Millbrook Healthcare Limited provides community equipment, wheelchair, assistive technology and home improvement agency services to local authorities and the NHS. We take your confidentiality and privacy rights very seriously. This privacy notice tells you what to expect us to do with your personal information. It explains how we collect, process, transfer and store your personal information, and forms part of our accountability and transparency to you under the General Data Protection Regulation (GDPR) 2018 and Data Protection Act 2018.

We will tell you:

  • Why we are able to process your information;
  • What purpose we are processing it for;
  • Whether you have to provide it to us;
  • How long we store it for;
  • Whether there are other recipients of your personal information;
  • Whether we intend to transfer it to another country; and
  • Whether we do automated decision-making or profiling.

How will we meet the principles of the GDPR?

We will process your personal information fairly and lawfully by:

  1. only using it if we have a lawful reason and when we do, we make sure you know how we intend to use it and tell you about your rights;

We do not rely on consent to use your information as a legal basis for processing. In simple terms, this means we can use your personal information to provide services to you without seeking your consent. Please note under the regulation you do have a right to say no to our use of your information, but this could have an impact on our ability to provide services to you.

  1. only collecting and using your information to provide you healthcare services and will not use it for any other purpose that is not considered by law to be for this purpose;
  2. only using sufficient amounts of personal data that will be relevant and necessary for us to carry out various tasks in providing healthcare services to you;
  3. keeping your personal information accurate and up to date when using it, and if it is found to be incorrect, we will make it right, where appropriate, as soon as we can;
  4. only keeping your information in a way that will identify you for as long as we are legally to, whilst ensuring your rights; and
  5. having secure processes in place to keep your personal information safe and secure when it is being used, shared, and when it is being stored.

What information do we collect from you?

Millbrook Healthcare staff keep records about the services we provide to you. This may include:

  • Basic details such as your name, address, date of birth, telephone number(s), and email address – where you have provided it to enable us to communicate with you by email;
  • Your next of kin and contact details;
  • Notes and reports about your physical health and any care or support you need and receive;
  • Relevant information and reports from other professionals, relatives or those who care for you or know you well;
  • Telephone records and recordings of inbound and outbound calls;
  • Any contact(s) you have with us such as home visits or clinic appointments; and
  • Service user experience feedback and treatment outcome information you provide.

Your personal information and records are in both electronic and hard copy paper format. Electronic records are held securely on a computer system and secure IT network.

Why do we collect this information about you?

Your information is used to guide, inform and record the services you receive and is vital in helping us to:

  • Have all the necessary information to assess your needs and for making decisions with you about the services you receive;
  • Have details of our contact with you, such as referrals and appointments, and see the services and equipment you have received;
  • Assess the quality and outcomes of the services provided; and
  • Investigate if you have any concerns or a complaint about the services you have received.

Staff involved in your care will also have accurate and up to date information and this accurate information about you is also available if you move to another area, need to use another service or see a different healthcare professional.

Who might we share your information with?

Your information will be shared with the team providing services for you. However, we work collaboratively with NHS partners and local authority agencies, including social services, so we may need to share information about you with other professionals and services involved in your care and equipment provision.

We do this in order to provide the most appropriate care and support for you or when the welfare of other people is involved. We will only share your information in this way if we have your consent and it is considered necessary.

You have the right to refuse and withdraw your consent to information sharing at any time. Please discuss this with a member of staff as this could have implications in how you receive further care, support and equipment, including delays in your receiving care, support and equipment.

However, a person’s right to confidentiality is not absolute and there may be other circumstances when we must share information from your records with other agencies. On these rare occasions we are not required to have your consent. Examples of this are:

  • If there is a concern that you are putting yourself at risk of serious harm;
  • If there is concern that you are putting another person at risk of serious harm;
  • If there is concern that you are putting a child at risk of harm;
  • If we have been instructed to do so by a Court;
  • If the information is essential for the investigation of a serious crime;
  • If you are subject to the Mental Health Act (1983), there are circumstances in which your ‘nearest relative’ must receive information even if you object; or
  • If your information falls within a category that needs to be notified for public health or other legal reasons, such as certain infectious diseases.

The information from your records will only be used for the purposes that benefit the services we provide and we would never share it for marketing or insurance purposes.

Improving health, care and services through planning

To help us monitor our performance, evaluate and develop the services we provide, it is necessary to review and share minimal information, for example with our NHS and local authority commissioning partners. The information we share would be anonymous so you cannot be identified and all access to and use of this information is strictly controlled.

In order to ensure that we have accurate and up to date records, we carry out a programme of audits with access to records for this purpose monitored and only anonymised information being used in the reports that are shared internally.

How do we keep your information safe?

The organisation is committed to keeping your information secure and has operational policies and procedures in place to protect your information whether it is in electronic or hard copy (paper) format.

The organisation is entered on the Information Commissioner’s data protection register, with registration number Z5840326.

All of the information systems used by the organisation are implemented with robust information security safeguards to protect the confidentiality, integrity and availability of your personal information. The security controls adopted by the organisation are influenced by a number of sources including NHS Digital and Government standards. This also includes certification with the Cyber Essentials accreditation scheme.

All staff and sub-contractors are legally bound to respect your confidentiality and must comply with our information governance and information security procedures. Any breach of these procedures is treated seriously and may, in certain cases, result in disciplinary action.

Please note that if any of your personal information is to be processed overseas and outside of the EEA, a full risk assessment would be undertaken to ensure the security of the information.

In ensuring the safety and confidentiality of your personal information, the organisation also has to complete Data Protection Impact Assessments (DPIA). This is a process which helps assess privacy risks and identifies the legal basis for the collection, use and disclosure of information, known as processing.

All new projects and processes that involve using or sharing personal information will require a completed DPIA at the initial stages and prior to any procurement decision being made. All DPIAs completed will be submitted to the Data Protection Officer and/or the Information Governance and Security Group for approval.

How long do we keep your information?

All clinical records held by the organisation are subject to the Records Management Code of Practice for Health and Social Care Act 2016 (the Code). The Code sets out best practice guidance on how long we should keep your clinical information before we are able to review and securely dispose of it.

For further information on specific timescales, please refer to the retention schedule appendix within the Information Governance policy.

Your rights

You have the right:

  • To ask us to not use your personal data for direct marketing
  • To ask us not to process your personal data where it is processed on the basis of legitimate interests, if there are no compelling reasons for that processing
  • To request from us access to personal data held about you
  • To ask for the information we hold about you to be rectified if it is inaccurate or incomplete
  • To ask that we stop any consent-based processing of your personal data after you withdraw the consent
  • To ask, in certain circumstances, to delete the personal data we hold about you
  • To ask, in certain circumstances, for the processing of that information to be restricted; and
  • To ask, in certain circumstances, for data portability

How can I access the information you hold about me?

You have the right to access and see the information we hold about you, whether in electronic or hard copy format. The exception to this is information that:

  • Has been provided about you by someone else if they haven’t given permission for you to see it
  • Relates to criminal offences
  • Is being used to prevent or detect crime
  • Could cause physical or mental harm to you or someone else

Your request can be made in writing, by email or verbally and can be given to the service where you receive your services from us or, alternatively, sent to:

Data Protection Officer

Millbrook Healthcare Limited
Nutsey Lane
SO40 3XJ 


The complaints team are available to assist you with any comments, concerns and complaints. The team act independently of any of the services we provide ensuring your concerns are thoroughly investigated and responded to in a timely manner. Please find contact details below:

Governance Officer

Millbrook Healthcare Limited
Nutsey Lane
SO40 3XJ


You can also get further information and advice or report a concern to the UK’s independent authority, the Information Commissioner, via the contact details below:

Information Commissioner’s Office

Wycliffe House
Water Lane

Tel. 0303 123 1113

Other useful contacts

Data Protection Officer

Millbrook Healthcare Limited
Nutsey Lane
SO40 3XJ

Tel. 02380 662312


Caldicott Guardian

Millbrook Healthcare Limited
Nutsey Lane
SO40 3XJ