e.g. number of referrals, when undertaking local clinical audits, commission funding for treatment and/or equipment.
Legitimate interests
This may be in circumstances to:
Support business functions, e.g. raising system level tickets, arranging access to systems, take photos of service users to publish on social media, for general website enquiries, store preferred contact data in the event of a medical emergency, record of CCTV.
Service Specific Processing
Some specific areas in which First Community process data are detailed below, along with the legal basis relied on for the processing.
| HR Processes | |
| Type of data | Personal and Special Category Data |
| Source of data | Data subject |
| Legal basis for use | UKGDPR Article 6(1)(b) and Article 9(2)(h) |
| Equality and Diversity Information from First Community Network members | |
| Type of data | Personal and Special Category Data |
| Source of data | Data Subject |
| Legal basis for use | UKGDPR Article 6(1)(e) and Article 9(2)(j) |
| Digital Remote Monitoring for Heart Failure Patients | |
| Type of Data | Personal and Special Category Data |
| Source of Data | |
| Legal Basis for use | UKGDPR Article 6(1)(e) and Article 9(2)(h) |
Heart Failure @ Home is a digital remote monitoring service specifically designed for heart failure patients. It is a service provided by the heart failure nurse specialist as part of First Community Health and Care, in partnership with Surrey Heartlands ICS.
The Heart Failure at Home service utilises the Doccla platform to support the remote monitoring of patient heart rate, blood pressure and weight readings and adverse heart failure symptoms. For more information see the Doccla - Privacy policy or speak to the HeartFailure@Home team. Where necessary and relevant to support your direct care, we will share your HeartFailure@Home confidential patient information with members of our network to support safe, efficient, and effective care and treatment.
| Joy App for Social Prescribing | |
| Type of Data | Personal and Special Category Data |
| Source of Data | Data Subject |
| Legal Basis for use | UKGDPR Article 6(1)(e) and Article 9(2)(h) |
The Joy App is a digital tool for Social Prescribing, to provide a care navigation tool designed to improve the mental health and wellbeing of patients, by connecting them to local interventions, such as exercise groups and activities.
End Users are referred to the App by their GP, but they set up their own account and give consent to the GP for sharing data.
Your rights
We have a duty to provide you with rights of access to your data when requested. Under the Data Protection Legislation, patients have the right to obtain a copy of their personal records held by us; this is called a Subject Access Request (SAR). To obtain a copy of your medical records, please submit your request to the First
Subject Access Request
First Community Health and Care CIC
Consort House
5-7 Queensway
Redhill
Surrey
RH1 1YB
Or email fchc.subjectaccessrequest@nhs.net
You will need to provide your information (e.g., full name, address, date of birth, Hospital/NHS number) and forms of identification. If you wish for another person to submit your request on your behalf, they will need to obtain your written permission to do so before we can provide copies of medical records. This ensures we are providing confidential information to authorised person(s).
An individual may choose to nominate a representative (such as a solicitor or relative) to make a request on their behalf, however when this happens the request must be explicitly authorised by the person (e.g., evidenced by a signed letter of consent).
Those who hold Lasting Power of Attorney for Health and Welfare for an individual can apply for that individual's records.
Further guidance and assistance can be obtained from the Subject Access Request Team.
Under Data Protection legislation, you have a right to:
Be informed
Be informed about the collection and use of your personal data. This communication is achieved through this privacy policy.
Object and restrict
The legislation gives individuals the right to object to the processing of their personal data in some circumstances. This will depend on the legal basis (as described above) for processing your information. In order to formally object, you will need to do so verbally or in writing to FCHC.DPO@nhs.net. You may request for the restriction of your personal data, however this will only apply when/if you contest the accuracy of the personal data or the data has been unlawfully processed. You can make a request for restriction verbally or in writing to FCHC.DPO@nhs.net.
Rectification and erasure
Have inaccurate personal data rectified or completed if it is incomplete.
The legislation states that 'personal data is inaccurate if it is incorrect or misleading as to any matter of fact.' You can make a request for rectification verbally or in writing to FCHC.DPO@nhs.net.
Consent
When you are providing consent for the purpose of processing your personal data and activity, you will always have the freely given right to actively accept and withdraw.
First Community manages consent when processing data in the following ways:
- Regularly reviewing consents to check that the relationship with the individual and the purpose for processing information has not changed.
- Having appropriate processes in place to refresh consent at appropriate intervals, including any parental consents.
- Acting on withdrawals of consent as soon as reasonably possible.
National Data Opt-Out
Whenever you use a health or care service, such as attending Accident & Emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for instance to help with:
- Improving the quality and standards of care provided
- Research into the development of new treatments.
- Preventing illness and diseases
- Monitoring safety
- Planning services.
This may only take place when there is a clear legal basis to use this information. All these uses help to provide better health and care for you, your family and future generations. Confidential patient information about your health and care is only used like this where allowed by law.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn't needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters. On this web page you will:
- See what is meant by confidential patient information.
- Find examples of when confidential patient information is used for individual care and examples of when it is used for purposes beyond individual care.
- Find out more about the benefits of sharing data
- Understand more about who uses the data
- Find out how your data is protected
- Be able to access the system to view, set or change your opt-out setting
- Find the contact telephone number if you want to know any more or to set/change your opt-out by phone
- See the situations where the opt-out will not apply.
You can also find out more about how patient information is used at: https://www.hra.nhs.uk/planning-and-improving-research/policies-standards-legislation/data-protection-and-information-governance/gdpr-guidance/templates/template-wording-for-generic-information-document/ (which covers health and care research); and https://understandingpatientdata.org.uk/what-you-need-know (which covers how and why patient information is used, the safeguards and how decisions are made)
You can change your mind about your choice at any time.
Data being used or shared for purposes beyond individual care does not include your data being shared with insurance companies or used for marketing purposes and data would only be used in this way with your explicit consent.
Health and care organisations have to put systems and processes in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.
How long will we hold your information?
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for the specific purposes. All NHS patient records are kept in line with the NHS Records Management Code of Practice 2021 and the Retention Schedule.
First Community will regularly review the length of time we keep your personal data and securely delete information that is no longer needed for the purposes it was originally intended. This process will enable clear and accurate data, keeping it up to date, available and confidential.
How we share your information
In circumstances where we need to share your personal data, we will always ensure this is conducted lawfully and document the justifications for doing so.
Who we share your information with
The following are the types of organisations that First Community share your information with:
| Type | Local Examples | Types of data that may be shared |
| Primary Care organisations | GPs, Dentists, Opticians, Pharmacies | Attendances, diagnosis, treatment, referrals, medication/prescriptions, follow ups. |
| Acute Trusts | Surrey & Sussex NHS Trust | Attendances, waiting times, treatments and follow ups |
| Community Trusts or organisations | Central Surrey Health, Sussex Community Foundation NHS Trust, Surrey & Borders Partnership NHS Trust | Attendances, waiting times, treatments and follow ups |
Currently, the external data processors First Community work with include:
| Organisation | What service they provide on behalf of FCHC |
| Doccla | The Heart Failure at Home service utilises the Doccla platform to support the remote monitoring of patient heart rate, blood pressure and weight readings and adverse heart failure symptoms. |
| SCW | Information Governance Support Services |
| Emishealth | Emishealth provide our electronic patient record |
| RL Datix | RL Datix provide an eRostering platform to enable us to efficiently manage workforce deployment |
| Campaign Master | To create staff and stakeholder newsletters and emails |
| MyMHealth | MyCOPD App for respiratory patients |
| Smart Survey | An online survey tool used across the organisation to gain feedback from staff, patients and other stakeholders |
| Better Brand Agency / Amazon Web, SendGrid (Twilio), Laravel Forge (Laravel Holdings Inc) & Bugsnag (SmartBear Software) | To provide Steady on your Feet, a falls prevention online website |
| Auditbase | Provides our electronic patient record and audiology tool for our audiology service |
| Prey Inc | Prey Inc provide software to allow First Community to remotely monitor, lock and reset remote devices. |
| The Joy App Care management system | A care navigation tool designed to improve the mental health and wellbeing |
| Accurx | A system to improve communication between healthcare staff and patients to improve outcomes and productivity. |
| Numed Spirometry | For patients who require spirometry testing this digital tool within the spirometer allows the test information to be uploaded into emis, our patient clinical record |
| Hugh Steeper LTD | First Community are subcontracting the Orthotic clinical service to Hugh Steeper Ltd, who will process patient data to prescribe and procure/manufacture orthotic devices as part of the patient health care plan |
| Medisort | First Community is working with Medisort to collect infectious waste from patients' homes. Limited personal data is shared with Medisort to enable them to collect the secure waste disposal unit |
International transfer of your personal data
First Community does not transfer, store or share personal data outside of the European Economic Area.
Links to other publications - websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Complaints
If you have any comments, queries or complaints about this Privacy Notice or the processing of your personal information please address these to:
Email: FCHC.DPO@nhs.net
Alternatively, you are entitled to get in touch with the Information Commissioner's Office (ICO). The Information Commissioner's Office enforces and oversees Data Protection legislation. To find out more about the information rights in the public interest, further details can be found at: www.ico.org.uk.