Fair processing notice
To download this as a pdf please click: NHS Medway CCG Privacy Notice 2016 – Web Version V3.0
The purpose of this notice is to:
- Inform you of the type of information (including personal and sensitive personal information) that NHS Medway Clinical Commissioning Group (CCG) holds
- How the CCG uses the information
- Who the CCG may share that information with
- How we keep the information, safe, secure and confidential.
This privacy statement only covers NHS Medway CCG, who is the data controller, and does not cover any other organisations that can be linked to from this site or any organisation associated with the CCG.
Personal confidential data is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or secret and includes dead as well as living people.
The review interpreted ‘personal’ as including the Data Protection Act 1998 (DPA) definition of personal data, but included data relating to the deceased as well as living people, and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the DPA.
According to the DPA, personal and sensitive data are defined as follows:
- Personal data refers to information which relates to a living individual who can be identified from the data, or from the data and any other information which is, or is likely to be, in their possession and includes opinions about the individual.
- Sensitive personal data refers to information on racial or ethnic origin, political opinions, religious beliefs or other beliefs of a similar nature, whether someone is a member of a trade union, physical or mental health / condition, sexual life, any offences, or any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
The CCG has a duty to ensure that personal confidential data is kept confidential, secure and used appropriately and this notice sets out how the CCG meets this requirement.
Why the NHS collects information about you
The NHS aims to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.
Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment so that they are able to provide you with the best possible care. These records are called your ‘health care record’ and may be stored in paper form or on computer and electronic systems and may include:
- basic details about you, such as your address, date of birth, NHS number, and next of kin
- details of the contacts we have had with you, such as clinical visits
- notes and reports about your health
- details and records about your treatment and care
- results of x-rays, laboratory tests etc.
Your health care records are used for the following reasons:
- by health care professionals looking after you to have accurate and up-to-date information about you to help them decide on any future care you may require
- to ensure accurate and complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS
- to have a good basis for assessing the type and quality of care you have received
- to ensure your concerns can be properly investigated if you need to complain
Who we are and what we do (About us)
NHS Medway Clinical Commissioning Group is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012. The CCG is a clinically-led organisation that puts the needs of Medway residents at the heart of its decisions by working with partners to provide opportunities for people to access services that help them stay healthy. The CCG makes decisions regarding the health services that are available to the population of Medway. It is made up of GP practices from across the Medway towns, responsible for planning and buying (commissioning) the majority of local NHS services for its population, for example hospital services, nursing in the community and mental health services.
The CCG also manages the performance of services that we commission (fund) to make sure that they are safe, provide high quality care and meet the needs of local people. Part of this performance management role may include responding to any concerns from patients about these services, where it is felt to be more appropriate for the CCG to investigate the concerns than for the provider of the health service to investigate.
For further information regarding NHS Medway CCG, please visit our About Us page.
The Data Protection Act 1998
Under the Data Protection Act 1998, the CCG is required to register with the Information Commissioner’s Office (ICO) and detail all purposes for which personal confidential data is collected, held and processed. The CCG’s ICO registration number is Z358488X and further information on our registration can be found on the ICO’s Register of Data Controllers using the following link: http://www.ico.org.uk/esdwebpages/search.
The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.
The CCG will not pass on your details to any third party or other government department unless you consent to this, or when it is necessary and we are allowed or required to by law.
Information we collect and how we use it
For the majority of work that the CCG does, we do not need to use personal confidential data and wherever possible, anonymised data is used. Anonymised data, refers to the process of turning personal and/or sensitive data into a form which does not identify individuals and where identification is not likely to take place. The DPA only applies to personal identifiable information and therefore anonymised data is not covered by the act as there is slim to no chance of the information being re-identifiable.
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning (funding) of healthcare services. We will only use anonymised data. Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency.
- Checking NHS accounts and services.
- Working out what illnesses people will have in the future so that we can work with the local services to make sure that patient needs are met.
- Reviewing the care we commission to make sure it is of the highest standard.
As the CCG is a commissioning organisation responsible for funding services, we do not provide any healthcare services and therefore we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where we do hold and use personal confidential information. In order to process that information we will have met a legal requirement, as follows:
- The information is necessary for facilitating direct healthcare for patients, to ensure you receive the best care possible
- We have received consent from individuals to be able to use their information for a specific purpose; either you ask us to share it or we ask you and you give us specific permission
- There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
- There is a legal requirement that will allow us to use or provide information (e.g. a formal court order)
- We have special permission for health or research purposes (granted by the Health Research Authority under Section 251)
- For the health and safety of others, for example to report an infectious disease
The CCG has a limited number of functions, where personal confidential is information required and these are as follows:
- Individual Funding Requests (IFR) – if your doctor, on your behalf, makes an IFR for a treatment not routinely commissioned (funded), the CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to provide and pay for the agreed funding packages with appointed care providers.
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care and will gain your explicit consent.
- NHS continuing healthcare (CHC) applications – if you make an application for NHS Continuing Healthcare (CHC) funding, the CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to provide and pay for the agreed funding packages with appointed care providers.
This process is nationally defined, we follow a standard process and the CCG uses standard information collection tools when assessing eligibility for CHC applications.
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and will gain your explicit consent.
- Incident Management – the CCG is accountable for effective governance and learning following all Serious Incidents (SIs) and works closely with all provider organisations, as well as commissioning staff members, to ensure SIs are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners should have a primary responsibility for ensuring quality, as well as providers.
- Safeguarding – advice and guidance is provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it’s legally required for the safety of the individuals concerned.
Due to public Interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we rely on a statutory basis rather than consent to process information for this use.
Complaints – when we receive a complaint from a person we hold information about the complaint in our electronic files. This normally includes the identity of the complainant and any other individuals involved in the complaint. It may include sensitive personal data about individuals heath care.
We will only use the personal information we collect to process the complaint and to check on the level of service we provide.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
Before we proceed with handling your complaint we will obtain the explicit, written consent of the patient involved. We ensure they are aware of how and with whom their data may be shared by us, including if they have a representative they wish us to deal with on their behalf.
- Financial transactions – such as payroll management, payment of Continuing Healthcare retrospective reviews, absence returns, travel claims and invoices may include personal and/or sensitive data.
- Human Resources – these functions, such as processing staff change forms, job applications, and sickness reporting will include personal and/or sensitive data.
- Patient and Public Involvement – if you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.
We obtain your consent for this purpose. Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.
All records are protected by safeguards to ensure the ongoing security of the records such as the requirement for all Medway CCG IT equipment to be encrypted, and all cupboards to be lockable.
The records may include basic personal details about you, such as your name and address. Or they may include sensitive information such as information about your health, outcomes of assessments and funding requests, and complaints or incident investigations.
All CCG staff are trained and aware of the necessity to ensure that any processing of personal confidential data is in accordance with the following legislation, guidance and best practice:
We also have to uphold any duty of confidence attached to information and apply Common Law Duty of Confidentiality requirements. This will mean where a legal basis does not exist to use your personal or confidential information, we will not do so.
How your data is used to help the NHS
The law provides some NHS bodies, such as the Health and Social Care Information Centre (also known as NHS Digital), the ability to collect and use patient data that cannot identify a person, which they can then provide to help Commissioners (CCGs) to design and acquire the combination of services that best suit the population they serve.
Data may be linked and anonymised by these bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure individual patients cannot be identified (see information above regarding anonymisation).
Visitors to our website: When someone visits the CCG’s website www.medwayccg.nhs.uk information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in such a way that does not identify people who have visited our websites.
Whilst on the CCG’s website you may submit personal information about yourself (e.g. name and email address) in order to receive further information regarding the CCG, such as email updates and bulletins.
By entering your details in the fields requested or sending us an email, you are consenting to the CCG contacting you in relation to that specified purpose. Any information you provide will only be used by the CCG and will not be disclosed to other parties unless we are obliged to do so, or additional consent to share the data is obtained.
Invoice Validation: Your care is commissioned (funded) by the CCG as we are responsible for paying for health services within your region. To ensure that public money is spent accurately, healthcare invoices are checked to ensure that they are accurate and genuine. To do this we need to be able to identify you so that the patient and the care provided match, but only information required to validate the invoice is used. Once your personal details have been used to check the validity of your care invoice, your personal details are deleted from our system before the invoice is processed for payment.
NHS Medway CCG has signed an agreement with NHS Digital which has enabled the CCG to access a set of personal confidential data on our patients to undertake this activity. This is allowed by law via the Data Sharing Agreement with NHS Digital referenced above, and means the CCG does not need to obtain explicit consent from individual patients to carry out this activity.
The CCG performs invoice validation within a secure processing environment and with a restricted number of authorised staff. All activities and personal information relating to invoice validation remain within this Controlled Environment and are not shared with other staff in the CCG, to ensure that the information received is used solely for the purposes specified in the Data Sharing Agreement.
Risk Stratification: Risk stratification is a process GPs use to help them identify patients who may benefit from targeted healthcare interventions and to help prevent un-planned hospital admissions or reduce the risk of certain diseases developing, such as type 2 Diabetes. This is called risk stratification for case-finding.
The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCG does not have access to your personal confidential data. The information is de-identified / pseudonymised.
Pseudonymisation is a technical process that replaces identifiable information with a unique identifier, which prevents those working with the data from being to identify the individual patient.
Data Linkage: Details of patients such as demographic details, patient identifiers e.g. NHS Number and treatment details may be used to link individual data sources together. In order to give a holistic view of care provided and also of future care needs of the population, a joined up view is needed. This data linkage also enables us to identify patients who may benefit from additional preventative care.
This may involve linking data from GP Practices to Secondary care data from hospitals, or to data relating to care delivered in a community setting. This linkage of data from different health and social care data sources is undertaken enabling the processing of data and provision of appropriate analytical support for GPs and CCGs, whilst protecting the privacy and confidentiality of the patient(s).
NHS Medway CCG works with a number of other NHS and partner agencies to provide health and social care services. As part of this work we may share anonymised statistical information with them for the purpose of improving local services, for example understanding how conditions spread across our local area compared against other areas (see further information above regarding anonymisation).
We contract with other organisations to provide a range of services to us such as IT services, and Payroll and other support service. In these instances, we ensure that our partner agencies have contracts which outline that your information is processed under strict conditions and in line with the law.
We ensure that any external data processors (organisations that process data on behalf of NHS Medway CCG) are legally and contractually bound to operate and have sufficient security arrangements in place to ensure the continued safety of the data.
The CCG’s current external data processors are:
- Payroll – Kent and Medway NHS Payroll Services who are hosted by Kent and Medway NHS and Social Care Partnership Trust on a consortium basis.
- Occupational Health – East Kent Hospitals University NHS Foundation Trust.
- Risk Stratification – Maidstone and Tunbridge Wells NHS Trust.
- IT services and Individual Funding Requests – NHS South East Commissioning Support Unit.
- Specialist Assessment and Placements services and Safeguarding services – NHS Swale CCG.
- Communications and Engagement work – Maxim PR & Marketing Limited.
The CCG will not disclose any information that identifies you to anyone outside your care team without your express permission/consent, unless there are exceptional circumstances, such as:
- where we are required to share information by law
- for safeguarding reasons
- if there is an overriding public interest in the disclosure of the information
- where there is a Section 251 exemption permitting the use of sensitive personal information under specific conditions, for example to:
- understand the local population needs and plan for future requirements, which is known as Risk Stratification for commissioning.
- ensure that the CCG is billed accurately for the treatment of its patients, which is known as invoice validation.National Fraud Initiative NHS Medway CCG CCG is required, by law, to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing, or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. NHS Medway CCG participates in the Cabinet Office’s National Fraud Initiative which is a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
- The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998. However, data matching by the Cabinet Office is subject to a Code of Practice and further information regarding the Cabinet Office’s legal powers and the reasons why it matches particular information, please see the below links:
- If a match is found there may be an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until a thorough investigation has been carried out.
- The Cabinet Office is responsible for carrying out data matching exercises.
- Generally, information will only be shared within the NHS, but there may be certain circumstances, where we are required to share it with Social Services and other providers/organisations.
- Code of Data Matching Practice
- The Cabinet Office’s legal powers and information on why they match particular information
If you have any concerns about how your information may be shared, please discuss them with your health care provider, e.g. GP, nurse.
Caldicott Guardian and Senior Information Risk Owner
All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. NHS Medway CCG’s Caldicott Guardian is Sarah Vaux, Chief Nurse, and a member of the CCG’s Governing Body, who is responsible for protecting the confidentiality of patients’ and service-users’ information and enabling appropriate information sharing.
The Caldicott Guardian plays a key role in ensuring that NHS, councils with social services and partner organisations are aware of their responsibilities and satisfy the highest practical standards for handling patient confidential information.
Acting as the ‘conscience’ of an organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.
In addition to the Caldicott Guardian, NHS trusts also have a Senior Information Risk Owner (SIRO) who owns the CCG’s overall information risk policy and risk assessment process. This involves ensuring there are robust incident reporting process for any information risks identified by the CCG. NHS Medway CCG’s SIRO is Justin Chisnall, Company Secretary. The SIRO provides regular reports to the Governing Body and Governing Body papers can be found on the CCG’s website.
Should you wish to contact NHS Medway CCG’s Caldicott Guardian or Senior Information Risk Owner, please send any correspondence to the e-mail or postal address listed in the Contact Us section.
Caldicott Guardian and Chief Nurse
Company Secretary and Senior Information Risk Owner
Keeping your information secure and confidential
All Medway CCG staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. All staff receive annual training regarding the confidentiality of information, and staff who have regular access to personal confidential data undertake additional specialist training.
Relevant organisational and technical measures are taken by the CCG to make sure that the information we hold is secure – such as holding information in secure locations, restricting access to information to authorised personnel, protecting personal and confidential information held on equipment such as laptops with encryption. Any transfers of personal confidential data are carried out using secure means, such as encrypted e-mail transfers.
Any information obtained will be retained (kept) for as long as necessary.
Records are kept in accordance with DPA principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule, which determines the length of time records should be kept.
For further information regarding how your records are managed, stored and retained please see the below link:
Your right to opt-out
The NHS Constitution states that “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”.
In line with this there are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. Please note that choosing not to share your information may have an impact on your care and by sharing your information you can help to improve NHS services and the experience of treatment and care for all patients.
Information directly collected by the CCG
If you wish for the CCG to stop processing information about you (in any of the ways detailed above) please contact us using the details at the end of this notice, marking your message for the attention of the Caldicott Guardian.
Information collected by other NHS organisations
There are two types of opt-out, detailed below. If you do wish to apply either opt-out you will need to register this with your GP practice and they will mark your choice in your medical record. Please note you can also withdraw either opt-out at any time by informing your GP practice.
Type 1 opt-out
This opt-out applies if you do not want personal confidential information that identifies you to be shared outside your GP practice for purposes beyond your direct care. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Records for patients who have registered a type 1 opt-out will be marked with a particular code which automatically stops the records from being shared outside of the GP Practice system.
Type 2 opt-out
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. A type 2 opt out applies if you do not want your personal confidential information to be shared outside of NHS Digital for purposes other than for your direct care. A direction from the Secretary of State sets out the Department of Health policy as to how type 2 opt-outs must be applied and instructs NHS Digital to apply type 2 opt-outs from 29 April 2016.
When NHS Digital have collected information about your type 2 opt-out from your GP practice they use that to create a record of all current type 2 opt-outs. Then NHS Digital use that record to check against any set of data that is to be made available by NHS Digital to another organisation and remove all of your personal confidential information if it is in that data set, before that data are made available.
The direction sets out the scope of when your type 2 opt-out does not apply, such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.
There are also some limited circumstances, which are set out in the direction, when NHS Digital don’t apply your type 2 opt-out to information made available. These are cases where:
- The Secretary of State for health has identified the information flow is very important.
- There are complex technical barriers that make it very difficult to apply opt-outs.
For more information on how NHS Digital collect and use opt-out information see their website.
Keeping and Destroying information
There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Records Management Code of Practice for Health and Social Care.
Destruction of data will only happen following a review of the information at the end of its retention period.
Where data has been identified for disposal we have the following responsibilities:
- to ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a cross cut shredder or subcontracted to a reputable confidential waste company that complies with European Standard EN15713.
- to ensure that electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards.
- to retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us).
- To ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the 7th Data Protection Act 1998 principle.
Subject Access Requests (accessing your data)
What is a subject access request and how do I make one?
Under the DPA, you have the right to make a request to see or obtain copies of the information that NHS Medway CCG holds about you; this is referred to as a Subject Access Request. Under the DPA you are entitled to be told if any personal information is held about you, and if it is, to be given:
- a copy of the information in permanent form if requested;
- an explanation of any technical or complicated terms e.g. medical terminology or abbreviations;
- an explanation of where we got your information from;
- a description of the information, the purposes for processing the information and who we are sharing the information with, if anyone;
- an explanation of the logic involved in any automated decisions (if you have specifically asked for this).
To view or access a copy of your health records please write to the following address giving as much detail as possible on the record(s) you wish to access:
Post: Information Services Manager, Corporate Services Team Fifty Pembroke Court Chatham Maritime Chatham Kent ME4 4EL
We will ask you for proof of your identity and proof of your address. The CCG then has 40 calendar days, from receipt of the above information, to respond to the request, though the CCG aims to reply in 21 days.
As noted above, the CCG holds limited health information about you where it can use this for direct care purposes. You may also need to contact those NHS organisation(s) where you are being, or have been treated.
Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO): https://ico.org.uk/for-the-public/personal-information/ .
Can I access the records of my children?
You may be able to access the records of your child/children. However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child/children.
To apply for access, please use the procedure above.
How long will it take?
We are obliged to comply with our obligations promptly and within 40 days, from the date your request is received however we will aim to respond within 21 working days. If clarification of your request is needed, the 40 day period does not start until that is received.
How much will it cost?
Charges may be applied for requests under the Data Protection Act 1998.
Please see the following tariff
- under the Data Protection Act 1998 a maximum of £50 for paper records
- a maximum of £50 for a mixture of electronic and paper records
- £10 for electronic records
Can I be refused access to my health records?
You can be refused access to your records or part of them:
- if your healthcare provider/clinician thinks you or someone else could be harmed as a result of the disclosure
- the information relates to, or was provided by, a third party (that is someone other than yourself) and they have not given their permission for their comments to be divulged to you
Should you be unhappy with the outcome of your request, you should in the first instance contact the Information Services Manager at NHS Medway CCG who will discuss your request and any ongoing concerns you may have.
You are also free to contact the Information Commissioner’s Office directly in the event you remain dissatisfied:
Information Commissioners Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Can I access the records of a deceased person?
Under the Access to Health Records Act 1990, you may request access to the records of a deceased person if you are the executor of their will or if you have a claim on them. However, if the deceased has stated in their will that they do not wish anyone to have access, their wishes must be upheld.
To request access to a deceased person’s records please write to the following:
Address: Primary Care Support England, Faith House, 2 St Faiths Street, Maidstone Kent ME14 1LL
General Enquiries: 01622 655 000
Changes to this page and the Privacy Notice
If our privacy notice changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties
For further information on why the NHS obtains personal information on its patients, how we use the information, and your rights of access, please read the NHS Care Record Guarantee, which can be found on the Health and Social Care Information Centre (HSCIC) website.
The following links may be useful in obtaining further information:
If you have any questions, concerns or complaints regarding the information we hold about you or the use of your information, or if you would just like to speak with us about your data, please contact:
Post: Information Services Manager, NHS Medway Clinical Commissioning Group, Fifty Pembroke Court, Chatham Maritime, Chatham, Kent ME4 4EL
Phone: 01634 335069/01634 335177
For independent advice about data protection, privacy and data-sharing issues, you can contact:
The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Phone: 08456 30 60 60 or 01625 54 57 45