At NHS Midlands and Lancashire Commissioning Support Unit we’re committed to protecting and respecting your privacy.

As a support organisation Midlands and Lancashire CSU does not generally collect and use the personal information of patients and service users, except in supporting our client organisations to make the right decisions about care services. We are an organisation hosted by NHS England to provide these services on their behalf, to NHS clients.

We may collect your personal details if you contact us directly and use these details to help you with resolving any enquiry you may have.

The information provided below is to inform you of how we use information of a personal nature in our support of our clients and how this information may be shared.

Who we are

A commissioning support unit is an organisation hosted by NHS England and is not a separate organisation in its own right. However, we operate as if we have all privacy responsibilities to ensure that we manage personal data in a professional, legal and ethical way.

The Commissioning Support Unit (CSU) has various roles and responsibilities, but our work involves supporting clients, who may be care providers, or commissioners of care services, in a number of areas including:

  • Complaints are investigated and managed;
  • Freedom of Information Act requests are appropriately managed;
  • Advice and guidance for access to personal records is provided;
  • Communications and engagement services;
  • Contract monitoring is undertaken;
  • Business intelligence is provided;
  • Financial Services;
  • IT Services;
  • New developments;
  • Prevention and detection of fraud.

Further information may be found on the MLCSU "our range of support" page and on the NHS England website about the responsibilities we undertake as an organisation operated by NHS England.

Information collected about you

We may collect personal information about you in a number of ways:

  • Information you provide to us, in order to help you resolve an issue or to provide you with guidance;
  • Information provided as part of work we do, supporting clients to improve and deliver health services. This information will be collected and used under a defined legal basis and under strict conditions of privacy and confidentiality;
  • Information that may be passed to us from care providers in order to resolve questions or queries on your behalf.

How we use your information

We may use your information to do the following:

  • To meet our legal, statutory and contractual obligations;
  • To provide you with information you have requested;
  • To evaluate and review services on behalf of care providers to ensure quality and efficiency;
  • Preparing analyses and statistics for use in health management;
  • Review care that has been commissioned to ensure standards are being met;
  • With the consent of individuals to carry out surveys and other reviews.

How we share your information

Generally, we do not share individuals’ identifiable information with any other organisations unless there is a defined legal basis to do so.

We have in place robust mechanisms for considering how personal information is used, which include formal documentation to consider the reasons for sharing and also the involvement of a “Caldicott Guardian”, a senior manager whose role it is to consider whether or not sharing and use of personal data is reasonable and that the right controls are in place.

If we share your personal information, it will be with very tight controls on who sees the information and the purposes for which it is used.

Where is your personal data kept?

Your personal data is always kept secure and all NHS organisations are required to provide assurances, every year, that controls are in place to manage personal data. These controls include access controls, encryption and physical controls.

Your personal data will be kept under strict conditions within the UK, being protected by suitable access controls ensuring that only people with an authorised professional need can access your data and encrypting your data, when necessary, to ensure it is protected from inappropriate access. Where exceptions to this process are undertaken you will be informed.

More information as to the assurances NHS organisations provide can be found in these two locations – The Data Security and Protection Toolkit and the Information Governance Toolkit.

How long is your personal information kept for?

Personal data used for specific purposes will be kept only for as long as it is needed to perform the work required; it will then usually be securely deleted. Your medical records, which will always stay with your clinicians, will be kept under strict NHS rules to ensure that the information remains available for your care and treatment.

Documents are available if you wish to look at how long the NHS retains data for; these documents include all identifiable information and also more general documents such as policies, finance records etc. To find out more please see the Records Management Code of Practice for Health and Social Care 2016.

What are your rights?

You have a number of rights under data protection law (The Data Protection Act 2018 and the EU General Data Protection Regulation 2016) and these are listed below.

The right to be informed (transparency)

You have a right to know how your personal information is being used, and this privacy notice is part of this obligation which we must fulfil. You may contact us if you want to know more about how we use your information or if something is unclear.

The right of access to your information

You have a right to request to see what information we are holding about you (this is known as making a “Subject Access Request”; please see below for more information).

The right of rectification

You have a right to have any inaccurate information held about you corrected. You can contact us and request this, if you believe we hold inaccurate information about you.

The right to be forgotten (right of erasure)

In certain circumstances you have a right to have your personal information erased. This may only be performed if we have no other legal reasons to keep your information.

The right to data portability

You have a right to receive your personal information in a “machine readable form” and to be able to take this information to another person or organisation.

The right to object

You have a right to object to how personal data about you is processed, in some instances. You have a right to object to your data being shared with others or used, for example, in research or statistical processes.

The right to stop automated decision making, including profiling

We do not use automated decisions and profiling at this time. However, this right exists and you may exercise this right should you be informed that we are doing, or planning to do, this type of work.

The right to complain

You have the right to complain both to us and to the UK regulator (The Information Commissioner) if you believe that your personal information is not being used legally. Please see the complaints section, below.

How do I request what information you hold about me?

Requesting your information from us is known as a Subject Access Request. We must respond and provide you with your information within one month of receiving your request, although we may extend this time in certain circumstances.

If you wish to request your information you may use the details below:

  • By telephone – 0151 2967326 (Monday to Friday, 9am-5pm)
  • By email –

How do I make a complaint?

If you feel that you wish to make a complaint relating to how we use and handle your personal information, you should contact

If you are not satisfied that your complaint has been resolved, you have the right to contact the Information Commissioner to lodge a complaint with them:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Tel: 0303 123 1113

We keep our privacy notice under regular review and we will place any updates on this web page. This notice was last updated on 04/12/2018.

Data Protection Notification

Midlands and Lancashire CSU is a ‘data processor’ under the DPA. We are registered to process personal data through the NHS Commissioning Board (NHS England) who have notified the Information Commissioner that we process personal data and the details are publicly available from the:

Information Commissioner’s Office
Wycliffe House
Water Lane,
Wilmslow SK9 5AF

Registration number: Z2950066

How to contact us

Please contact us via our Data Protection Officer if you have any questions about our privacy notice or information we hold about you:

Hayley Gidman

Heron House, 120 Grove Road, Fenton, Stoke-on-Trent, Staffordshire ST4 4LX

Tel No. 01782 872648