General information

This Privacy Statement sets out the data processing practices carried out by Healthwatch Norfolk.

We retain and use personal data (information that relates to and identifies living people) to help us carry out our role as the local independent champion for people who use health and social care services.

We will always make sure that your information is protected and treated securely. Any information that you give will be held in accordance with:

Please contact us to request a copy of our Data Protection Policy.

We also make our Information Asset Register available for people to read to give further clarity about how data relating to them is managed and kept secure. This includes our retention schedule and clear details about the lawful basis for storing and keeping personally identifiable information. Please contact us to request a copy of our Information Asset Register.

Controller’s contact details

Healthwatch Norfolk is the data controller for all the personal data that you enter onto Any issues relating to the processing of personal data by or on behalf of Healthwatch Norfolk should be addressed to:

Healthwatch Norfolk
Suite 6
Elm Farm
Norwich Common
NR18 0SW

Telephone: 01953 856029

Email: [email protected]


How do Healthwatch Norfolk collect information

Most of the personal information we process is provided to us directly from you for one of the following purposes:

We also receive personal information indirectly, in the following situations:

On occasion we will receive information from the families, friends and carers of people who access health and social care services. 

Where it is practically possible, we will make sure that we have your consent to use information that is about you. We will only process your personal data where there is a lawful basis to do so under current data protection legislation.

The information we collect and why

Purpose and legal basis for processing

Our purpose as Healthwatch Norfolk is to collect feedback from the local community about health and social care services in Norfolk.

We collect personal information from visitors to this website through the use of online forms, emails and at face-to face engagement events. In addition, we receive information about our own staff, people who apply to work for us and people who use our website.

What information we need

In our day-to-day work we collect your experiences of health and social care services in Norfolk to help providers and commissioners shape service delivery. This may include details of treatment, waiting times, level of service provided etc.

Alongside your experience we collect some personal data, this includes: 

We also get involved in a number of projects alongside our day-to-day engagement and the type of personal data we collect may vary within our project work.

Information about people who share their experiences with us by other means

There are a number of ways that we collect feedback from people about their experiences of using health and social care services. Our staff will visit different health and social care settings as part of their role to evaluate how services are being delivered. We also receive phone calls and requests for information directly from members of the public as part of our signposting service.

Where personally identifiable information is collected, we will ensure that we have your consent to keep it and we will be clear on how we intend to use your information. We will aim to anonymise information where we can but there may be instances where this is not possible in order to make change happen on your behalf. There may be exceptional circumstances where we can and will keep the data without consent, but we must have a lawful basis for doing so, such as for safeguarding purposes.

We ensure that where consent is required it will be freely given, used only for agreed specific and unambiguous purposes and that you are well informed about how the information will be kept. This includes where it will be stored, details on security and for how long it will be kept. We will comply with current data protection legislation at all times.

Personal information may be collected with your consent through:

Information about our own staff and people applying to work for us

We need to process personal data about our own staff (and people applying to work for us) so that we can carry out our role and meet our legal and contractual responsibilities as an employer.

The personal data that we process includes information about racial or ethnic origin, religion, disability, gender and sexuality. We use this information to check we are promoting and ensuring diversity in our workforce and to make sure we are complying with equalities legislation.

Our employees decide whether or not to share this monitoring data with us, and can choose to withdraw their consent for this at any time. Employees who wish to withdraw their consent for us to process this data can let us know.

Other personal data that we are required to process includes information on qualifications and experience, pay and performance, contact details and bank details.

We check that people who work for us are fit and suitable for their roles. This may include asking people to undertake Disclosure and Barring Service (DBS) checks.

People joining Healthwatch Norfolk will be asked to complete a ‘declaration of interests’ form to identify any services with which they have close links (for example, because they have previously worked there or because the service is run by a close relative) or any other issues which could cause a perceived conflict of interest. Staff are regularly asked to update these forms.

We have a legal obligation to comply with the Freedom of Information Act 2000 and this may include the requirement to disclose some information about our employees – especially those in senior or public facing roles. We also publish some information about our staff, including the names and work contact details of people in some roles.

Information about children

We do not proactively collect personal information directly from children. However, we are sometimes given information about children while working on a project. Therefore some information in the relevant parts of this notice applies to children as well as adults.

Categories of personal data we may collect

The type of personal data we collect will vary depending on the purpose for collecting the data. These are some of the categories of personal data we may collect. (Please note we will state the purpose for collecting the data at time of collection and it will only be stored for this purpose.)

Why we need the data and what we do with it

The personal information you provide us with can be used for the following purposes:

We do some of these things are part of the statutory role as a local Healthwatch, established under the Health and Social Care Act 2008 (as amended by the Health and Social Care Act 2012).

Any personal data that you choose to share with us will be treated as confidential and we will protect it accordingly.

We will always make sure that your information is protected and treated securely. Any information that you give us will be held in accordance with:

Please contact us to request a copy of our Information Governance Policy.

We will never include your personal data in our reports. In most circumstances we anonymise our data to ensure that a person cannot be identified, unless this has been otherwise agreed and consent has been given.

How long we keep data

We publish a retention and disposal schedule which explains how long we keep different types of records and documents for, including records and documents containing personal data. Personal data is deleted or securely destroyed at the end of its retention period.

We also make our Information Asset Register available for people to read to give further clarity about how data relating to them is managed and kept secure. This includes our retention schedule and clear details about the lawful basis for storing and keeping personally identifiable information. Please contact us to request a copy of our Information Asset Register.

Your data protection rights

Under data protection law, you have rights which we need to make you aware of. Your rights will depend on our reason for processing your information.

You are not required to pay any charge for exercising your rights. We have one month to respond to you.

Please contact us if you wish to make a request by:

Emailing: [email protected]


Sending your request in the post to: Healthwatch Norfolk, Suite 6, Elm Farm, Norwich Common, NR18 0SW.

Our data systems

Whitebear provide a secure digital system for Healthwatch Norfolk to manage the data you enter into your feedback centre. The data contained within it is processed on behalf of local Healthwatch and a Data Processing Agreement is in place to ensure that this is held securely and according to current data protection legislation. 

We also use a third-party supplier to provide our newsletter service. By subscribing to this service you will be agreeing to them handling your data. This supplier follows the requirements of the Data Protection Act 1998 in how they obtain, handle and process your information and will not make your data available to anyone other than Healthwatch.

Data from your local Healthwatch is shared with Healthwatch England. Healthwatch England is a committee of Care Quality Commission (CQC) but acts independently. These organisations must comply with all legal requirements and do not reuse any data for any other reason and will not make it available to others.


We are strongly committed to data security. We take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption.

We have put in place physical, electronic and managerial procedures to safeguard and secure the information you provide to us.

Only authorised employees and contractors under strict controls will have access to your personal information.

Personal data will not be transferred to any third countries or international organisations.

Sharing your information

We only share personal information with other organisations where it is lawful to so and in accordance with our Information Governance Policy. Information is shared in order to fulfil our remit which is to pass on your experiences of care to help improve them on your behalf.

Posting your feedback publicly on our website allows others to see it. It also allows us to feature it in our reports to help make changes to local services. When you submit your review to us you have the option to remain anonymous – this means you do not need to include your name alongside your review.

If we see any trends or themes in the feedback we receive, we may send this information directly to relevant health and social care organisations. Below are some organisations we may send feedback to:

Norfolk organisations

Norfolk County Council
The Council run lots of health and social care services in Norfolk including care homes, domiciliary care, and children’s services.

Carers organisations
There are several carers organisations which operate in Norfolk, including Carers Matter Norfolk, Norfolk Family Carers, and Caring Together. For a full list of organisations who can help support carers, see this page of our website: 

Norfolk and Suffolk Foundation Trust (NSFT)
NSFT provide mental health and learning disability services across the two counties.

Norfolk and Norwich University Hospital
The hospital is based in Norwich and provides nearly 1 million outpatient appointments each year, as well as looking after people as inpatients. They also run Cromer Hospital in North Norfolk.

James Paget University Hospital
The James Paget is situated in Gorleston and provides care to Great Yarmouth, Lowestoft and Waveney’s 250,000 population.

Queen Elizabeth Hospital King’s Lynn
The Queen Elizabeth Hospital serves around 280,000 people in West Norfolk as well as parts of Lincolnshire and Cambridgeshire.

National organisations
Care Quality Commission (CQC)
The CQC are the independent regulator of health and adult social care in England – they make sure services are safe and effective.

NHS England and NHS Improvement (NHSE&I) – East of England
Norfolk sits within the NHSE&I East of England, one of seven NHS regions across the country. The East of England region supports the commissioning of health services within the region.

Healthwatch England
Healthwatch is a national organisation, with local branches overseen by Healthwatch England. We share our feedback with Healthwatch England so that they can factor it into any patterns or themes that are emerging across the country.

We will only disclose your personal information where we have your consent to do so, or where there is another very good reason to make the disclosure ­– for example, we may disclose information to CQC or a local authority where we think it is necessary to do so in order to protect a vulnerable person from abuse or harm. Any such disclosure will be made in accordance with the requirements of the current data protection legislation.

Wherever possible, we will ensure that any information that we share or disclose is anonymised, so as to ensure that you cannot be identified from it.

We sometimes use other organisations to process personal data on our behalf. Where we do this, those companies are required to follow the same rules and information security requirements as us, outlined in a Data Processing Contract. They are not permitted to use or reuse the data for other purposes.

We are required to share information with Healthwatch England to ensure that your views are considered at a national level. This enables them to analyse service provision across the country and supply the Department of Health and national commissioners with the information you provide.

Find out more about Healthwatch England’s purpose and what they do.

The information we provide to Healthwatch England contains no personally identifiable data. Any information that is used for national publications is anonymised and will only be used with the consent of a local Healthwatch.

Your right to complain

We believe it is very important to keep your personal information secure and we work to high standards to do so. If you feel that we have not met our responsibilities under data protection legislation, please contact us at [email protected] and we would be happy to help.

If you remain dissatisfied, you can request an independent assessment from the Information Commissioner’s Office (ICO).

Information about people who use our website and cookies

When you browse our website, it does not collect or store your personal data. It does make a log of your IP address much like other websites do (as it is automatically recognised by the website server) but this will not identify you personally.

We will only collect personal data knowingly provided by you, such as:

Please be aware that our website requires the use of cookies, which is a string of information that a website stores on your computer and your browser provides to our website each time you return. (our website provider) uses cookies to help Healthwatch Norfolk identify and track visitors and your website access preferences. If you do not wish to have cookies placed on your computers, you should set your browsers to refuse cookies before using the Healthwatch Norfolk website. Read our cookie policy here.

Links to other websites

If we are linking to other organisations and their website, this privacy notice does not cover how they may process personal information. Please take a moment to read their privacy notice when you visit their website to make sure you are confident with how they process personal information.

Signing up to our newsletter

We use a third-party supplier to provide our newsletter service. By subscribing to this service you will be agreeing to them handling your data.

The third-party supplier handles the data purely to provide this service on our behalf. This supplier follows the requirements of the Data Protection Act 1998 and GDPR in how they obtain, handle and process your information. They will not make your data available to anyone other than Healthwatch Norfolk.