Further Definitions and Terms used in Fair Processing Notice

Data Protection Act 2018 (DPA)

The Act of Parliament which regulates the processing of information relating to living individuals, including the collecting, holding, use, and sharing (disclosure) of such information.  South Warwickshire CCG as a Data Controller is required to ensure the principles of the DPA are adhered to ensuring we are legally compliant in the way we collect and use your information.

Data Controller

A person (individual or organisation) who determines the purposes for which and the manner in which your identifiable information will be collected and used.  Data Controllers must ensure that any collection and use of identifiable information complies with the principles of the Data Protection Act 2018.  For health and social care organisations the Data Controller will be the organisation holding your information.  Providing a complete, factually correct and easy to read Fair Processing Notice (Privacy Notice) is just one of the requirements of a Data Controller.  South Warwickshire CCG is the Data Controller unless otherwise stated in its Fair Processing Notice.

Data Processor

Any person (other than an employee of the Data Controller) who process the data on behalf of the Data Controller.  Data Processors are not directly subject to the Data Protection Act 2018 but the Information Commissioner, who is statutorily responsible for ensuring organisations comply with the Act, recommends that organisations should choose data processors carefully and have in place effective means of monitoring, reviewing and auditing their processing with a written contract in place.  Please see our sharing information page for further information about the controls we ensure are in place before making agreements with any data processors and a list of data processors contracted by South Warwickshire CCG in our capacity as Data Controller.  There is further information detailing the use of data processors in the section informing you of the details of information collected and used for specific purposes.


Consent describes the informed agreement for something to happen after consideration by you.  For consent to be legally valid, you must be informed, must have the capacity to make the decision in question and must give consent voluntarily.  In the context of consent to share information, this means you should know and understand how your information is to be used and shared (there should be ‘no surprises’) and you should understand the implications of your decision, particular where your refusal to allow information to be shared is likely to affect the care you receive.  This applies to both explicit and implicit consent.

Explicit Consent

Explicit consent is unmistakeable.  It can be given in writing or verbally, or conveyed through another form of communication such as signing.  You may have the capacity to give consent, but may not be able to write or speak.  Explicit consent is required when sharing information with staff who are not part of the team caring for you.  It may also be required for a use other that than for which the information was originally collected, or when sharing is not related to your direct health and social care. 

Implied Consent

Implied consent is applicable only within the context of direct care of individuals.  It refers to instances where your consent can be implied without having to make any positive action, such as giving your verbal agreement for a specific aspect of sharing information to proceed.  Examples of the use of implied consent would include where a referral is being made by a GP to a community or hospital service we would consider your consent as implied when discussing the referral with you, another example would be within the hospital setting where there are ward handovers, the consent to share your identifiable in this situation is required for your care and you would not expect to be asked to provide explicit consent at each ward handover.


Within the NHS and in social care organisations the term Personal Confidential Data is used to describe identifiable information which you have provided in confidence, for example, in discussion with your GP or hospital specialist.  This information should be kept private or secure.  For the purposes of the Fair Processing Notice (Privacy Notice) ‘identifiable information’ includes the Data Protection Act 2018 definition of personal data, but it is adapted to include dead as well as living people and ‘confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive information’ as defined in the Data Protection Act 2018.

Caldicott Guardian

A senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing.  Each NHS organisation is required to have a Caldicott Guardian which was mandated for the NHS in 1999.

Information Governance Toolkit

An online system which allows NHS and social care organisations to assess themselves or be assessed against Information Governance policies and standards.  It also allows members of the public to view participating organisations’ IG Toolkit assessments.

Information Governance

The set of multi-disciplinary structure, policies, procedures, processes and controls implemented to manage information at a senior level, supporting an organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

Send feedback about this page
© NHS South Warwickshire Clinical Commissioning Group
Westgate House, Market Street, Warwick CV34 4DE