The Department of Health and Social Care (DHSC) and the Office for Health Information and Disparities (OHID) own this digital order form. It has been produced so that those who conduct abortions in England and Wales can order printed copies of the HSA4 form: abortion notification. This notice sets out how data collected through this digital order form will be used and lists the rights of the person completing the form under Articles 13 and/or 14 of the General Data Protection Regulation (GDPR).
Data controller
The Department of Health and Social Care (DHSC) is the data controller.
What personal data we collect
We will collect data on:
Your name
Your job title
Your organisation
The address you want the printed forms to be sent to
Your email address
The number of order forms you require
How we use your data (purpose)
Your data will be treated in the strictest confidence.
We collect your personal data as part of the digital order form process:
So that DHSC can send out your printed order forms
So that DHSC can contact you for further information about your order (if you have given your consent)
Legal basis for processing personal data
Our lawful basis for processing this data is Article 6(1)(e) of the GDPR, which states that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This is in line with the Secretary of State’s duties in relation to the promotion and provision of the health service in England (including public health functions), as outlined in Part 1 of the NHS Act 2006 (as amended by the Health & Social Care Act 2012).
Data processors and other recipients of personal data
All responses to the digital order form will be seen by:
Team members at DHSC and OHID working on mail fulfilment associated with the HSA4 form
DHSC’s third-party supplier (SocialOptic), who is responsible for hosting the online digital form
DHSC’s third-party supplier (HH Global), who is responsible for undertaking the mail fulfilment of the HSA4 printed form
International data transfers and storage locations
Storage of data by DHSC is provided via secure computing infrastructure on servers located in the European Economic Area (EEA). Our platforms are subject to extensive security protections and encryption measures.
Storage of data by SocialOptic is provided via secure servers located in the United Kingdom (UK).
Storage of data by HH Global is provided via secure servers located in the United Kingdom (UK). HH Global uses SFTP for requirements where a secure data transfer service is required. The SFTP service is included within their annual ISO 27001:2013 and Cyber Essentials certifications and is also independently penetration tested annually. The storage used by our SFTP service is a fully managed IaaS Storage Network protected by Secure AES-256 storage providing secure Controller-Based Encryption (CBE) at the file and block level.
Retention and disposal policy
DHSC will only retain your personal data for as long as either:
it is needed for the purposes of the order that we send out
the law requires us to
This means that personal data will be held by DHSC for a minimum of 12 months.
SocialOptic and HH Global will securely erase the data held on their system every 30 days, or when instructed to do so by DHSC if the data has served its intended purpose (whichever happens earlier).
Data retention will be reviewed on an annual basis. Anonymised data will be kept indefinitely.
How we keep your data secure
DHSC uses appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.
SocialOptic is Cyber Essentials certified.
Your rights as a data subject
By law, you have rights as a data subject. Your rights under the General Data Protection Regulation and the UK DPA 2018 apply.
These rights are:
the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate to be corrected
the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
the right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
Comments or complaints
Anyone unhappy or wishing to complain about how personal data is used as part of this programme should contact data_protection@dhsc.gov.uk in the first instance or write to:
Data Protection Officer
1st Floor North
39 Victoria Street
London
SW1H 0EU
Anyone who is still not satisfied can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk and their postal address is:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF