Westfield Health takes the privacy of all customers and those that communicate with us very seriously and as a valued customer, we wanted to give you statement of our Data Protection Compliance position. In summary:

  • You’re always in control: Your privacy will be respected at all times and we will put you in control of your personal data
  • We work transparently: We will be transparent about the data we collect and how we use that data so that you can make fully informed choices and decisions
  • We operate securely: We will protect the data that you entrust to us via appropriate security measures and controls. We’ll also ensure through the contracts we have in place, that other businesses we work with are just as careful with your data
  • For your benefit: When we do process your data, we will use it to benefit you, to make your experience better and to improve our products and services

Please continue reading for more information about our compliance position.

Appointment of a Data Protection Officer

Westfield Health have appointed a Data Protection Officer, responsible for overseeing compliance with relevant data protection laws.

You are able contact our data protection officer in the following ways should you have any questions or comments about how your data is processed:

[email protected]

Westfield Health
Westfield House
60 Charter Row
S1 3FZ

Policy & Procedural Documentation

Westfield Health have reviewed and updated all policy and procedural documentation to align ourselves with relevant data protection laws and ISO 27001 standards.

Our suite of policies have been reviewed, amended, approved, published and communicated to employees throughout the organisation. Policies include, but are not limited to:

  • Privacy Promise and Privacy Policy
  • Data Protection Policy
  • Information Security Policy & associated policies in line with ISO 27001
  • Data Breach Management Policy
  • Data Retention Policy
  • Data Subject Access Requests Policy
  • Data Protection Impact Assessment Policy
  • CCTV Policy

Staff Training & Awareness

We have ensured that every member of staff at Westfield Health has completed a Data Protection e-learning module and in house classroom session, tailored to their job role, with our Data Protection Officer.

ISO 27001 Certification

Westfield Health has achieved ISO 27001 certification.

ISO 27001 is an international standard that describes best practice for an ISMS (information security management system). ISO 27001 certification demonstrates that we are following information security best practice and provides an independent, expert verification that information security is being managed in line with international best practice and business objectives.

The information security management system (ISMS) enables us to manage all our security practices in one place. The ISMS is a system of processes, documents, technology and people that aids in managing, auditing and improving the organisation’s information security.

At the heart of a compliant ISO 27001 ISMS are business driven risk assessments, allowing us to identify and treat security threats consistently according to our organisation’s documented risk appetite and tolerance levels.

View our Information Security Summary.

Privacy Notices

We have reviewed, redrafted and published all privacy notices to meet the compliance standards set out in the Data Protection Act 2018 and General Data Protection Regulation (GDPR). Both our privacy promise & privacy policy are available on our website.

Record of Processing Activities

In line with our record keeping obligations set out in the Data Protection Act 2018 and GDPR, as both a Data Controller and Data Processor, we have documented our processing activities. This includes recording following information as a minimum:

Westfield Health acting as a Data Controller:

  • Business Function
  • Purpose of Processing
  • Name and contact details of Joint Controller (if applicable)
  • Categories of Individuals
  • Categories of personal data
  • Categories of recipients
  • Link to contract with processor
  • Retention Schedule
  • General description of technical and organisational security measures (if possible)

Westfield Health acting as a Data Processor:

  • Link to contract with Controller
  • Name and details of Controller
  • Name and details of Controller’s representative (if applicable)
  • Categories of Processing
  • General description of technical and organisational security measures (if possible)

Data Processing Agreements

Where Westfield Health acts as a Data Controller, we have ensured that we only appoint Data Processors who can provide ‘sufficient guarantees’ that the requirements of the Data Protection Act 2018 and GDPR will be met and the rights of data subjects protected.

Where Westfield Health acts as a Data Processor for corporate clients, we are happy to review and sign where acceptable Data Processing Agreements submitted by the Data Controller.

Agreements between Controllers and Processors ensure that parties both understand their obligations, responsibilities and liabilities. Agreements help each to comply with the Data Protection Act 2018 and GDPR, and help Controllers to demonstrate their compliance.

We have updated our Corporate Terms & Conditions to embed these requirements.

Data Protection Impact Assessments (DPIA’s)

Westfield Health actively carries out Data Protection Impact Assessments (DPIA’s) in line with Data Protection by Design and Default requirements in order for us to identify and minimise the data protection risks of a project or processing activity.

Westfield Health ensures that DPIA’s are performed where processing is likely to result in high risk to individuals.

Our DPIA’s includes:

  • A description of the nature, scope, context and purposes of the processing;
  • Assessment of the necessity, proportionality and compliance measures;
  • Identification and assessment of risks to individuals; and
  • Identification any additional measures to mitigate those risks.

If you have any further questions, or require any more information is required, please do not hesitate to contact me.

Yours faithfully

Matt Bruce

Data Protection Officer

[email protected]

Find out more about how we safeguard your data

Visit our Trust page