How the CCG uses information - what you need to know
These pages explain your rights under the Data Protection Act 1998 and tell you how NHS South Norfolk Clinical Commissioning Group processes information about you in accordance with the Act.
Who are we?
NHS South Norfolk Clinical Commissioning Group (SNCCG) is a local membership organisation led by family doctors that is responsible for planning and paying for healthcare services. We do not provide healthcare like a GP Practice or hospital; our role is to make sure the appropriate NHS care is in place for the people of South Norfolk, within the budget we have. The CCG is responsible for buying (also known as ‘commissioning’) health services from healthcare providers such as hospitals, GP practices, dentists and pharmacists, and suppliers who offer non-standard services for the people of South Norfolk, as well as providing directly some health services directly such as Personal Health Budgets and Independent Funding Requests.
All GP practices in South Norfolk are members of the CCG and our role is to make sure that appropriate care is in place for the people of South Norfolk today and in the future.
As an NHS organisation, the CCG operates at a number of different levels in regards to processing of personal data.
For commissioning purposes and to help us to model and plan services to best meet your future needs, the CCG has to understand the health, social and general wellbeing issues that our population is facing today. The only way that we can achieve this is by using information that your GP, your clinician or your social worker enter into your care record as well as some information that is provided via external public sources. This information may exist on paper or in electronic format and the CCG ensures that these are kept safe and secure in an appropriate way.
In carrying out some of these roles we may collect information about you which helps us respond to your queries or secure specialist services. Our CCG receives some information about you and this document outlines:
- How that information is used
- Who we may share that information with
- How we keep your information secure (confidential)
- What your rights are in relation to the information the CCG uses about you
Why we collect Information about you
In carrying out our role and responsibilities as a commissioner of services for people working and living in the CCG, it is essential that the CCG have an understanding of the health and social care needs of our community so as to ensure that these are correctly identified and made available and effective.
We may keep your information in written form and/or in digital form. The records may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments.
How your Information is used –
Your records are used in many ways and in different environments to guide healthcare professionals in the care you receive:
(see also risk stratification)
Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development, monitor NHS performance, to help the NHS plan for the future.
The CCG does not currently complete risk stratification and will update this notice if this decision changes
Risk Stratification is a process that helps your family doctor (GP) help you manage your health. By using selected information such as age, gender, diagnoses and patterns of hospital attendance and admission collected by the HSCIC (NHS Digital) from NHS hospitals and community care services. This is linked to data collected in GP practices and analysed to produce a risk score. . A secure NHS computer system will look at recent treatments you have had in hospital or in the surgery and any existing health conditions that you have. This will help your doctor judge if you are likely to need more support and care from time to time. The team at the surgery will use this information to help you get early care and treatment where it is needed.
Risk stratification is used in the NHS to
If you have a complaint about the CCG or a service that we commission, we will use your information to communicate with you and to investigate any concern that you raise with the CCG in line with its complaint policy.
See our complaints section for more information.
Where the CCG is investigating a complaint then the information provided by the complainant (including personal details like for example name, address) may need to be shared as appropriate in order for the complaint to be investigated.
The CCG uses NHS NEL Commissioning Support Unit to administer the complaint process as per the information in our complaints section
Detection of Fraud
The Audit Commission conducts data matching exercises to assist in the prevention and detection of fraud. This is one of the ways in which the Audit Commission meets its responsibility of promoting economy, efficiency and effectiveness in the use of public money.
For further information on this please see the separate Audit Commission Fair Processing information on the gov.uk pages.
Data matching by the Audit Commission is subject to a Code of Practice. This may be found at www.audit-commission.gov.uk/national-fraud-initiative/code-of-data-matching-practice/
For further information on the Audit Commission's legal powers and the reasons why it matches particular information, see www.audit-commission.gov.uk/national-fraud-initiative/fair-processing-notice-full-text/. For further information on data matching at this authority please contact:
If you make an application for CHC funding the CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.
Personal Health Budgets
A Personal Health Budget is an amount of money to support the identified healthcare and wellbeing needs of an individual, which is planned and agreed between the individual, or their representative, and the CCG. To support this process, the CCG will process personal confidential data including sensitive data to evaluate, agree and monitor any personal health budgets
Handling individual funding requests (IFR) applications
If you make an Individual Funding Request (IFR) to fund specialist drugs or rare treatments, the CCG will use the information you provide and, where needed, request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.
The CCG will use both electronic and manual mechanisms to process personal confidential information relating to its employees and visitors to our sites and services. This is based on explicit consent provided by each employee at the time of joining and updated when any changes are made through internal communications.
The CCG hosts the Norfolk & Suffolk Primary & Community Care Research Office providing research design, management and delivery services for the local CCGs in Norfolk & Suffolk, as well as practices within the CCGs. If identifiable information is required for research either explicit consent or a section 251 approval needs to be obtained from the Heath Research Authority to view this information.
A Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available
Where care is provided that the CCG is responsible for, it will need to provide payment to the care provider. In most cases limited data such as the practice code is used to make such payments. In some instances where this is not possible a partial post code is used , n to confirm that you are registered at a GP Practice or live within the CCGs area and therefore correctly assigned to the correct CCG for payment. . This is done in line with the Who Pays Invoice Validation Guidance. And completed on the CCGs behalf by NHS NEL Commissioning Support Unit (CSU) as data processors for the CCG
The CSU completes this task using a section 251 exemption, A section 251 is where The Secretary of State for Health and Social Care has approved NHS England’s application for support to establish a temporary lawful basis for ‘necessary’ Personal Confidential Data to be used to validate invoices,
More information on Section 251s are available via the Health Research Authority
Advice and guidance will be provided to care providers to ensure that adult and children’s safeguarding matters are managed appropriately.
Access to identifiable information will be shared in some limited circumstances where it is legally required for the safety of the individuals concerned.
CCGs support local GP practices with prescribing queries that generally don’t require identifiable information.
Where specialist support is required for example to order a drug that comes in solid form in gas or liquid, the medicines management team will order this on behalf of a GP Practice to support your care.
The CCG will on occasion will use information to assess the effectiveness and appropriateness of its services such as ensuring that patient journeys have been conducted. You will be asked as part of this process for your agreement to be contacted
Using information for purposes other than direct healthcare
Your information may be used to help assess the needs of the general population and make informed decisions about the provision of future services. Information can also be used to conduct health research and development, monitor NHS performance, to help the NHS plan for the future and to investigate complaints in respect of the services we commission.
In addition, healthcare organisations, such as your GP Practice or the hospital that you visit, hold information about you in order to support the treatment that is provided. There are measures outlined in law which protect the information that is held by these organisations. These measures ensure that information is only shared appropriately and in line with your wishes.
Organisations will use this information to support you with any treatment or contact that you may have, which is known as for “direct care purposes”. It helps them provide the most appropriate care for you as an individual and they may share information with other health professionals to ensure that they can make informed decisions. Where this information is shared, your confidentiality and privacy will be protected. To make sure this takes place, there are clear rules in our own procedures as well as national legislation.
As well as this information supporting your care, reports are produced which contain information to help plan future healthcare services, which is termed as for non-direct care purposes. This information is used to identify areas where our services need to expand, to improve & to change, in order to support our population fully and also to support the flow of funding from one NHS organisation to another. There are clear processes in place to say how this information can be used and what safeguards must be in place to protect patients. The ways in which information should be made anonymous are governed by the Department of Health.
What kinds of information we use
NHS South Norfolk Clinical Commissioning Group can hold various different types of information and you may hear many different terms used the following are those that the CCG uses
- Identifiable information – containing details that identify individuals. We may use personal information about you such as your name and address or other times we use more sensitive information about your health.
The CCG only has access to identifiable information where a legal basis exists to hold that information. These are outlined in the How your information is used by the CCG section of this document.
- Person confidential data – information which on its own or with other information can identify you.
Personal Confidential Data - This is a term used in the Caldicott Information Governance Review and describes personal information about identified or identifiable individuals, which should be kept private or secret and includes dead as well as living people.
- Anonymised information – about individuals but with identifying details removed and so cannot be tracked back to you. Where unique identifiers such as your name and full address have been removed so the information is no longer ‘person identifiable ‘This information is used to plan health care services. Specifically, it is used to:
- Check the quality and efficiency of the health services that the CCG commissions
- Prepare performance reports on the services commissioned
- Work what illnesses people will have in the future, so the CCG can plan and prioritise services and ensure these meet the needs of patients in the future.
- Review the care being provided to make sure it is of the highest standard
- Pseudonymised data – where personal information about you is replaced with a code. Which allows the CCG to map your treatment through the health care system but only allows the provider / organisations providing treatment to identify you. This can also be shared with third parties who without the key would not be able to identify you. This is often used for example, when information is needed for research purposes.
- Aggregated information – anonymised information grouped together so that it cannot easily be put back together in order to identify individuals.
Where possible, we ensure your information is anonymised / aggregated or pseudonymised (especially when using information for purposes other than for direct patient care).
Organisations that share information with NHS South Norfolk Clinical Commissioning Group
In order for SNCCG to perform its commissioning functions, information is shared from various organisations, which include: general practice, acute and mental health hospitals, other CCGs, the North East London Commissioning Support Unit who process data on our behalf, community services, walk in centres, nursing homes, directly from service users and many others.
Information may also need to be shared for your benefit with other non-NHS organisations, from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with third parties, we will not disclose any health information without your explicit consent unless there are exceptional circumstances such as when the health and safety of others is at risk, where the law required it or to carry out a statutory function.
Where information sharing is required with third parties, we will always have a relevant data sharing agreement in place. We would not share any detailed health information without your explicit consent unless there are exceptional circumstances.
In those exceptional circumstances we do not require your explicit consent to share information. This would be in cases for example, notification of new births, a public interest issue, when the health and safety of others is at risk, fraud, protecting children and vulnerable adults from harm or where the law requires it (a formal court order has been served requiring us to do so).
In these cases, permission to share must be given by our Caldicott Guardian, who is the senior person in the CCG responsible for ensuring the protection of confidential patient and service user information. We are obliged to tell you that we have shared your information unless doing so would put you or others at risk of harm.
The law provides some NHS bodies, particularly the Health and Social Care Information Centre (NHS Digital), with permission to collect and use patient data to help commissioners to design and procure the combination of services that best suit the population that they serve. The patient data that is supplied is not in a form that will identify you.
What safeguards are in place
It is everyone’s legal right to expect that information held and used about you is safe and secure, and is only used for the agreed purpose(s).
The CCG only uses information that may identify you in accordance with the Data Protection Act 1998. This requires that we process personal data only if there is a legitimate basis for doing so and that any such processing is fair and lawful.
Confidentiality and security of information
Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access. Under the NHS Digital Code of Practice on confidential information , all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.
The CCG, working with our service provider, North East London Commissioning Services Unit (NELCSU), ensure that information is held in secure locations with restricted access to authorised persons only. We protect any personal information that is held on our systems with encryption so that it cannot be accessed by those who do not have access rights.
Your Rights & Access to your Information
The CCG is registered with the Information Commissioners Office (ICO) as a data controller to collect information (data) for a variety of purposes. A copy of the registration is available through the ICO website link to ICO register of data controllers (search by CCG name).
Retention and destruction of records
All records held by the CCG will be kept for the duration specified by National guidance for whichever speciality or area it was required from the Department of Health, and the Information Governance Alliance Records Management Code of Practice and in line with local CCG Information Governance Policies.
All and any data which has reached its maximum time to be kept specified in the guidance with be disposed of confidentially in line the CCG records management policy.and above IGA guidance.
The NHS Care Record Guarantee is a commitment that all NHS organisations (and other organisations which provide NHS-funded care) will use your records in ways that respect your rights and promote your health and wellbeing.
The NHS Constitution establishes the principles and values of the NHS in England. It provides a summary of your legal rights and contains pledges that the NHS is committed to achieve, including certain rights and pledges concerning your privacy and confidentiality.
Under the Data Protection Act 1998 you have the general right to see or be given a copy of personal data held about you. This right can be exercised via submission of a Subject Access Request (SAR) to NHS SNCCG.
The CCG does not directly provide healthcare services and as such does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal healthcare records you will need to apply to your GP Practice, the hospital or the NHS organisation which provided your healthcare.
Everyone has the right to see, or receive a copy of information held that can identify them, with some exceptions. You do not need to give a reason to see your information, but you may be charged a fee.
Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO): https://ico.org.uk/for-the-public/personal-information/
Any requests made will be jointly managed by both the CCG and NHS North East London Commissioning Support Unit staff unless you specifically state in your request that you do not wish this to happen. You do not need to give a reason.
If you want to access your records/ information you should make a written request to:
NHS NEL Commissioning Support Unit
We are able to charge a reasonable fee for the administration of the request; however these fees are set down in law as follows:
We may charge between £10 & up to £50 for complying with a SAR relating to health records if the information dependent on how if those records are held either wholly or partly in non-electronic form.
Further information on Subject Access Requests can be found via the Information Commissioners Office (ICO): https://ico.org.uk/for-the-public/personal-information/
Your right to opt-out of information sharing
The CCG will not publish any information that identifies you or routinely disclose any information about you without your express permission.
You have the right to consent / refuse / withdraw consent to information sharing at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision.
There are currently two types of opt-out that you can make. There are two choices available to you:
- You can object to information about you leaving a GP Practice in an identifiable form for purposes beyond your direct care, which means confidential information about you will not be shared with the CCG, the Health and Social Care Information Centre (NHS Digital) or other organisation for any non-direct care purpose. This is referred to as a 'type 1' objection.
- You can object to information about (from any health & social care setting) leaving the HSCIC in an identifiable form, for the purposes beyond your direct care. This is referred to as a 'type 2' objection.
Information from other places where you receive care, such as hospitals and community services is collected nationally by the Health and Social Care Information Centre. (NHS Digital)
If you do not want information that identifies you to be shared outside of your GP practice and/or with the HSCIC, please speak to a member of staff at your GP practice to ask how to “opt- out”.
The Practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or public health emergency.
In both cases, it is still necessary for the HSCIC to hold information about you in order to ensure data is managed in accordance with your expressed wishes. Please see Patient Objections Management on the HSCIC website for further information.
If you have questions about this, please speak to staff at your GP practice
Withdrawing your consent
We may be asked to share basic information about you, such as your name and address which does not include sensitive information. This would normally be to assist planning of services or assisting other provider organisations to carry out their statutory duties under the Data Protection Act. Your explicit consent is required if information about you is to be shared for purposes not directly related to your direct care. You have a right to inform us if you do not want information about you to be shared or used for this purpose.
If you have already given consent for your information to be shared, you have the right to change your mind and withdraw this consent at any time. The possible consequences will be fully explained to you, such as potential delays in receiving care where a CCG is required to make a funding decision.
If your wishes cannot be followed, you will be told the reasons (including the legal basis) for that decision.
There may be circumstances where we are required to share information about you owing to a legal obligation, such as for the benefit of public health in the event of a pandemic. Anyone who receives information from us is also under a legal duty to keep this information confidential.
Freedom of Information
The Freedom of Information Act 2000 means everyone has the right to ask public bodies for non-personal public information. The person asking has a right for this information within 20 working days.
There are some reasons information cannot be given, such as detail covered by data protection, that which is confidential or commercially sensitive.
To make a request for information under the Freedom of Information Act,
Email: nelcsu.foi [at] nhs.net
- Write to: NHS South Norfolk CCG, Lakeside 400, Old Chapel Way, Broadland Business Park, Norwich, NR7 0WG
A log of FOI requests and the CCG's responses are available on the Disclosure Log page.
The CCG has published a guide to the information it routinely publishes - NHS South Norfolk CCG Publication Scheme
Complaints / Appeals
In the event that you believe the NHS SNCCG has not complied with the Data Protection Act, either in responding to a Subject Access Request or in the way we have processed your personal information, you have the right to make a complaint by contacting the Head of Governance at:
NHS NEL Commissioning Support Unit
Telephone: 01603 595857
E-mail: nelcsu.angliacomplaints [at] nhs.net
If you wish to raise a complaint or make an appeal to an independent body, you may do so by contacting the Information Commissioner's Office in writing to the following address:
Information Commissioners Office
Enquiry Line: 01625 545700
Key Roles in the CCG
The CCG have a number of key roles which support the protection of your data:
Caldicott Guardian - The CCGs Caldicott Guardian is Dr Tony Palframan, GP Governing Body Member who is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. The Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information. The Caldicott Guardian can be contacted by calling 01063 257182 or using the contact us section of the website
Senior Information Risk Owner (SIRO) – A SIRO is a CCG Executive Director or member of the Senior Management Board of an organisation with overall responsibility for an organisation's information risk policy. The SIRO is accountable and responsible for information risk across the organisation. The SIRO ensures that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately. The SIRO can be contacted by calling 01063 257182 or using the contact us section of the website
If you would like to know more about how SNCCG uses your information please use the
Contact Us section of our website.
Further information can also be obtained from any of the following links:
- Data Protection Act 1998
Care Record Guarantee; and
NHS Confidentiality Code of Practice
- HSCIC (NHS Digital) Guide to confidentiality in health and social care
- Information Commissioners Office
- Health Research Authority
- NHS England
- NHS Constitution