CSS GDPR Compliance Statement

This was updated August 2023.

GDPR Data Processing Compliance Procedures

CSS is committed to ensuring your personal information is always dealt with in the correct manner. Listed below are assurance statements, ensuring you that we are taking the new GDPR data protection regulations into consideration.

  1. CSS will ensure any processing of personal information is only as that set out in the contract/written instruction that describers the subject matter and duration of the processing, the nature and purposes of the processing, types of data processed and categories of individuals, the obligations and rights of the council.
  2. CSS will at the choice of the customer delete or return all personal information when the contract ends.
  3. CSS will and do only employ persons who are committed to confidentiality or are under a statutory obligation of confidentiality. All our staff are DBS checked and sign confidentiality statements.
  4. CSS will ensure they take appropriate security measures and undertake regular testing and evaluating of the effectiveness of technical and organisational measures for ensuring security of processing.
  5. CSS will only subcontract with the prior permission of the customer.
  6. CSS will be able to demonstrate compliance with GDPR by keeping appropriate records.
  7. CSS will notify the customer of any breach without undue delay.
  8. CSS will hold all customer data securely in-house, which is held within the UK and will not transfer data outside the EU without prior permission from the customer.
  9. CSS will assist the customer to meet their obligations under GDPR.

If there is anything else you require clarification on specifically for your local authority please do not hesitate to get in touch with our Data Protection Lead.

Data Migration and Storage

In new client take-on we have always advised customers to only migrate Service Users with Equipment still in situ to our systems.

  • We strongly state that we would check the client data set against the equipment registrar and reject all clients who don’t have equipment.
  • We state that deceased clients should not be migrated
  • We also advise the customer to be aware of Data Retention policies in managing the archiving of data not transferred to CSS
  • We make sure any data migrated as part of the implementation process has prior consent
  • We store migrated data with an NHS accredited Hosting Service Provider
  • By adding a Service User record onto our ordering platform to request a service delivery, it is our position to assume that consent has been obtained
  • To assist in any consent clarifications
    • We are able to provide information on who created the client record for the first time if not part of the import / data migration process
    • We are able to provide information on who requested a service, if the client record existed, to support any clarifications by Service User on consent
    • We are able to provide further information on the data of request and provision if required.

Data Retention

During the duration of the contract CSS will assist the customer to adhere to the Data Retention guidelines by:

  • Providing a mechanism by way of reports to interrogate and qualify data for deletion according to data retention policies
  • Where instructed, CSS will delete the data from our platforms
  • Where required, CSS will provide written assurance that the data has been deleted

Right To Be Forgotten

CSS will assist the customer in removing all records related to a request to be forgotten.  This action will only be undertaken where CSS have

  • Received the request directly from the customer’s authorised officer e.g. Contract Manager
  • Received the request from the Customer’s Data Protection Officer and copied in the Contract Manager
  • Where the request has come from a 3rd Party, CSS will refer this request to the Contract Manager to initiate the process for approval internally prior to CSS undertaking any action. This action will again follow our procedure of a written signed document by the Data Protection Officer, instructing CSS to undertake a removal of the subject data.

Freedom of Information Requests

Freedom of Information (FOI) requests will not be carried out by CSS without the explicit permission of the Authorised officer or the Data Governance Officer.  An approved request should be submitted formally by email to CSS will all relevant parties copied in stating the exact data we should provide.

3rd Party FOI

  • CSS will refer this request to the customer Authorised Officer noting sections of the request that may be a concern to the customer if provided
  • CSS will undertake the extraction on receipt of instruction by the Authorised Officer to proceed
  • CSS will extract and make available the data to the Authorised Officer via secure methods such as egress for validation and onward forwarding to the FOI requester

Internal but not the Authorised Officer

  • CSS will refer the request to the Authorised Officer for approval
  • On receipt of the approval we will extract the data and make available to the Authorised Officer via secure methods such as egress.


CSS is registered with the ICO, registration number Z284089X and will report any incidence of data breach to the customer’s Authorised Officer and where required to the ICO. The incident report will indicate

  • Nature of Breach
  • Affected Data
  • Steps taken to rectify the breach
  • Steps taken to avoid future occurrence

Examples of Breach

  • CSS list breach of data to include but is not limited to
    • Data compromised in transit e.g. sending reports to an unintended source. It is our responsibility that we provide Personal Data to only those who are authorised to receive it and distribute it internally to ensure that we are provided by authority the list of names to distribute personal identifiable data to.  This request shall be received by way of the helpdesk monitoring system to retain an audit of granting of authority
    • Data displayed in error to a 3rd Party
    • Data used in Marketing without prior consent

Contract End

At the end of the contract term CSS as the incumbent will

  • Remove the instance of the customers data from our platforms once the customer has confirmed receipt and read capability of the archived data set
  • Provide written assurance that the client data instance has been removed from our platforms.