Wellbeing Hub
Bath and North East Somerset

Privacy and Website policy

Community Wellbeing Hub Privacy Notice

This privacy notice explains what information we collect about you, how we store this information, how we share this information and how we keep it safe and confidential. We want you to be confident that your information is kept safe and secure, and to understand how and why we use it to support your care. Read more below.

Privacy Policy (updated 10th April 24)

1. Definitions

  • GDPR: General Data Protection Regulation.
  • Personal data: Any information relating to an identifiable individual such as your name, NHS number, contact details. It can also be location data or an online identifier.
  • Special categories of personal data are defined as: any information relating to an identifiable individual such as racial or ethnic origin, politics, religious or philosophical beliefs, trade union membership, genetics, biometrics (where used for identification) information concerning your health, sex life or sexual orientation.

2. Who are we?

The Community Wellbeing Hub (CWH) is a partnership between the public, HCRG Care Group, the council, and voluntary and third sector agencies, providing centralised support for residents within BaNES. The hub follows agreed BaNES procedures around safeguarding. Our partners include:

  • Bath and North East Somerset Council
  • HCRG Care Group BANES
  • Age UK Bath & North East Somerset
  • Alzheimer's Society
  • All Cycle Bath & West
  • BEMSCA Bath and North East Somerset Ethnic Minority Senior Citizens Association
  • Bath Mind
  • Better Leisure GLL
  • Carers Centre
  • Citizens Advice Bath & NE Somerset operating as Bath and District Citizens Advice Bureau
  • Clean Slate
  • Curo
  • Developing Health and Independence (DHI)
  • Dorothy House Hospice Care
  • Writhlington Trust, Trading as Dragonfly Leisure
  • KiActiv Health
  • Royal United Hospital
  • Sporting Family Change
  • Stroke Association
  • Sustrans
  • SWAN Transport
  • University of the West of England
  • We Care Home Improvements
  • West of England Rural Network (Village Agents)

The CWH comprises a call centre (hub), a website, and subject-specific response teams called ‘pods’. The call centre acts as a triage point, identifying the core need of the person and either resolving the issue or referring the person on to one of the pods. These pods are made up of partner organisations and their services, which act as a network for the resolution of issues and/or onward support. If a clinical or social care need is identified, this is referred to the professional teams within the Care Co-ordination Centre either immediately or within a day. The organisational Pods are grouped in the following themes:

    1. Accessing food – to support people in food poverty to access sustainable food options within their community
    2. Active Travel – to support people to become more active in their everyday lives.
    3. Benefits, debts and cost of living – to assist people to maximise their income & deal with ongoing financial concerns
    4. Drugs, alcohol, and other addictions – support for people with addictions.
    5. Employment, skills and volunteering – access to support for people looking for work, reskilling, and volunteering opportunities
    6. Home safety and energy efficiency – support for people to access services to help them keep safe and improve their energy efficiency in their homes.
    7. Home from Hospital discharge services – non-clinical support required by health professionals to support discharge and admissions, or the avoidance of such situations.
    8. Housing advice and support - individuals with complex housing needs or general housing issues.
    9. Healthy Lifestyles and Physical activities – support for people to stop smoking, weight management, diabetes, parenting skills including local initiatives and projects.
    10. Managing at home – support for people to remain in their own homes, identify care options and accessing community support.
    11. Mental Health support – a range of mental health services and support for people
    12. Social prescribing initiatives – local initiatives that connect people to activities, groups and services in their area.
    13. Supporting people and their families (family, children, carers, older people) – access to support services for people, their families and their loved ones.
    14. Transport – access to transport for medical appointments and to and from hospital and for shopping and other specific needs.
    15. Wellbeing activities – support for people who would benefit from attending wellbeing activities including wellbeing courses, day centres, social clubs etc
    16. MDT – multi-disciplinary support from partner organisations and other professionals to ensure the support needed for complex cases can be met and delivers the right outcomes for people.
    17. Or any other Pods that might be created at a later date.

Bath & North East Somerset Council and HCRG Care Group are the Joint Data Controllers for all data referrals made via the Riviam referral management system. All data that is processed to each pod is led by HCRG Care Group. For the purposes of data protection legislation, each Pod will be the Data Controller for the data processed. Where an intervention requires more than one organisation to support the individual, each organisation would then act as Joint Data Controllers.

Bath & North East Somerset Council shall process special category data for the purposes of monitoring and quality assuring services, including compliance with NHS Digital Directions for data collection.

3. Why do we collect personal information about you?

Staff members of organisations within the CWH need to collect and maintain information about your health and social care needs, treatments, financial information, the wellbeing of your family, friends and/or neighbours, logistics in relation to food, medications and any other needs you might have so that:

  • Accurate and up to date information is available in order to provide the best possible care and/or treatment and/or support for you.
  • The information is available should you need another form of care, for example a referral to another service.
  • We can review the type and quality of care you received and make the necessary changes in order to provide the best possible care.
  • Your concerns can be properly looked into if you have a complaint.

4. What information we collect and how we obtain it?

Personal information about you is collected in a number of ways. This can be from referral details from our staff, other 3rd parties or hospitals, directly from you or your authorised representative.

We will collect basic ‘personal data’ about you such as your name, address, contact details including next of kin or carer details and/or NHS number. We might also hold your email address, marital status, occupation, place of birth, preferred name or maiden name and Power of Attorney, advocate or carer information. The reasons why we may collect this information are detailed in section 3 above.

Your personal information can be held in a variety of formats including electronically on computer systems and audio files.

In addition to the above we may also hold more sensitive personal data, called ‘special category data’ which could include:

  • Notes and reports about your health, treatment and care
  • Medical condition
  • Results of investigations, such as x-rays and laboratory tests
  • Future care you may need
  • Smoking status and any learning disabilities
  • Your religion and ethnic origin
  • Whether or not you are subject to any protection orders regarding your health, wellbeing and human rights (safeguarding status)
  • School information and information about your family health or social history
  • Any special needs or preferences for receiving information
  • Financial information

Without this information, we may be unable to fulfil our statutory responsibilities of delivering the appropriate level of support to you.

Once collected, your information will be securely stored by the relevant Data Controller organisation on their systems. If you would like to find out how your information is processed by the other organisations, you will need to get in touch directly with our partners. A list of partners can be found above in section 2.

In all cases, your information is only accessed and used by authorised health and social care professionals, in locally based organisations, who are involved in providing or supporting your direct care.

5. What is our legal basis for processing your information?

In order for us to legally process your information a ‘lawful basis’ needs to be identified. Data protection law recognises the difference between personal data and that of a more sensitive nature known as special categories of data; such as racial or ethnic origin, political opinions, religious beliefs, trade union activities and physical or mental health.

Our legal basis for processing your personal information falls under one of the following legal bases:

  • Performance of a task carried out in the public interest or in the exercise of official authority (the Care Act 2014 (CA2014) and the Civil Contingencies Act 2004 (CCA2004)).
  • Necessary for a legal obligation such as responding to a request from a coroner

Our legal basis for processing special category data falls under one of the following legal bases:

  • The provision of health or social care
  • Social protection law for safeguarding purposes.
  • Necessary for the reasons of substantial public interest (As above)

Bath & North East Somerset Council shall process special category data for the purposes of monitoring and quality assuring services, including compliance with NHS Digital Directions for data collection. Bath & North East Somerset Council will share monitoring reports with CWH partners and funders as required.

The University of the West of England (UWE) has been appointed by Bath & North East Somerset Council as the research partner for the Active Way project and will analyse data collected from participants and in Riviam for the purposes of evaluating the success of the project.

You do have the right to “object” to our use of your information, but this could have an impact on our ability to provide you with the support.

6. How we use and share your information?

Your records are used:

  • By social care professionals to make care decisions with, and about you.
  • To make sure your care is safe and effective.
  • To support working with others who provide your care.
  • To make referrals on your behalf to other agencies involved in your direct care.

We may also use, or share, your information for the following purposes:

  • If it is in your best interests.
  • Looking after the health of the general public.
  • To ensure that our services can meet patient needs in the future.
  • Preparing statistics on NHS performance and activity or reports required by the Council.
  • Investigating concerns, complaints or legal claims.
  • Helping colleagues review the support they provide to make sure it is of the highest standards.
  • Training and educating staff.
  • Recommendations for special arrangements at home.
  • To manage incidents that you have been involved in.
  • Requests for information from official authorities or your representative.
  • If the service is transferring to us under contract or if you are moving out of the area.
  • The prevention and detection of crime.
  • Funding requests or payments.
  • Integrated care initiatives.
  • Legal advice or proceedings.
  • Responding to legal requests and court orders.
  • Information of public interest relating to Public health campaigns and notifications.

We may also share anonymised data with the NHS for performance monitoring, including through statutory data submissions.

7. Who do we share your information with?

There may be times when we will need to share your personal data with other organisations in order to ensure the best support and outcomes for you. This could be, for example, if we were concerned about your wellbeing and safety. You can be assured that we will only ever share information where we have a lawful basis to do so, that we will share only the minimum data needed to support you, only ever with organisations who can demonstrate a lawful and legitimate interest in the information, and always in a safe and secure manner. You will be informed if we intend to share your data, with whom and why, and you can object to this sharing at the time.

Your personal data will never be sold to or shared with marketing companies.

8. How do we keep your information secure?

We take the security of your personal data very seriously. We have operational policies and procedures in place to protect your information whether it is in hard copy or electronic format. We protect your information in the following ways:

Training: Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient data; this includes their mandatory annual training in data security and confidentiality to demonstrate they understand and are complying with Practice policies on confidentiality.

Access Controls: Any member of staff who has access to personal confidential data will have a username and unique password and secure login is based on user roles and their organisation. This will reduce the risk of unauthorised access to your personal data and all access is auditable. Staff leavers will be removed as soon as reasonably practical.

Technical measures: We complete due diligence assessments and impose contractual obligations on our trusted providers and persons working under our instruction.

Our technical systems and partners are subject to the same strict information security regulations that apply to all NHS systems and organisations.

Data is securely transferred from the website and special category data captured and stored is encrypted and can only be viewed by users with secure access.

All data storage facilities meet the highest information security standards in cloud services based in the UK.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you.
  • Keep records about you confidential and secure.
  • Provide information in a format that is accessible to you.

We are committed to protecting your privacy and will only use information collected lawfully in accordance with:

  • Data Protection Act 2018.
  • UK General Data Protection Regulation
  • Human Rights Act 1998.
  • Common Law Duty of Confidentiality.
  • NHS Codes of Confidentiality and Information Security.
  • Health and Social Care Act 2015.
  • And all applicable legislation.

We maintain our duty of confidentiality to you at all times. We will only ever use or pass on information about you if we reasonably believe that others involved in your care have a genuine need for it.

We will not disclose your information to any third party without an appropriate legal basis and there are exceptional circumstances (such as a risk of serious harm to yourself or others) or where the law requires information to be passed on.

9. How long do we keep your information?

Your personal information is held in both paper and electronic forms for specified periods of time as defined by the NHS Records Management Code of Practice for Health & Social Care 2016 and the National Archives. Please click on the link for the retention periods of the various medical records we hold. Records retention schedules.

General enquiries will be kept for up to seven years from the date of the conclusion of the enquiry.

These are the minimum times for which we keep information; we may keep it for longer if we believe doing so will be of benefit to you or we are not able to delete it due to a technical issue.

We have a duty to:

  • Maintain full and accurate records of the care we provide to you
  • Keep records about you confidential and secure

Further details can be found in The Records Management Code of Practice for Health and Social Care 2016.

Please note that the Independent Inquiry into Child Sexual Abuse (IICSA) has requested that large parts of the health and social care sector do not destroy any records that are, or may fall into, the remit of the inquiry. Therefore, organisations that retain such records are currently not destroying any children’s records until further notice (please consult the website for more details).

10. Social Media and our Website

When you contact the CWH through social media such as Facebook and Twitter, we hold your information and reason for contact in our social media management portal to enable us to easily access and manage our engagement with you. This may result in us sharing your information with other parties involved in your care, managing your complaint etc.

When you visit our website, we collect standard internet log information and details of visitor behaviours. This is statistical data only which we collect in order to find out the numbers of visitors to the site and the pages visited. The information is collected in such a way that does not identify individuals and we do not make any attempts to identify visitors this way.

Where we do collect personal information on our website, this will be made obvious to you through the relevant pages.

11. What are your rights?

If we need to use your personal information for any reasons beyond those stated above, we will discuss this with you. Under the Data Protection Act 2018 you have the following rights:


The right to be informed - As a controller, we are obliged to provide understandable and transparent information about the way we process your data (this is provided within this privacy notice)

The right of access - You are entitled to request a copy of the personal data we hold about you. (see the section below, how to request a copy of your record)

The right to rectification - Request the correction of inaccurate or incomplete information in your health record, subject to certain safeguards.

The right to erasure - Where no overriding legal basis or legitimate reason continues to exist for processing personal data, you may request that we delete the personal data.

The right to restrict processing - Under certain circumstances, you may ask us to stop processing your personal data. We will still hold the data but will not process it any further.

The right to data portability - Subject to certain conditions, you may request a copy of your personal data to be transferred to another organisation.

The right to object to processing - You have the right to object to our processing of your data where:

  • Processing is based on legitimate interest.
  • Processing involves automated decision-making and profiling.
  • Processing would be for a purpose beyond your care and treatment, e.g. direct marketing and scientific or historic research; you can opt-out to the sharing of this information under the National Data Opt-Out. Further information can be found on the following website:

Please note that the above rights may not apply in all circumstances.

Keep us updated of any changes

Please let us know if you change your address or contact details etc. so that we can keep your information accurate and up to date.

12. How to request a copy of your record?

You can request a copy of your records from HCRG Care Group via the Data Subject Access Portal. Please click on the following link to request your record.

Subject Access Request Portal

Our portal supports the management of requests with regards to records and/or alterations/concerns. Your request will be directed to our Privacy Team who will ensure that the correct service receives your request promptly.

For requests for Council controlled data please submit your request via the following webform:

or write to the Council at:

Data Protection Officer (SAR), Bath & North East Somerset Council, Lewis House, Manvers Street, Bath, BA1 1JG

13. Who can you contact regarding your personal information we hold?

If you have any questions or concerns about the information we hold about you, please do not hesitate to talk to someone in the CWH or contact:

Data Protection Officer

Head of Information Governance, HCRG Care Group Ltd, The Heath Business and Technical Park, Runcorn, Cheshire, WA7 4QX


Data Protection Officer

Bath & North East Somerset Council, Lewis House, Manvers Street, Bath, BA1 1JG


If you are not happy about the way your information is handled, or you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO).

Visit our partner organisations’ websites for privacy notices on how they manage your personal data. See the list of partner organisations in section 2 above.

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Tel: 0303 123 1113


14. Disaggregation of Services

In the event of the contract between BaNES Council and HCRG Care Group Ltd coming to an end, all relevant documentation and records will be transferred to the new provider. The transfer of records will be conducted in accordance with the current UK Data Protection Law.

15. Changes to our privacy notice

We will update this privacy notice from time to time to reflect any changes to our ways of working. Please contact our Data Protection Officer if you would like more information.

Website Privacy Notice

Information we may collect from you

When you visit our website, we collect standard internet log information and details of visitor behaviours. This is statistical data only which we collect in order to find out the numbers of visitors to the site and the pages visited. The information is collected in such a way that does not identify individuals and we do not make any attempts to identify visitors this way.

Referral form

The referral form collects personal details of the person being referred including name, address, date of birth, telephone numbers and email addresses. In addition, information about the support requested is collected.

The information on the referral form will be used to decide the best type of support for the person being referred. Therefore, this information may be shared with relevant health and care services.

Consent for a referral is collected during the form completion process.

Social media

When you contact us through social media such as Facebook and Twitter, we hold your information and reason for contact in our social media management portal to enable us to easily access and manage our engagement with you. This may result in us sharing your information with other partners within the Community Wellbeing Hub involved in providing support, your care, managing your complaint etc.

Web server log files

IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number used by computers on the network to identify your computer. IP addresses are automatically collected by our web servers so that data (such as the web pages you request) can be sent to you.

Web server log files are used to record information about our site, such as system errors. Log files do not contain any personal information or information about other sites which you have visited.


Cookies are files with a small amount of data that is commonly used as an anonymous unique identifier. These are sent to your browser from the website that you visit and are stored on your computer's hard drive.

Our website uses these “cookies” to collect information and to provide you with a more personal and interactive experience on our site. You have the option to either accept or refuse these cookies and know when a cookie is being sent to your computer. If you choose to refuse our cookies, this may affect your experience in using our site.


We take the security of your personal data very seriously. Technical and organisational controls have been designed and implemented to protect the personal information that we hold about you. These controls may be:

  • Technical measures to secure the information on our websites and other areas where information is hosted to prevent unauthorised access to your personal data.
  • Organisational controls such as regular confidentiality and security training, vetting, due diligence and contractual obligations imposed on our trusted providers and persons working under our instruction.

However, due to the inherent security risk of providing information and dealing online, we cannot guarantee the security of any data you disclose online.

Therefore, you recognise that your use of our website and social media contacts is entirely at your own risk.

Links to other websites

Please be aware that our site may link to other websites which may be accessed through our site. If you follow a link to any of these websites, please note that they will have their own cookies and privacy policies. We do not accept any responsibility or liability for the privacy and security practices of such third-party websites and your use of such websites is entirely at your own risk.

Changes to this Notice

We may update our policy from time to time. We advise you to review this page periodically for any changes. We will notify you of any changes by posting the new Privacy Notice on this page. These changes are effective immediately, after they are posted on this page.

Contact Us

If you wish to exercise any of your data protection rights such as your right of access or erasure or if you have any questions or suggestions about our Privacy Policy, do not hesitate to contact us at

Appeals to the Information Commissioner’s Office

If you are unhappy about the way we have treated your personal data, or feel we have not properly respected your data subject rights, you have the right to contact the Information Commissioner’s Office (ICO) and tell them about this. You can also contact the ICO by phone on 0303 1231113.
