Find out more about how and why CityCare holds information about people. Follow the links to understand more about the data we collect, how you can access your health records and how to raise concerns and questions. We also have a Supplementary Privacy Notice on Covid-19 for Patients.

This document describes Nottingham CityCare Partnership’s (CityCare) compliance against changing data protection legislation: General Data Protection Regulation (GDPR) in force from 25 May 2018 and supporting domestic legislation in Parliament at the time of writing. You can find out more about the changes from the Information Commissioner’s Office website at

Compliance with legislation is an ongoing, business-as-usual process. The size and complexity of CityCare’s organisation and operations mean that large numbers of partners and stakeholders are seeking assurance, and this general statement has been derived from the Information Commissioner’s Office checklist for data controllers, available from the ICO’s website.

CityCare demonstrates compliance with existing law through the NHS Digital Data Security and Protection Toolkit (DSPT). Reporting is available to the general public from / (use organisation code NR3 or search Nottingham CityCare Partnership CiC). The IG Toolkit for 2018-19 had a final outcome of ‘Standards Met’. Assurance will be provided through the NHS Digital Data Security & Protection Toolkit and Care Quality Commission (CQC) reporting on an annual basis.

CityCare is a social enterprise, not a public authority, and is therefore not subject to the Freedom of Information Act (2000). We do want to be transparent about our activity and obligations, so if further detail is required, please contact with a copy to your main CityCare contact, as we will need to work with them to provide you with a response. We may need to forward your request to partner organisations if they are better placed to answer your questions and will contact you to discuss if this is necessary. Thank you.


Who we are

CityCare - officially known as Nottingham CityCare Partnership Community Interest Company (CIC) - provides community healthcare and education services. We are a private company limited by guarantee and a social enterprise, which means that we use any profits we make to improve our services or for other charitable purposes.

CityCare services are bought (commissioned) for local people by public authorities such as NHS Nottingham City Clinical Commissioning Group (CCG) and Nottingham City Council.

As part of our commissioning contracts, we follow the same principles and standards as NHS organisations and provide information to our commissioners on the quality and safety of our services.

CityCare is registered as a data controller with the Information Commissioner’s Office under the Data Protection Act (2018).

Freedom of Information

CityCare is not a public body and has no responsibilities under the Freedom of Information Act 2000.

Why do we collect information about you?

CityCare aims to provide you with the highest quality care. To do this effectively, efficiently and safely, we must keep records about you, your health and the care we have provided or plan to provide to you.

These records may include information such as:

  • Your address, date of birth and emergency contact details.
  • Equality and diversity data (for example, ethnicity, religion). We are legally obliged to collect this information so we and our commissioners can be sure that we provide our services fairly to anyone from any background or community who may need them.
  • Notes and reports about your health, information about your treatment and care, results of laboratory tests, X-rays and medication.
  • Information from other people who are involved with your care, such as other health and social care professionals or relatives.
  • Records on other contact we have had with you, for example if you have contacted us with an enquiry, or have attended an event and agreed for us to send you our newsletters. CityCare telephones have line caller ID and calls to the Health & Social Care Point are recorded for training and monitoring purposes.

The people who provide you with health and social care use your records to make sure your care is safe and effective; to support decisions about your health made between you and care professionals and to work effectively with other health and social care professionals who are providing you with care.

Health and social care professionals who are involved in providing treatment or care have a duty to fully involve you with decisions about your care, including discussing and agreeing with you what they will record about you, and to share information with other care providers when it’s needed to make sure you get the best possible care. This is as important as the duty to protect your confidentiality.

Health and social care professionals have always shared information about people in order to provide the best possible care.

The most secure and effective way to do this is to allow other organisations who provide you with care to access your records directly.

Sharing may be locally between providers who use the same records systems or through the Medical Interoperability Gateway (MIG). This is a GP sharing service held inside the secure NHS network.

Sharing is ONLY between professionals directly involved with your care.

Your records are also used for other legal purposes which do not directly relate to care, such as:

  • Checking the quality of care and care records (known as clinical audit)
  • Protection of the health of the general public
  • Keeping track of NHS spending
  • Managing and improving services
  • Teaching health workers
  • Assisting with research
  • Statistical purposes
  • Investigating any concerns or complaints that you and your family may have about your care

Wherever possible, all information that could identify you is removed from records before using them for purposes other than your direct care.

Some research or audits require person-identifiable information to be effective. We will always ask your permission before information that could identify you is used for research. We will never sell your information or provide it to any organisation for sales or marketing purposes.

There are some occasions where we are legally obliged to share information that names you without asking you, for example:

  • Registering births
  • Reporting some infectious diseases
  • Reporting gunshot wounds to the police
  • Where a Court orders us to do so

In rare situations, sharing may be authorised when the public good outweighs your rights to confidentiality, for example:

  • When a serious crime has been committed.
  • To protect children or adults who are not able to decide for themselves whether their information should be shared.
  • When there are serious risks of harm to the public or staff providing treatment or care.

Nottinghamshire Health and Care Portal

The Nottinghamshire Health and Care Portal is a shared care record hosted by Nottingham University Hospitals NHS Trust. This is an electronic record that allows health and social care professionals to quickly and securely access relevant information about your care and treatment while they are looking after you.

Before your information is accessed in this way you will be informed where possible that this is happening.

Nottingham CityCare Partnership CiC provides information such as your test results, medication and care plans so that other health and social care providers across Nottinghamshire can see this information about you.

Your information is stored securely and only accessed by staff who have a legitimate reason to do so.

Further information can be found in the following leaflet or by visiting

National Data Opt-out

The national data opt-out was introduced on 25 May 2018, enabling patients to opt out from the use of their data for research or planning purposes, in line with the recommendations of the National Data Guardian in her Review of Data Security, Consent and Opt-Outs.

Patients can view or change their national data opt-out choice at any time by using the online service at

By 2020 all health and care organisations are required to be compliant with the national data opt-out policy, where confidential patient information is used for research and planning purposes. NHS Digital and Public Health England are already compliant and are applying national data opt-outs.

Everyone working for health and social care providers has a legal duty to keep information about you confidential. Other organisations providing you with care, who have access to your records, also have a legal duty to keep it confidential.

Information which is collected about you may be electronic, on paper or a mixture of both. CityCare’s computer network and email systems are kept on the NHS secure network, HSCN.

CityCare electronic records about your health are stored on a records system called SystmOne, which is used by many healthcare providers in England and Wales. The system and all records on it are also held on HSCN. SystmOne automatically records who has accessed any of your records that are held on this system.

Paper records are locked in secure locations. All our staff are trained on how to manage confidential information and annual audits are carried out to make sure that our systems are working. We also use technology such as password-protecting documents to make sure your information is kept confidential and secure.

To protect your privacy, our staff may not leave telephone messages for routine contacts, or will only leave their first names. CityCare sometimes uses general or team email addresses because these can be checked daily, whereas an individual may be out of the office and unable to respond to you.

Text Health is a confidential text messaging service that enables children and young people (aged 11-19) or parents of children aged 0-19 to contact Nottingham City’s 0-19 Public Health Nursing Team. Messages are reviewed by a team comprising Specialist Public Health Nurses (Health Visitors and School Nurses), and Registered Nurses working in Nottingham CityCare’s 0-19 Public Health Nursing Team. Messages are answered within 24 hours, Monday to Friday, between 8:30am and 5pm, except Bank Holidays. Text messages are transcribed onto Nottingham CityCare’s electronic patient records if users’ personal details are provided. Where text messages are anonymous they are stored securely in line with national guidance on management of health records. Nottingham CityCare’s Text Health service is supported by Chat Health. For more information and to see their privacy notice please visit

A requirement of the Data Protection Act 2018 is that we appoint a Data Protection Officer.

The Data Protection Officer can be contacted via the Information Governance Team at Nottingham CityCare Partnership CiC. Please refer to the ‘Get In Touch’ page for contact details

Under the Data Protection Act 2018, you have the right to ask for a copy of your record.

In order to make a subject access request please email 

If you have any queries about how your data is being used, please contact our information governance team on