Data protection

About this notice

The purpose of this notice is to tell you what information we (Birmingham and Solihull Clinical Commissioning Group) collect and hold about you, what we do with it, how we will look after it and who we may share it with. We also explain your rights in respect of your information and the choices you can make about the way your information is used and how you can opt out of any sharing arrangements that may be in place.

The notice covers information we collect directly from you, or collect indirectly from other people or organisations for people who are registered with a Birmingham and Solihull CCG practice.

This information is not exhaustive. We are happy to provide any additional information or explanation needed.  Please see the section entitled Birmingham and Solihull CCG contacts below.

Letting you know when things change

We check these details regularly to make sure that they are up to date and tell you how we are using your information. The last time these details were checked was March 2018.

Who we are and what we do

Birmingham and Solihull CCG is responsible for designing, securing, planning, buying, monitoring and improving the quality of healthcare for people who are registered with one of over 200 Birmingham and Solihull CCG practices. This is known as commissioning.

The services we commission include: planned and emergency hospital care, mental health services, rehabilitation and most community services, but we don’t provide care directly. We are also responsible for monitoring the performance of the non-care services we provide directly, and those which we have paid for, which includes responding to any concerns raised by our patients. 

The CCG was established on 1 April 2018 following the merger of Birmingham CrossCity, Birmingham South Central and Solihull CCGs and is clinically led by doctors, nurses and other professionals.  The work of the CCG is overseen by NHS England.

The CCG has a legal duty to ensure that it makes arrangements for the provision of high quality, safe, effective and efficient healthcare for people who are registered with one of its member practices where this is not purchased centrally by NHS England. The CCG also has a duty to ensure that patients have equal access to services and are able to achieve the same outcomes, regardless of differences in their personal situation. The CCG has a duty to involve patients, their relatives and carers in any decisions about the prevention and diagnosis of illness and their care and treatment and, wherever possible, enable patients to make choices about the healthcare provided to them. Further information on the duties and powers of the CCG can be found by reading Duties and Powers of Clinical Commissioning Groups.

Birmingham and Solihull CCG contacts

Although all NHS staff have a legal duty to keep your personal information confidential, the CCG has identified specific people who are responsible for making sure that your information is handled properly and your rights and wishes are respected. If you have any concerns or queries about how we collect, use and share your information, you can contact the people below:

Caldicott Guardian

A Caldicott Guardian is responsible for making sure that your information is handled properly in line with your rights and the law. Birmingham and Solihull CCG’s Caldicott Guardian is:

  • Dr Richard Mendelsohn, Birmingham and Solihull CCG, Bartholomew House, 142 Hagley Road, Birmingham, B16 9PA. Call 0121 255 0700.

The details below apply to all information about you, held by the CCG, whether you are a patient, service user, or member of the public.

Senior Information Risk Officer (SIRO)

A Senior Information Risk Officer (known as a SIRO) is responsible for ensuring that your information is handled securely. Birmingham and Solihull CCG’s SIRO is:

  • Phil Johns, Birmingham and Solihull CCG, Bartholomew House, 142 Hagley Road, Birmingham, B16 9PA. Call 0121 255 0700.

Data Protection Officer

We have a Data Protection Officer (known as a DPO) who is a Data Protection and Information and Cyber Security expert, reporting directly to the highest level of management within the CCG.

The DPO acts independently and is responsible for informing and advising the CCG and our staff of their obligations under the existing and forthcoming Data Protection related law. The DPO is also responsible for awareness-raising, staff training, the provision of advice and monitoring the CCG’s compliance with all European and UK data protection law and the CCG’s data protection related policies. Birmingham and Solihull CCG’s DPO is:

  • Paul Sherriff, Birmingham and Solihull CCG, Bartholomew House, 142 Hagley Road, Birmingham, B16 9PA. Call 0121 255 0700.

Information Governance team

The Information Governance team is responsible for supporting the Caldicott Guardian, Senior Information Risk Officer and the Data Protection Officer in ensuring that your personal information is collected, used and shared appropriately, securely and in line with the law.

  • Information Governance, Birmingham and Solihull CCG, Bartholomew House, 142 Hagley Road, Birmingham, B16 9PA. Call 0121 255 0860.

Complaints

The Complaints team is responsible for handling any complaints or concerns you may have about the handling of your information.

  • Complaints, Birmingham and Solihull CCG, Bartholomew House, 142 Hagley Road, Birmingham, B16 9PA. Call 0121 255 0848.

How we use your information

So that we can commission services for you and ensure that they are safe, efficient, effective and of good quality, we need to use certain information about you.

We make sure that any information we collect and use about you is protected and used in line with our duties under the Human Rights Act 1998, the Common Law Duty of Confidentiality and the Data Protection Act 1998.

From 25 May 2018 onwards the Data Protection Act 1998 will be replaced with the Data Protection Act 2018 and the General Data Protection Regulations.

The CCG uses different types of data/information which are:

  • Personal confidential data/identifiable – containing details that tell us who you are
  • Pseudonymised data/information – data which is about you, but does not tell us who you are because any identifiers will have been replaced with something which would not identify you
  • Anonymised data – all data or information which could identify who you are will have been removed
  • Aggregated data / information – data or information is grouped together so that it does not identify any person.

Birmingham and Solihull CCG is registered as a Controller with the Information Commissioner’s Office. A Controller is an organisation which is responsible for deciding how your information is handled and making sure that your information is protected and used appropriately. The Information Commissioner’s Office is the organisation which makes sure that your information is handled properly.

Our Data Protection Registration Number is ZA318600. You can view our Data Protection Registration by searching here.

How we make sure that your information is protected

Keeping your information safe and secure

We do a number of things to make sure that your information is safe. This includes controlling access to our building and making sure that the people we employ are honest and trustworthy and understand how they should handle your information safely.

We ensure that all laptops are encrypted, which means that any information held on them is scrambled so that someone who does not have the key cannot gain access to it.

We make sure that the computer systems we use are secure and protected against people who should not have access to your information being able to see it.

Monitoring

We also carry out regular checks to make sure that the protection we have put in place is working properly and that your information is safe and secure.

External organisations

We also make sure that any organisations who provide services to us, or who we work with are honest and trustworthy and have the same sort of protection in place as we do, including making sure that the people they employ are fully trained and that checks have been made to make sure that they are trustworthy and honest before they are employed.

Sharing information with external health and social care organisations

The Health and Social Care Act (2012) requires health and social care organisations to work collaboratively to ensure you receive the best possible service from different organisations. To achieve this, we need to ensure that relevant information is shared securely and in a timely manner between different health and social care organisations that provide you with care.

Information Sharing Agreements and contracts will be in place ensuring these arrangements meet the requirements of the Health and Social Care Act 2012, the Data Protection Act 1998 (and the General Data Protection Regulations (from 25 May 2018) and the Data Protection Act 2018 (when it is given Royal Assent on 1 April 2018)), the Common Law Duty of Confidence and the Human Rights Act 1998 so that your confidentiality, data protection and human rights are not breached.

Whenever we make a new arrangement to share information externally, we will undertake a Privacy Impact Assessment (PIA), to ensure that a legal basis has been identified for sharing the information; the PIA will highlight any risks attached to the sharing of your information.

Sharing information with external third party suppliers

We will also, in the course of our business, engage with third party suppliers to process information on our behalf. The CCG will work with partner organisations to ensure that appropriate Data Processing and contracts are in place, setting out the security standards and legal obligations required to be met to protect your information. Only the minimum necessary information for the purpose will be shared, and only where pseudonymised/anonymised data cannot be used. Further details of the information we collect and use and the external organisations we work with can be found in the section entitled “Why we collect and use information” below.

NHS staff duties

Everyone working for the NHS is required to comply with the Data Protection Act 1998, the Human Rights Act 1998 and the Common Law Duty of Confidence.

Information provided to us in confidence will only be used for the purposes stated and where you have given your consent, unless there are other circumstances covered by the law.

Under the Data Protection Act 1998, all of our staff have to protect your information, inform you of how your information will be used, and let you decide if and how your information can be shared. Any decisions you make about how we can use information we hold about you will be recorded along with that information.

Securely destroying your information when it is no longer needed

We only keep your information for as long as we need it to provide the service or comply with a legal obligation. When we no longer need to keep your information, we will securely destroy it.

If we have your information on paper, it will be stored in locked confidential waste bins. The confidential waste is then collected and securely shredded on site by a commercial company. Once your information is shredded, we receive a certificate to confirm that your information has been securely destroyed.

If we have your information on a computer system, all copies will be deleted. Before any electronic storage devices are disposed of by Midlands and Lancashire Commissioning Support Unit, who are our Information Technology services supplier, they will either physically destroy the device, so that information cannot be retrieved from it, or they will overwrite the information held on the device multiple times, which results in the deleted information being completely removed from the device.

Information we may share

Sharing with other NHS organisations

We may share your information with other NHS services who are involved in your direct care (for example when you see a nurse or a doctor). This might include hospital and community trusts, GPs, ambulance services and other clinical commissioning groups, where joint commissioning takes place.

We may also need to share your information with other organisations who buy services for you so that we can, for example, manage a complaint or investigation.

We also buy services from other organisations, for example data analysis and information technology services. In these cases, we ensure that these organisations handle your information under strict conditions in line with the law.

Sharing with non-NHS organisations

For your benefit, we may also need to share information we hold about you with other non-NHS organisations that are providing care to you, such as external organisations providing healthcare services to the NHS. We may also share your information, subject to strict agreements, with social services, education services, local authorities and voluntary sector providers. We will not share your information with anyone else without your specific consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk, or where the law requires.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always ask for your agreement prior to any information being shared. If you choose not to agree to this when asked, we will record your decision to ensure that we do not share your information with that organisation in future.

If information is shared, we will only share the minimum amount of information necessary for them to provide the service or comply with their legal duty. We also ensure that an agreement is put in place which tells them what they can and can’t do with your information and how they must protect it.

Further information about what information we may share is provided in the individual sections under the section entitled “Why we collect and use information” below.

How long we keep your information

We only keep your information for as long as is necessary for the purpose for which we collected it. This will vary, depending upon the reason we have collected the information from you. We have provided information about the length of time we keep your information in each of the sub-sections under “Why we collect and use information” below, which is in line with the NHS Records Management Code of Practice for Health and Social Care 2016.

I have given consent for you to use my information and have changed my mind

If you have previously told us that we can use your information and you have now changed your mind, you can tell us using the Information Governance team contact details above. We will discuss this with you, to make sure that you understand how this will affect you.

What to do if you are unhappy with the way we use your information

If you are concerned, or not happy with the way we have collected or used your information, you can contact the Data Protection Officer, or the Information Governance Team using the contact details above.

You can also raise a complaint with our Complaints team.

You can also tell the organisation which is responsible for making sure that your information is handled properly:

Requesting access to your information

You are entitled to ask for a copy of the information we hold about you, or you can ask someone else to ask for a copy on your behalf. This is known as a Subject Access Request.

A parent, guardian, a personal representative or someone appointed by the court can also request a copy.

Please note: The CCG does not directly provide healthcare services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal healthcare records, you will need to apply to your GP practice, the hospital or NHS organisation which provided your care.

How to request a copy of your records

If you want to obtain a copy of any records we hold about you, you will need to make a written request, providing enough information to help us find the records you are asking for. If you want to request certain parts of your record, for example, records relating to a specific period of time, please tell us when you request your records.

To make sure that we don’t give your information to someone else, we will also need you to provide us with proof of your identity which needs to be either:

  • Two forms of photo ID (for example a current passport and photo driving licence) and one official document confirming your current address (for example a utility bill (not a mobile phone bill) or a letter from HMRC or DWP, which must be dated within the last six months, or a council tax bill or mortgage statement, which must be dated within the last 12 months), or;
  • One form of photo ID (see examples above) and two official documents confirming your current address (see examples above).

Please contact us by calling 0121 255 0718 for a full list of acceptable identification.

As you will be sending your original identification documents to us, along with your request, we would advise that you send them to us using Royal Mail Special Delivery, as this provides better protection when sending identification documents, than the normal mail service. Once we have confirmed your identity, we will return the documents to you using Royal Mail Special Delivery, which will require your signature.

Please send requests to the Information Governance team using the postal address, or email contact details above.

If you are unable to put your request in writing, please call 0121 255 0718, so that we can make alternative arrangements for you.

For further information on the process we follow, please see our Standard Operating Procedure for the Management of Subject Access Requests.

How much does it cost?

Currently the amount we are able to charge under the Data Protection Act 1998 will be between £10 and £50, depending upon whether your records are held in wholly electronic form, or whether they are held in paper form, or a combination of both paper and electronic form. Charges made will include the cost of postage, packaging and printing.

Following 25 May 2018, there will be no charge for access to your records, unless the request is repeated or manifestly unfounded, in which case we can charge a reasonable fee to cover the costs of providing the information request, or alternatively refuse the request.

How long will it take?

The law gives us 40 calendar days to provide you with the information you have requested, but we will provide you with the information you have requested within 21 calendar days unless the amount of information is particularly large, or the request is complex, in which case we may need to extend the response time to a maximum of 40 calendar days.

If we do need to extend the response time beyond 21 calendar days, we will contact you to let you know. The response time is counted from the date we receive enough information to help us identify the records you have requested, proof of your identity and payment of the fee.

Following 25 May 2018, we must provide you with the information you have requested within one month, unless it is complex, or if there are a large number of requests, in which case, we are able to extend the time we have to respond up to a period of a further two months. If this is the case, we will tell you within one month of receiving your request, telling you why the extension is necessary.

Withholding information about you

We will not give you parts of your information which we believe could cause you, or someone else, serious physical or mental harm. We will not provide you with parts of your information which relate to someone else, unless they are a healthcare professional who has provided care to you.

Correcting inaccurate information

We have to ensure that your information is correct and up-to-date. It is important that you tell us about any changes, for example if you move house, or change your telephone number.

If you believe that any information we hold about you is wrong, it is not complete, or is out of date, please contact us. If we agree that the information is wrong or not complete, we will put it right. If we do not agree that the information is wrong, we will make a note on your record that you believe that the information is wrong, not complete, or is out of date.

Further information

If you have any queries, or want to know more about the way we use your personal information, or if you don’t want us to use your information in any of the ways listed below, please contact us using the details for the Information Governance team.

The types of information we can collect and use

Information which tells us who you are

We can only collect, use and share information which tells us who you are, such as your name, date of birth, address (known as personal data) and information about your healthcare, your gender, your religion for example (known as sensitive personal data), if:

  • It relates to one of our duties or powers and;
  • We have specific consent from you, or;
  • The law tells us that we can or;
  • We are concerned about someone’s safety, or;
  • To prevent or detect serious crime, or;
  • It is in your best interests, or;
  • We have permission from the Secretary of State for Health to use your confidential healthcare information when it is necessary for our work, or;
  • We need to use it to make sure that we have plans in place to deal with emergencies when the health and safety of people are at risk.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.

Information which does not tell us who you are

We can also receive information where it does not tell us who you are (known as anonymised information), or where your personal details have been changed to an alias, so that we don’t know who you are (known as pseudonymised information).

Some information we use is linked (using the alias) with other information about you.  This means that we can make sure that any new services which we are testing are resulting in improved care for you across all areas of your healthcare.

Sometimes we use information about many people, which is grouped into categories and only shows total numbers, or total financial figures (this is known as aggregated information). Before we receive this information, steps are taken to make sure that we can’t tell who you are from it, for example by grouping everyone’s information into age bands, rather than showing specific ages and grouping everyone’s information into broad postcode areas, for example everyone in postcode area B90, rather than showing specific postcodes.

We can use information which does not tell us who you are, to enable us to plan and improve services, and check that hospitals and other healthcare providers we buy your care from are providing the care we have paid for.

Primary care and secondary care information

There are two types of information which are collected and used to provide you with healthcare. The first is primary care information; this is information which is collected and used when you visit your GP, pharmacy, dentist and optician for example. The second is secondary care information; this is information which is collected when you go to hospital for an outpatient appointment, x-rays or other tests, when you are admitted to hospital, if you go into a rehabilitation unit, or if you are admitted as an emergency to hospital for example.

We do not normally have access to primary or secondary care information which identifies you. We may need to see this type of information in a way which tells us who you are for one of the following reasons:

  • If you, your GP or consultant make requests for treatments not normally funded by the NHS (known as Individual Funding Requests)
  • If you, someone who represents you, or your consultant makes a request for an assessment of suitability for packages of care for people with complex medical needs (known as Continuing Healthcare)
  • So that we can check that healthcare providers are paid correctly for the care and treatment they have provided to you
  • If you make a request to access information about yourself.

How we store your information

We keep your information as paper records, or on a computer system.

Why we collect and use information

We collect and use information for the reasons listed below. You can find out more in the sections below:

  • If you visit our website
  • If you, your GP or consultant make requests for treatments not normally funded by the NHS (known as Individual Funding Requests)
  • If you, someone who acts for you, or your consultant makes a request for an assessment of suitability for packages of care for people with complex medical needs (known as Continuing Healthcare)
  • To tell you about changes to your GP practice
  • If you want to raise a query or concern, or if you want to make a complaint
  • If we have received concerns about the safety of you or someone else, known as safeguarding
  • If we need to investigate a serious incident
  • So that we can check that healthcare providers are paid correctly for the care and treatment they have provided to you
  • To help us identify high risk groups of patients, for example, patients who may have falls and have to be admitted to hospital as an emergency. This will enable their doctors and other people caring for them to take action to prevent this happening. This is known as risk stratification.
  • To help us make sure that the healthcare services we buy are of good quality and are safe
  • To enable research to be carried out
  • To enable clinical audit to be carried out
  • If you make a request to access information about yourself, about a deceased patient, or about how our organisation is run, how much money it spends, or the decisions we make.

If you visit our website

The first time you visit our website, you will be asked if you want to accept cookies. A cookie is a small text file which contains the name of our website. You can choose whether you want to accept cookies or not. If you have chosen to accept cookies, the small text file will be saved to your PC. The next time you view our website, your PC will check the cookie to see if you have been to our website before. If you have, your PC sends the information from the cookie back to our site. The site will then know that you have visited it before and may change what you see on the screen, based on things you have looked at before.

When you visit our website, we collect information about how you use the site, including which parts of the site you visit. We are not able to tell who you are from this information, but it helps us to improve the site. We use a service called Google Analytics to help us do this. We will not, and we will not allow Google to, try to find out who visits our website from the information we collect. You can opt out of Google Analytics by downloading the Google Analytics Opt Out Browser which can be downloaded directly from Google’s website here.

If we do want to collect any information about you which would tell us who you are, we will tell you about it. We will also tell you why we want to collect the information and how we intend to use it.

Online surveys

Sometimes we run surveys on our website so that we can get feedback from you. If we were thinking about changing existing services, or if we are thinking about adding new services, or if we want to find out which services need to be made better, we may run a survey to find out what you think.

When we run surveys on our website, we make sure that we cannot tell who you are.  Sometimes, we might ask if we can contact you if we want to ask you some more questions, or if we want to understand what you think better. We will tell you how your information will be used on the first page of the survey.

Our website is run by Midlands and Lancashire Commissioning Support Unit and we use Survey Monkey to provide our surveys.

Individual Funding Requests

When you, your GP or consultant makes a request for us to pay for treatments or drugs which are not normally paid for by the NHS, but which they feel is the best treatment for you, we need information to help us to decide whether you are eligible for the requested funding.

This may include information you have told us and healthcare information which we request from healthcare professionals, including GPs, hospitals and other organisations who have been involved in your care to help us come to a decision.

The information used for this purpose tells us who you are, but we also use information where anything which tells us who you are has been removed, so that we can plan, report on trends, or calculate the amount of money we have spent.

Information which would identify you

We will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode
  • Date of birth

Legal basis for collection

The legal basis for us to collect and use your information for this purpose is specific consent from you (known as explicit consent), unless you are not able to provide consent yourself. If this is the case, someone acting for you, your GP or another healthcare professional may make a decision to put in a request on your behalf because it is in the interests of your health and well-being.

How long we keep your information

Where a request for funding has been rejected, your information will be kept for two years following the date of rejection. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Where a request has been approved, your information will be kept for eight years after approval. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Organisations we share your information with

Individual funding requests are handled on our behalf by an organisation called Arden and GEM Commissioning Support Unit. We have a contract in place with Arden and GEM which tells them how they have to protect and use your information and checks are made to make sure that they are protecting your information properly. Information about how Arden and GEM Commissioning Support Unit use your information can be found here.

Withdrawing consent

If you tell us that you have changed your mind and do not want us to use your information to ask for funding, we may not be able to decide you are eligible to receive funding for the drug or treatment you had asked for.

Continuing Healthcare

When you, or someone who is acting for you, have asked us to decide whether we can pay for a package of care to meet your complex health needs (known as Continuing Healthcare), we need information which allows us to know who you are, so that we can come to a decision.

If you agree, we will also contact other care providers who have been involved in your care and ask them to provide us with information about your healthcare to help us decide what type of care you need and whether we can pay for your care.

The information used for this purpose tells us who you are, but we also use information from which anything that tells us who you are has been removed, so that we can plan, report on trends, or calculate the amount of money we have spent.

Information which would identify you

We will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode
  • Date of birth

Legal basis for collection

The legal basis for us to collect and use your information for this purpose is specific consent from you (known as explicit consent), unless you are not able to provide consent yourself. If this is the case, someone acting for you, your GP or another healthcare professional may make a decision to put in a request on your behalf because it is in the interests of your health and well-being.

How long we keep your information

Where a request for funding has been rejected, your information will be kept for two years following the date of rejection. It will then be reviewed to confirm whether there is any need to keep it for a longer period.

Where a request has been approved, your information will be kept for eight years after approval. It will then be reviewed to confirm whether there is any need to keep it for a longer period. Once records have reached their retention period they will be securely disposed of.

Organisations we share your information with

Arden and GEM Commissioning Support Unit

Continuing Healthcare requests are handled on our behalf by an organisation called Arden and GEM Commissioning Support Unit. We have a contract in place with Arden and GEM which tells them how they have to protect and use your information, and checks are made to make sure that they are protecting your information properly. Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Local authority social services

The Arden and GEM assessment team will collect and securely share information with Birmingham City Council and Solihull Metropolitan Borough Council social services to inform the Continuing Healthcare Assessment process.

Other organisations or individuals

The Arden and GEM assessment team will also share your information with other organisations or individuals who are directly or indirectly involved in your assessment.

Withdrawing consent

If you tell us that you have changed your mind and do not want us to use your information to ask for funding, we may not be able to decide whether you are eligible to receive funding for the Continuing Healthcare you had asked for.

To tell you about changes to your GP practice

If a change is going to be made to your GP practice, for example, if it is going to close down, we need to contact you to tell you and to advise you how to register with another GP practice. We will need your contact details so that we can write to you.

When we do this, the practice you’re currently registered with will securely share your name and address information with the company which we have contracted with to print the letters, so that they can print and send the letter to you.

Information which would identify you

We will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode

Legal basis for collection

The legal basis for us to use your information for this purpose is that we have a duty under the NHS Act 2006 Section 14Z2 to consult with you and inform you of changes.

How long we keep your information

The company we have contracted with to print and send the letters is required to securely destroy your name and address information two weeks after your letter has been sent out.

When you re-register with a new GP practice, your GP healthcare information will be transferred to your new GP by your old GP.

Organisations we share your information with

The printing and sending of letters for this purpose will be provided by a commercial organisation. Checks will be made to make sure that the organisation we use keeps your information safe and secure. We will put an agreement in place to make sure that the commercial organisation we select only uses your information to send you the letter and protects your information in the same way as we do. Once the letters have been sent out, we will check that the organisation has met the terms of the agreement.

Withdrawing consent

We have a legal obligation to tell you about changes to your GP practice. If you told us not to contact you for this purpose, you may not be aware of changes which are to take place in your practice which may affect you.

If you want to raise a query or concern, or if you want to make a complaint

Queries, concerns and complaints about secondary care

When you tell us about a query, concern or complaint you have about a service we provide directly, or about a service which we have paid for, such as hospital care, mental health services, out-of-hours services and community services such as district nurses, we will need information which tells us who you are so that we can find out what has happened, sort it out for you and make sure that it doesn’t happen again in future.

Queries, concerns and complaints about primary care

If your query, concern or complaint is about a GP practice, optician or dentist, you will need to contact the GP practice, optician or dentist directly, or contact NHS England. Details of how to contact NHS England to make a complaint can be found here.

To help us learn from queries, concerns and complaints

When a complaint has been upheld, user stories will be reviewed during our Governing Body Meeting, without the Governing Body knowing who you are. This gives our Governing Body a summary of your concern, any improvements to services which have been identified and how well the complaints procedure has been applied. This will help our Governing Body to make sure that the complaints process is working correctly.

Information which would identify you

Depending upon your query, concern or complaint we will be using the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode

Depending upon the situation, we may also use information which tells us who other people involved in the complaint are.

If a service user’s story is being used within our Governing Body’s Meeting, the information given to them will include what the concern was and what improvements have been made to the service as a result of the concern being raised.

Legal basis for collection and use

The legal basis for us to collect and use your information for this purpose is specific consent from you (known as explicit consent), unless you are not able to provide consent yourself. If this is the case, you can agree to someone acting for you.

If we want to include a service user story in our Governing Body’s Meeting which includes information about you, we will ask you for your specific consent (known as explicit consent) first, before any of your information is shared with them, or published on our website.

How long we keep your information

We will keep information about your complaint, including your contact details, information about what has happened, information which we have found out which relates to your complaint and the outcome of your complaint, for ten years after your complaint has been closed.

Organisations we share your information with

We may need to contact and obtain information from other organisations and people who were either witnesses or who have been involved in your complaint so that we can understand what has happened and sort it out for you. We will only do this once you have provided your specific consent (known as explicit consent).

Individuals we may share your information with

Where you have made a complaint about another person, we are normally required to disclose who you are, as the person who has made the complaint, to the person who has been complained about. This is likely to be the case where someone’s record of events is in dispute.

Publication of upheld complaints via the Governing Body

We may wish to include a service user story in our Governing Body’s Meeting, which includes information about you. The minutes of all Governing Body Meetings are published on our website and will be available to anyone who wants to see them.   

Withdrawing consent

If you tell us that you have changed your mind and do not want us to use your information in order to investigate a complaint about care you have received, we may not be able to investigate your complaint. If you tell us that you do not want us to use your information in order to investigate a complaint you have made on behalf of someone else, this may impact on our ability to investigate the complaint, particularly if you were a witness to the care being complained about.

If we have received concerns about the safety of you or someone else, known as safeguarding

We may receive information relating to concerns about the safety of you or someone else. This information might be from you directly, your relatives or through other health and social care organisations. 

All health and social care professionals have a legal duty to share information with appropriate agencies where safeguarding concerns about children or adults have been received. 

Where it is appropriate to do so, the sharing organisations will keep you informed of when information is required to be shared, to provide you with assurance that the information will be shared securely, and the benefit to you or the person you are raising safeguarding concerns about. Access to this information is strictly controlled and, where there is a requirement to share information, for example with police or social services, all information will be transferred safely and securely, ensuring that only those with a need to know about those concerns are appropriately informed.

Information which would identify you

Depending on the concerns raised, we may need to use the following information to identify you or the person you are concerned about:

  • NHS number
  • Name
  • Address
  • Postcode

Legal basis for collection

We have a legal duty under the Children Act 1989/2004 and the Care Act 2014 to use and share information relating to Safeguarding concerns with Safeguarding Boards and Multi-Agency Safeguarding Hubs where all members sign confidentiality agreements.

How long we keep your information

We will keep information about the concerns raised, including your contact details, information about what has happened and information which we have found out which relates to those concerns, for eight years after we are sure that the person is safe.

Organisations we share your information with

If we are told about someone who may be at risk of harm, we have a legal duty to share that information with Safeguarding Boards and Multi-Agency Safeguarding Hubs.

Withdrawing consent

We have a legal requirement to provide information where there are safeguarding concerns due to public interest issues, for example, to protect the safety and welfare of vulnerable children and adults.

If we need to investigate a serious incident

Information is sent to us when you have been involved in a serious incident, for example when you have been in hospital, or when you have visited your GP, dentist or optician. This may be because you were directly involved in the incident, or if you witnessed it. This information is provided as part of a Serious Incident Report sent to us by primary and secondary care providers to make sure that incidents are handled properly and lessons are learned from them.

When we receive the Serious Incident Form, any information which would tell us who you are will have been removed, unless you have agreed that we can receive it, or there is a legal reason which allows us to know who you are.

You will be told what requirements we have to meet and you will be asked for your consent if we want to share your information externally.

Information which would identify you

Depending on the incident, we may need to use the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode

Legal basis for collection

We are legally required to investigate all serious incidents and in many cases we will need your specific agreement (known as explicit consent) before we can be told who you are, but there may be times when we are legally allowed to be provided with information which enables us to identify you.

How long we keep your information

We will keep information about serious incidents, including your contact details, information about what has happened and information which we have found out which relates to the serious incident, for 20 years after the incident has been reported.

Organisations we share your information with

Arden and GEM Commissioning Support Unit and Midlands and Lancashire Commissioning Support Unit process information about Serious Incidents on our behalf.

If we are required to share incident reports externally

If we are required to provide incident reports outside of the CCG, all of the data or information which could identify you will have been removed (known as anonymised). We will tell you about the requirements that we have to meet and will ask you for your specific agreement (explicit consent) if we need to share your information outside of the CCG in a way which will identify you.

Withdrawal of consent

We have a legal duty to investigate all serious incidents relating to secondary care; however, in the majority of cases we are only able to see information which identifies you if you have agreed. If you say that you do not want your information to be passed to us as part of the investigation, this may mean that we cannot properly investigate the incident. There may be times when the law allows us to be provided with your information, for example where the information is vital to the investigation of an incident which has, or is very likely to have, serious impacts on the health and wellbeing of one or more people.

So that we can check that healthcare providers are paid correctly for the care and treatment they have provided to you

We aim to spend public money wisely, so we need to ensure that we are paying the right amount of money for the right services to the right people. Before we pay for care, we may ask for evidence of treatment or of the outcome of the care. Invoices are checked within a special secure area known as a Controlled Environment for Finance (CEfF) to make sure that the right amount of money is paid, by the right organisation, for the treatment provided.

The process followed makes sure that only the minimum amount of information about you is used, and by a limited number of people. The process is designed to protect your confidentiality. The process is known as invoice validation.

Organisations that provide treatment submit invoices to us for payment.

The secure area (Controlled Environment for Finance, provided by Arden and GEM CSU) receives additional information, including the NHS number, or occasionally the date of birth and postcode, from the organisation that provided treatment.

The information is then checked and any discrepancies are investigated and sorted out between the Controlled Environment for Finance and the care provider. The invoices will be paid when the checks are completed. We do not receive any identifiable information for the purpose of Invoice Validation, but we do receive reports to help with financial management.

Information which would identify you

We use the following information to check that we are paying for your care correctly:

  • NHS number, or;
  • Date of birth, and;
  • Postcode.

Legal basis for collection

We have approval from the Secretary of State under Section 251 of the National Health Service Act 2006, through the Confidentiality Advisory Group of the Health Research Authority which enables the Arden and GEM CSU Controlled Environment for Finance to use identifiable information without consent for the purposes of checking that we are paying for your care correctly (this is known as invoice validation). This work is carried out within a Controlled Environment for Finance – CAG 7-07(a)(b)(c)/2013. The Regulations that enable this power are called the Health Service (Control of Patient Information) Regulations 2002. The Health Research Authority (HRA) took on responsibility for Section 251 in April 2013, establishing the Confidentiality Advisory Group (CAG) function.

A Controlled Environment for Finance is a protected group of staff and systems, separated from other parts of Arden and GEM CSU, who are allowed to handle your information. Strict security protection is in place to make sure that only staff who are approved to use your information are allowed to access it.

How long we keep your information

We will keep information about invoices and the checks made for six years after the end of the financial year they relate to.

Organisations we share your information with

Arden and GEM CSU uses your information for invoice validation on our behalf.  Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Information about how NHS Digital uses your information can be found here.

Opt out details

Type 2 opt out applies. Please see “Your right to opt out of sharing some types of information” below.

Additionally, your GP can apply a code which will stop your identifiable information being used for this purpose. Additional information is also available from NHS England here.

If you were to opt out of sharing your information for this purpose, we would not be able to confirm that we are correctly paying for your care.

Risk stratification

Risk stratification is a process for identifying and caring for patients with long term health conditions and patients who are at high risk of emergency hospital admission.

NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions, such as chronic obstructive pulmonary disease (COPD) and diabetes, to help prevent hospital admissions that could have been avoided. As well as helping GPs to provide Direct Care support, risk stratification is used by the CCG to support planning and commissioning. For example, understanding the numbers of patients in the region who require services to support COPD will enable us to commission the right services to better manage periods of ill health and to improve the quality of the services we are able to offer you.

Risk stratification tools use a mix of historic information about patients such as age, gender, diagnoses and patterns of hospital attendance and admission, as well as data collected in general practice.

NHS Digital provides information, identifiable by your NHS number only, about hospital attendances. GPs provide information from GP records also identifiable by your NHS number only. Both sets of information are sent via secure transfer to the risk stratification system where they are immediately pseudonymised and linked to each other. The risk stratification system uses a formula to analyse the pseudonymised data to produce a risk score. These risk scores are available to the General Practice you are registered with, where authorised staff who are responsible for providing direct care for you are able to see these scores in a format that identifies you. This will help the clinical team make better decisions about your future care, for example you may be invited in for a review or if they think you may benefit from a referral to a new service they will discuss this with you. We are provided with reports containing aggregate information, which does not identify you, to ensure we are commissioning and planning for these services as required by the population we serve.

Information which would identify you

We use the following information to identify you and to enable linking data from different sources:

  • NHS number

Legal basis for collection

The use of identifiable data for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority (known as Section 251 approval under the National Health Service Act 2006, Section 251). The power is enabled under the Health Service (Control of Patient Information) Regulations 2002. The Health Research Authority took on responsibility for Section 251 approvals in April 2013, establishing the Confidentiality Advisory Group (CAG) function.

Further information on Section 251 of the National Health Service Act 2006 can be obtained here. The reference number for the risk stratification approval is CAG7-04(a)/2013. This approval allows your GP or staff within your general practice who are responsible for providing your care, to see information that identifies you, but the CCG staff will only be able to see information in a format that does not reveal your identity.

How long we keep your information

We will keep information about risk stratification for ten years after death.

Organisations we share your information with

Arden and GEM CSU uses your information for risk stratification on our behalf.  Information about how Arden and GEM Commissioning Support Unit uses your information can be found here.

Information about how NHS Digital uses your information can be found here.

Opt out details

Type 1 and Type 2 opt outs apply. Please see “Your right to opt out of sharing some types of information” below. Additionally, your practice can apply a code which will stop your identifiable information being used for this purpose. Additional information is also available from NHS England here.

If you choose to opt out of Type 1 and 2 processing, this means that your GP may not be able to provide you with the same level of support for long term health conditions, or take action to reduce the potential for you being admitted to hospital as an emergency in the future. It may also mean that we would not have sufficient information to enable us to effectively plan and buy appropriate healthcare services for the people we serve.

To help us make sure that the healthcare services we buy are of good quality and are safe

Hospitals and community organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve. This information is known as commissioning information. We obtain this information from NHS Digital which relates to patients registered with our general practices. This enables us to plan, design, purchase and pay for the best possible care available for you.

Different types of commissioning information are legally allowed to be used by different organisations within, or contracted to, the NHS:

  • Information from which we can tell who you are (known as identifiable information) – when disclosed from Primary and Secondary Care Services to NHS Digital
  • Summary information (known as Aggregated information) – we can only receive this information in aggregated form which does not identify you.

The datasets we receive from NHS Digital are in a format that does not directly identify you. The information may include your age, ethnicity and gender as well as coded information about clinic or accident and emergency attendances, hospital admissions and treatment. We also receive information from the General Practices and other local providers within the CCG; this information does not identify you. We use these datasets for:

  • Contract/performance management
  • Reviewing the care delivered by providers, to ensure quality and cost effective care
  • Providing statistics on NHS performance, to understand health needs and to help service re-design, modernisation and improvement
  • Planning future services to ensure they continue to meet local population needs
  • Reconciling claims for services received in your General Practice
  • Auditing NHS accounts and services.

Legal basis for collection

The law allows NHS Digital to provide pseudonymised data to the CCG under the Health and Social Care Act 2012, Sections 261(1) and 261(2)(b)(ii). There is no requirement for a legal basis for use of the aggregated information which is available to the CCG, as this does not identify individuals.

How long we keep your information

We keep commissioning information for six years after the end of the financial year it relates to.

Organisations we share your information with

Arden and GEM Commissioning Support Unit and Midlands and Lancashire Commissioning Support Unit process commissioning data on our behalf.

Information about how NHS Digital uses your information can be found here.

Opt out details

Type 1 and Type 2 opt outs apply. Additionally, your GP can apply a code which will stop your identifiable information being used for this purpose. The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital website. More information about how this data is collected and used by NHS Digital is available here. If you choose to opt out of providing your information for this purpose, this may result in us not being able to adequately ensure that all services we buy are safe and of good quality.

To enable research to be carried out

Research can provide direct benefit to patients who take part in medical trials, and indirect benefits to the population as a whole.  Information can be used to identify people, and to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.

Where identifiable information is needed for research, you will be approached by the organisation where you were treated, to ask if you wish to participate in the research study. You will be provided with information about the research, and the way in which your identifiable information will be used and kept safe and secure, before you are asked to provide explicit consent to take part. Where a Section 251 approval has been granted, you will be informed of the project and will be able to make a decision as to whether you wish to opt out. Information related to research projects will be kept safe and secure with access limited to authorised research team members only.

Information which would identify you

Depending upon the type of research and the legal basis we are relying upon, we may use any of the following information to identify you:

  • NHS number
  • Name
  • Address
  • Postcode
  • Date of birth.

Legal basis for collection

Where identifiable information is being used your explicit consent will be gained. Where gaining consent from all patients is not appropriate, e.g. for large-scale, nationwide projects, a Section 251 approval from the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority is required. The approval ensures that security processes are in place, and that only the required information is used for the purpose specified.  Research activities using anonymised information do not require your consent.

How long we keep your information

We will keep research information for no more than 20 years.

Organisations we share your information with

Arden and GEM Commissioning Support Unit and Midlands and Lancashire Commissioning Support Unit provide the information for us.

Opt out details

Type 1 and Type 2 opt outs apply. Additionally, your GP can apply a code which will stop your identifiable information being used for this purpose. The specific terms and conditions and security controls that we are obliged to follow when using those commissioning datasets can also be found on the NHS Digital website. More information about how this data is collected and used by NHS Digital is available here.

Where consent is required to take part in a research project, you will also be provided with details by the organisation holding your records on how to opt out at any time.

Where s251 approval has been granted you can request that your identifiable information is not included. The Register of current s251 approvals across England and Wales can be found here.

The organisation holding your records will provide notices on their premises and websites about any research projects being undertaken which will provide opt out details.

Your general practice can apply a code which will stop your identifiable information being used for this purpose.

If you choose to opt out, this would mean that you would not be invited to be involved in clinical trials which may relate to a medical condition you have.  This may also impact on improvements and benefits which may be achieved for other patients.

To enable clinical audit to be carried out

Clinical audit is a process by which the care provided to you is reviewed, to make sure that it meets the standards of quality we expect it to. It also helps us to identify any areas where improvement should, or could be made. Effective clinical audit can provide direct benefit to you as a patient and to the people who the CCG buys services for. Clinical audit makes sure that the services we plan and commission offer high quality and effective care.

Information which would identify you

When the CCG undertakes an audit of your care, we are not allowed to use any information which tells us who you are, unless we have specific agreement from you (this is known as explicit consent). 

We can carry out a clinical audit using information which does not tell us who you are (known as anonymised data), or we can buy the services of an external auditor to do the work on our behalf.

If we need to use information which tells us who you are, to be able to carry out the clinical audit, we will ask you for your specific agreement (known as explicit consent).  Because each type of clinical audit is different, we will tell you what information we need, why we need it, what we are going to do with it, who we are going to share it with, how long we are going to keep it and the rights you have over it, when we ask you for your consent. This is known as a Privacy Notice.

Legal basis for collection

When we use information which does not tell us who you are, we do not need your consent, but if we need to use information which tells us who you are, we will ask you for your specific agreement (known as explicit consent).

How long we keep your information

When we use information which tells us who you are (with your specific agreement), we will keep this for five years from the date we start the audit.

Organisations we share your information with

Midlands and Lancashire Commissioning Support Unit provide the information for us. 

Withdrawal of consent

If you have previously agreed to let us use information which tells us who you are to perform a clinical audit, but you have since changed your mind and do not want us to use your information for this purpose, contact the Information Governance team using the contact details above.

If you make a request to access information about yourself, about a deceased patient, or about how our organisation is run, how much money it spends, or the decisions we make

Asking for your own information

If you ask for a copy of your own information, for example your health record, we will ask you to provide your name and contact details and any other information to help us find the information you want us to provide. We will need to see various forms of identification, for example your passport, your birth certificate or a utility bill. When we are processing your request, we will also use your health record.

The legal basis for us providing you with a copy of your information is specific consent (known as explicit consent), in addition to our legal duty under the Data Protection Act 1998 to provide a copy of your information in response to a request.

Where the information requested relates to Continuing Care Records, or Individual Funding Request, Arden and GEM Commissioning Unit will provide them to us.

If you change your mind and decide that you do not wish to receive a copy of your records, we will close off your request.

In all circumstances we will keep your information for three years after we have closed it. If you have appealed our decision, we will keep the information for six years after we have closed it.

If you are requesting information relating to visits to your GP, to a hospital or another healthcare provider, you will need to approach each of the healthcare providers you visited in order to request your records from them. The CCG does not hold patient records, with the limited exceptions of the circumstances included in this Privacy Notice, for example, Continuing Healthcare Requests, Individual Funding Requests etc.

Asking for information about deceased patients

If you ask for a copy of a deceased patient’s health records, we will ask you to provide your name and contact details and any other information to help us find the information you want us to provide. We will need to see various forms of identification, for example your passport, your birth certificate or a utility bill, and evidence that you have a right of access to the deceased patient’s information. When we are processing your request, we will also use the deceased patient’s health record.

The legal basis for us to use your information is specific consent (known as explicit consent), in addition to our legal duty under the Access to Health Records Act 1990 to provide a copy of a deceased patient’s health record to people who can prove that they have a right of access.

Where the information requested relates to Continuing Care Records, or Individual Funding Request, Arden and GEM Commissioning Unit will provide them to us.

If you change your mind and decide that you do not wish to receive a copy of the deceased patient’s health records, we will close off your request.

In all circumstances we will keep your information for three years after we have closed the request.

Asking for information about how the CCG is run

If you send us a request for information about how we are run, for example how we make decisions or how much we spend, we will need to know your name and contact details, so that we can respond to your request.

The legal basis that allows us to use your information for this purpose is the Freedom of Information Act 2000 and the Environmental Information Regulations 2003, which obligate us to respond to your request for information.

If you change your mind and do not wish us to provide the information you have requested, we will close the request. 

We will keep information about the request, including your name and contact details, for three years following closure of your request.

If we receive an appeal about a decision we have made to withhold information, we will keep this information, including your contact details, for six years following closure of your request.

Withdrawal of consent

If you choose to withdraw consent for us using your personal information for handling requests for information, we will be unable to provide you with the information requested, as we are required by law to collect specific information about the applicant, for example, name and address. Where the request relates to information about yourself or a deceased person, we will also need to see proof of your identity.

Your right to opt out of sharing some types of information

Your information may be used in a variety of ways for a variety of purposes. You are able to opt out of some of these purposes, but remain ‘in’ for others. 

For example, you may not want a part of your information to be used for clinical audit purposes (which is a process used to improve the quality of healthcare services), but you may be happy for a version of your information which doesn’t say who you are (known as anonymised information) to be used for research purposes, so you wouldn’t opt out of this. 

You can talk about this with your GP who will explain the choices you have. There are different levels of opt-out available:

Type 1 opt-out

GPs are required by law to provide confidential patient data to an organisation called NHS Digital, who are responsible for collecting information from across health and social care systems in organisations where you may be receiving care, such as hospitals and community services. Strict controls are used to make sure that your information is protected, that it is kept secret and is only available to a small number of staff who have been approved and who have a legal reason to access it.  Steps have been taken to make sure that this information is transferred to NHS Digital safely, securely and confidentially.

If you do not want your information to be shared outside of your GP practice for purposes other than your direct care, you can choose to register a Type 1 Opt Out with your GP. This will stop confidential information which tells us who you are being used outside of your GP Practice, except for purposes which are legally required, such as in the case of a public health emergency, like an outbreak of a pandemic disease.

You can only register to opt out at your GP practice.

Type 2 opt-out

Patients in England can stop information which says who they are being shared by NHS Digital for purposes other than their own direct care. This is known as a Type 2 Opt Out.

Please see further information about this in the NHS Digital Fair Processing Notice, which can be found here.

Further information and support about type 2 Opt Outs can be obtained from:

  • NHS Digital, or by calling 0300 303 5678 or by email, referencing ‘Type 2 opt outs Data Requests’ in the subject line of the email.

Further information about your rights

Further information about how the NHS uses your information and the rights you have to control how it is used and protected can be found in the links below: