Who we are

Our website address is: https://cass.independent-review.uk.

This privacy statement only covers the Cass Review website (www.cass@independent-review.uk). It does not cover all sites that can be linked to from this site, so you should always be aware when you are moving to another site and read the privacy statement on that site.

Website Privacy

During the course of the Review, we may need to collect personal information for a number of purposes. The information on this page explains our website privacy policy and how we will use and protect any information about you that you give us when you visit this website.

The Cass Review is bound by the same data protection rules as the commissioning organisation, NHS England and NHS Improvement, and will be following the organisational processes as set out in the privacy notice.

What personal data we collect and why we collect it

From time to time, you will be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates and website feedback.

By entering your details in the fields requested, you enable the Cass Review and its service providers to provide you with the services you select. Any information you provide to the Cass Review will only be used by us, our agents and service providers and will not be disclosed unless we are obliged or permitted to by law to do so.

If you post or send offensive, inappropriate or objectionable content anywhere on www.cass.independent-review.uk or otherwise engage in any disruptive behaviour on www.cass.independent-review.uk, we may use whatever information is available to us, about you, to stop such behaviour. 

We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event that the purpose has been met or when you no longer wish to continue your subscription.

People who contact our enquiry inbox

The Cass Review has a enquiries inbox which gives a central contact for members of the public, patients or their representatives to contact the Review team. This can be for individuals to submit an enquiry, register a complaint or provide feedback.

The Review collects information when members of the public contact us. This can be when they ask a general enquiry through our contact form or directly with team members. In doing so, we collect relevant information at the point of contact to resolve their enquiry.

The data collected by the Cass Review about the enquiry is primarily stored in our contacts log. This includes a record for the individual with an associated entry relating to their case (i.e. a general enquiry, submission of evidence, complaint etc.). The log contains the name, contact information and any other information relating to the enquiry.

There may also be instances where individuals contact specific team members and information provided at this point will be collected (i.e. name and contact information).

The information is used by the Review team to manage the response to the query within the organisation.

For GDPR purposes the lawful basis for processing is Article 6(1)(e) –

‘…exercise of official authority…’.

If you get involved in our work as a participant or contributor

The Review will build evidence and reach conclusions through a process of ongoing engagement with stakeholders. Our approach to this is set out on our website www.cass.independent-review.uk. Stakeholders are encouraged to register their interest in being a participant or contributor to the Review. This may involve:

• people who choose to attend, respond or comment on open access engagement opportunities e.g. responding to online surveys or attending an open meeting

• people who are invited to attend workshops/events/ focus groups on a one-off basis

• people who are a member of a working group which meets regularly

• people who wish to submit evidence to support the Review

The data is provided by stakeholders when registering to attend a meeting or event, and / or when submitting an expression of interest (through an online form).

The information provided on the form includes:

  • name
  • age, address and postcode
  • e-mail address
  • the type of stakeholder, e.g. patient, parent, professional
  • how they want to be involved
  • a short summary of their experience, expertise or interest in the subject matter

For GDPR purposes the lawful basis for processing is Article 6(1)(e)

‘…exercise of official authority…’.

Subscribers to our mailing lists

The Cass Review will in the routine course of its business need to communicate with stakeholders throughout the duration of the Review. These communications are to provide relevant stakeholders with important information in relation to the business of the Review. Other communications may be in relation to the Review, or a workstream of the Review to which interested parties have subscribed for further information as and when it is available (i.e. event attendance, updates on project progress or canvassing feedback on documentation for initiatives).

The data collected by the Review team will be the subscriber’s name and email address.

Contact information is primarily collected on request, i.e. colleagues or members of the public contact the Review either directly or via the website subscribe function and ask to be placed on a relevant mailing list for updates. It may also be collected by the Review team in the routine course of their work with relevant stakeholders, i.e. it is deemed appropriate a mailing list is created to canvass responses or feedback on documentation.

The information is used by the Cass Review team, its hosted bodies, or data processors acting on our behalf.

For GDPR purposes the lawful basis for processing is Article 6(1)(e) –

‘…exercise of official authority…’.

Leaving comments

When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.

An anonymized string created from your email address (also called a hash) may be provided to the Gravatar service to see if you are using it. The Gravatar service privacy policy is available here: https://automattic.com/privacy/. After approval of your comment, your profile picture is visible to the public in the context of your comment.

If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.


If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.

Who we share your data with

Under the Data Protection Act, we have a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

We do not pass on your details to any third party or government department.

How long we retain your data

If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.

For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.

What rights you have over your data

If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.

Where we send your data

Visitor comments may be checked through an automated spam detection service.


We want to make the site easy, useful and reliable, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. They cannot be used to identify you personally.

These pieces of information are used to improve services for you through, for example:

  • Enabling a service to recognise your device so you don’t have to give the same information several times during one task
  • Recognising that you may already have given a username and password so you don’t need to do it for every web page requested
  • Measuring how many people are using services, so they can be made easier to use and there’s enough capacity to ensure they are fast.

You can manage these small files yourself through your browser setting.

Please note that the cookie providers listed below may distribute the gathered cookie information with other third party websites for the purpose of activity tracking. You can find out more about the policy of each cookie provider on their respective privacy pages.

Current cookies

Please be aware that the providers listed below may change their cookie names without notice.

As an example, we use the following cookies on our website:

Cookie: Google Analytics
Example name: _utma, _utmb, _utmc, _utmz, GAPS, LSID, LSOSID, OTZ
Purpose:   These cookies are used to collect information about how visitors use our site, which we use to help improve it. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. More information about Google cookies.

Cookie: www.google.com (Google embedded search)
Example name: __utmx, __utmxx, APISID, HSID, NID, PREF, SAPISID, SID, SSID
Purpose: These cookies are used to collect information about how visitors use our site, which we use to help improve it. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited and what they have searched for. More information about Google cookies.

Embedded content from other websites

Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.

The suppliers of these services may also set cookies on your device when you visit the pages where we have used this type of content. These are known as ‘third-party’ cookies. Third party cookies are delivered on behalf of their respective organisations and as such they may change their name and purpose from the cookies identified below, this is beyond the control of the Cass Review.

Cookie: YouTube
Example name: PREF, VISITOR_INFO1_LIVE, use_hitbox
Purpose: To track visitor views, and to remember user preferences when viewing YouTube videos embedded in our website web pages.   More information about YouTube cookies.

Cookie: Twitter
Example name: guest_id, remember_checked, remember_checked_on, secure_sessions, twll
Purpose: To track visitor information and for security authentication. More information about Twitter cookies.

How to control and delete cookies

We will not use cookies to collect personally identifiable information about you.

However, if you wish to restrict or block the cookies which are set by our websites, or indeed any other website, you can do this through your browser settings. The ‘Help’ function within your browser should tell you how.

Alternatively, you may wish to visit www.aboutcookies.org which contains comprehensive information on how to do this on a wide variety of browsers. You will also find details on how to delete cookies from your machine as well as more general information about cookies.

Please be aware that restricting cookies may impact on the functionality of our website.

If you wish to view your cookie code, just click on a cookie to open it. You’ll see a short string of text and numbers. The numbers are your identification card, which can only be seen by the server that gave you the cookie.

For information on how to do this on the browser of your mobile phone you will need to refer to your handset manual.

To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.

Changes to our policy

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.


This site has security measures in place to protect the loss and alteration of information under our control.

Contact us

If you have any questions about these terms and conditions or the practices of this website, please email us at cass.review@nhs.net