This privacy notice tells you about information we obtain, hold and use about you.
It describes what we do with it, how we will look after it and who we share it with. It covers information we collect directly from you as well as information we may get from other individuals or organisations.
This notice does not provide exhaustive detail. However, we keep and maintain accurate and detailed records about how your information is used. We can provide further detail and explanation outside of this information should it be requested and without charge. Contact details for us can be found at the end of this page.
Any requests for further information should be sent to the contact address at the bottom of this page.
- Who we are
- The sorts of information we use
- Information we collect
- Reasons we might need to use personal information
- Finance/validating invoices
- Risk stratification and proactive care management
- Commissioning Purposes
- Patient Experience: Complaints, Concerns or Enquiries made to us
- The legal basis for data flows.
- Section 251 of the NHS Act 2006
- How long we hold information for and our destruction arrangements
- Sharing your information with other organisations or individuals (third parties)
- Other organisations that provide services for us
- Protecting your privacy
- Your rights
- Subject access requests and requests to correct errors
- Opting Out
- Staff Related Information
- Further Information
- Our contact details
Who we are
The Greater Nottingham Clinical Commissioning Partnership (Greater Nottingham CCP) and the Mid Nottinghamshire Clinical Commissioning Groups (Mid Nottinghamshire CCGs) are responsible for ensuring there is effective planning, buying and monitoring of services from healthcare providers such as hospitals and GP practices in place. This means making sure that the NHS services that people need in the Nottinghamshire area are available as well as making sure that those services are high quality and value for money. This is known as “commissioning”.
We need to use information about you to enable us to do this effectively, efficiently and safely. As Data Controllers, we are responsible for how your information is used and explaining that to you. The Greater Nottingham CCP and the Mid Nottinghamshire CCGs share responsibility for commissioning services across the County and these are referred to as the lead commissioner.
The NHS Greater Nottingham Clinical Commissioning Partnership is formed from NHS Nottingham City CCG, NHS Nottingham West CCG, NHS Rushcliffe CCG and NHS Nottingham North & East CCG.
The Mid Nottinghamshire Clinical Commissioning Groups are formed from NHS Mansfield & Ashfield CCG and NHS Newark & Sherwood CCG.
For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the NHS. We use six types of information/data:
- Anonymised data, which is data about you but from which you cannot be personally identified;
- De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified;
- De-identified data with a weak pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times when you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you;
- Anonymised information (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment.
- Personal data from which you can be personally identified
- Special category (sensitive) information/data about you from which you can be identified.
Personal data and personal sensitive data are only used where it is lawfully and absolutely necessary.
Information we collect
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose which will mean you would not be able to be identified from that information. Examples of this include:
- Evaluation and review of services such as checking their quality and efficiency.
- Checking NHS accounts and services.
- Working out what illnesses people will have in the future so that we can work with the local primary care services such as GPs, community services and hospital services to make sure that patient needs are met.
- Preparing performance reports about the services we commission
- Reviewing the care we commission to make sure it is of the highest standard.
We will only use information that may identify you (known also as personal, confidential data) in accordance with Data Protection law. Under Data Protection law we are required to have a legal basis if we wish to process any personal information.
Reasons we might need to use personal information
The areas where we use personal information are:
- Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS.
- Continuing Healthcare Assessments (a package of care for those with complex medical needs).
- Responding to your queries, concerns or complaints.
- Incident investigations.
- Assessment and evaluation of safeguarding concerns for individuals.
- If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations.
- Staff personal confidential information for employment purposes (see below for further information about staff personal information use).
We keep your information in written form and / or on a computer securely and confidentially.
The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation.
To ensure that the NHS continues to run lawfully and efficiently, the Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information without explicit consent, but only when it is necessary for the work listed above. We have to meet strict conditions that are set out in section 251 of the NHS Act 2006, and approval is given based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.
Finance/ validating invoices
Invoice validation is an important process in ensuring that patient care is paid for correctly. It involves using a patient’s NHS number to check which CCG is responsible for paying for their treatment. We can also use an NHS number to check that care has been funded through specialist commissioning, which NHS England pays for.
The process makes sure that the organisations providing care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment within the CCG. The use of personal data by CCGs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and it is anticipated this will be in place until at least end of September 2018. This approval provides the legal basis for the CCGs to process personal data for invoice validation purposes.
Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as type 2 diabetes. This is called risk stratification for case-finding.
The CCGs use risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCGs do not have access to person identifiable data. The information is pseudonymised.
Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning datasets. The CCG obtains these datasets from NHS Digital which relate to patients registered with our GP practices. This enables us to plan, design, purchase and pay for the best possible care available for you.
The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
We also receive similar information from the GP Practices within our CCG membership that also does not identify you.
We use these datasets (Secondary User Service (SUS) Service Level Agreement Monitoring (SLAM)) for a number of purposes such as:
- Performance managing contracts;
- Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
- To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
- To help us plan future services to ensure they continue to meet our local population needs;
- To reconcile claims for payments for services received in your GP Practice;
- To audit NHS accounts and services.
Patient Experience: complaints, concerns or enquiries made to us
When we receive a complaint, concern or enquiry from a person, we make up a file containing the details of the complaint, concern or enquiry. This normally contains the identity of the person and any other individuals involved in the complaint; it may also include the person’s relevant medical records.
We will only use the personal information we collect to process a concern or enquiry, or complaint in line with the NHS complaints regulations. We are required to disclose the person’s identity to the service that the complaint, concern or enquiry is about in order to carry out the complaint, concern or enquiry process. If a person making an enquiry or raising a concern does not want their identifying information to be disclosed, we will respect that but that may mean that the concern or enquiry is not able to be resolved fully. It is not possible to handle a complaint on an anonymous basis.
We may pass on anonymised information from the complaint, enquiry or concern to our commissioners so that they can reflect on the experience of the person using the service, and where possible and appropriate use that information to improve the services we commission.
We will keep personal information securely in uniquely referenced concern, enquiry and complaint files in line with our retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
The legal basis for data flows
The CCGs process personal data under a variety of legal bases depending on the data being processed and the purposes for which it is processed.
For each instance a legal basis is identified and recorded. The legal bases most commonly used are:
Condition for processing personal data (from Article 6(1))
the data subject has given consent to the processing of their personal data for one or more specific purposes;
This option may be used for example when we keep individuals up to date with general news and events in the CCGs.
For other uses of personal data it is usually a very last resort. Consent must meet criteria of being freely given, specific, informed and unambiguous indication with affirmative action (in agreement).
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
A less commonly used condition for our purposes for processing personal data.
Required where a contract with an individual is or will be put in place.
processing is necessary for compliance with a legal obligation to which the controller is subject;
Applies where there is another legal requirement. It may be a court order or a duty under another law.
processing is necessary in order to protect the vital interests of the data subject;
Where the matter concerns an instance of life or death.
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
The most likely condition to be used by the CCGs for processing of personal data.
Condition for processing special category (sensitive) personal data (from Article 9(2))
Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law.
Used in limited instances (as above).
Explicit consent must meet criteria specified under data protection law.
Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement
We would use this condition for processing personal data about staff for employment purposes
Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent.
Used where the matter concerns an instance of life or death and an individual affected is not able to make a decision themselves.
Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.
Used in instances of legal matters.
Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures.
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
Most commonly applied condition for CCGs processing personal data for the management of health or social care systems.
Necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
Used for public health purposes.
(Section 251 of the NHS Act 2006)
The Secretary of State for Health gives limited permission for CCGs (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.
This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.
This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses.
Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available.
More information about Section 251 is available from the Health Research Authority web site.
How long we hold information for and our destruction arrangements
All records held by the CCGs will be kept for the duration specified by national guidance from NHS Digital (Information Governance Alliance), found in the Records Management Code of Practice for Health and Social Care 2016.
In all circumstances data will be retained in accordance with data protection requirements and ‘kept for no longer than is absolutely necessary’.
Once data is no longer required it will be destroyed securely:
- Paper records will be destroyed in line with international standards. Where external confidential waste suppliers are used these will be under contract and assurance that destruction meets the necessary legal requirements and standards.
- For digital media, permanent destruction will be achieved by overwriting the media a sufficient number of times or physical destruction of media by breaking it up into small pieces.
Sharing your information with other organisations or individuals (third parties)
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We would not share information that identifies you unless:
- You have given us permission
- This is anonymised and therefore non-personal data
- We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
- It is necessary to protect children and vulnerable adults from harm
- A formal court order has been served upon us; and/or
- For the health and safety of others, for example to report an infectious disease like meningitis or measles.
Other organisations that provide services for us
We have entered into contracts with other NHS organisations to provide other services for us. These include holding and processing data including patient information on our behalf in provision of Information Technology (IT) services or providing human resources services for our staff. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained, that procedures are in place to keep information secure and protect privacy.
The CCGs also have services that support this function provided by a Joint Data Management Team (hosted by NHS Rushcliffe CCG). These services are also subject to the same legal rules and conditions for keeping personal information confidential and secure. Where possible a pseudonymisation technique (whereby identifiable information is replaced with an alias) is used so that other NHS staff processing data on our behalf do not have access to information such as the NHS number and data cannot be tracked back to individuals.
We will not otherwise share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the General Data Protection Regulation.
Protecting your privacy
We are committed to protecting your privacy and will only process personal information in accordance with the General Data Protection Regulation, the Data Protection Act 2018, the Human Rights Act 1998 and the Common Law Duty of Confidence.
The CCGs are Data Controllers under the terms of data protection law and are individually legally responsible for ensuring that all personal information that is processed i.e. held, obtained, recorded, used or shared about individuals is done in compliance with the six Data Protection Principles. All data controllers must notify the Information Commissioner’s Office of all personal information processing activities. Our registration details can be found on the public register of Data Controllers: Information Commissioner’s Public Register of Data Controllers.
All information that we hold about individuals will be held securely and confidentially. We use administrative and technical controls to do this. All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. We will only use the minimum and proportionate amount of personal information necessary. Where possible we will use information that does not directly identify individuals, but when it becomes necessary for us to know or use personal information about a person, we will only do this when we have either a legal basis or have that person’s consent. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies individuals, where it is appropriate to their role, and is strictly on a need-to-know basis.
The CCGs have a Caldicott Guardian (see “Contact us”, below) who is the person responsible for protecting the confidentiality of patient information and enabling appropriate and lawful information sharing.
You have certain legal rights, including:
- to have your information processed fairly and lawfully
- to request access to any personal information we hold about you
- the right to privacy, and to expect the NHS to keep your information confidential and secure
- to request that your confidential information is not used beyond your own care and treatment and to have your objections considered
- to request that any inaccurate data that we hold about you is corrected
- in some circumstances to have data erased.
- to object to automated decision making and profiling. Currently the CCGs do not use automated individual decision-making (making a decision solely by automated means without any human involvement).
These are commitments set out in the NHS Constitution. For further information please visit: https://www.gov.uk/government/publications/the-nhs-constitution-for-england
Subject access requests and requests to correct errors
Individuals can access personal information about them by making a ‘subject access request’ under the EU General Data Protection Regulation. If we do hold information about you we will:
- confirm this to you;
- give you a copy in a format that is easy to understand;
- provide the information within one month, or contact you if that is not going to be possible;
- not charge you a fee, unless there are extenuating circumstances.
To make a request for any personal information we may hold you need to put the request in writing to the address provided below (see contact details at the end of this page).
If we do hold information about you and you consider it to be inaccurate, you can ask us to correct any mistakes by, once again, contacting us at the address below.
We will only retain personal confidential information for as long as necessary. Records are maintained in line with the IGA Records Management Code of Practice which offers guidance on the minimum length of time records should be retained.
If you do not wish us to share or process your information for purposes beyond your direct care, or have any concerns, then please let us know. We may need to explain the possible impact this could have on our ability to help you, and discuss the alternative arrangements that are available to you. There are two types of objection that can be applied to your information:
Type 1 opt-out
If you do not want personal confidential data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. Patients are only able to register the opt-out at their GP practice.
National Data Opt-Out: information held by NHS Digital
Previously you could tell your GP surgery if you did not want NHS Digital to share confidential patient information that it collects from across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.
From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-Out.
Further information on the National Data Opt-Out can be found here at: https://digital.nhs.uk/national-data-opt-out
Objections will be respected, except in very limited circumstances such as:
- You have given explicit permission for a particular use of data (e.g. a research project)
- Data is anonymised and therefore non-personal data
- We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime
- It is necessary to protect children and vulnerable adults from harm
- A formal court order has been served upon us
- For the health and safety of others, for example to report an infectious disease like meningitis or measles.
You have the right to refuse/ withdraw consent to information sharing at any time. The possible consequences will be fully explained to you and could include delays in receiving care or omission from health screening programmes. If you wish to discuss withdrawing consent please contact us (see Contact us, below), or speak to your GP.
Staff Related Information
Job Applications, Current and Former Employees
When individuals apply to work at Greater Nottingham Clinical Commissioning Partnership or the Mid Nottinghamshire CCGs, we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference we will not do so without informing them beforehand unless the disclosure is required by law.
Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.
Once a person has taken up employment with us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with Greater Nottingham Clinical Commissioning Partnership or Mid Nottinghamshire CCGs has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.
In order to comply with our obligations as an employer we will need to share your personal information with other organisations for the purpose of managing your employment. These are:
- NHS Arden & GEM CSU
- COPE (Consultants in Occupational Health, Physiotherapy and Ergonomics) - Greater Nottingham CCP staff information only.
- Sugarman Health and Wellbeing – Mid Nottinghamshire CCGs’ staff information only.
- NHS Shared Business Services
As part of the alignment the information will be shared across the 6 Nottinghamshire CCGs’ HR functions.
The links below give more information about your rights and the ways that the NHS uses personal information:
- NHS Care Record Guarantee
- NHS Constitution
- Confidentiality: The NHS Code of Practice
- Health Research Authority’s Confidentiality and Advisory Group
- An independent review named Information: To share or not to share? The Information Governance Review was conducted in 2012.
- Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides more information about the data used to support commissioning
- NHS England advice for CCGs and GPs on information governance and risk stratification
- NHS Digital
- The Information Commissioner (the Regulator for Data Protection Legislation, who can offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information)
Our Contact Details
If you have any questions or concerns regarding how we use your information or wish to submit a Subject Access Request for access to personal information, please contact us at:
NHS Greater Nottingham CCP & NHS Mid Nottinghamshire CCGs
Rm 3.05 1 Standard Court
Telephone: 0115 883 9508
The contact details for the Greater Nottingham CCP & Mid Nottinghamshire CCGs’ Caldicott Guardian, who is the most senior person in the organisation responsible for patient confidentiality, are:
Elaine Moss, Chief Nurse & Director of Quality: firstname.lastname@example.org
Data Protection Officer
NHS Greater Nottingham CCP & Mid Nottinghamshire CCGs
1 Standard Court
Telephone: 0115 883 9508
Data Protection Regulator
If you have any concerns about the processing of your information you may also contact the Data Protection Regulator:
This privacy notice was reviewed in May 2019.