Privacy And Cookies

How your information is used
Who we are 
NHS Southern Derbyshire Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. We need to use information about you to enable us to do this effectively, efficiently and safely. 

For further information please refer to the ‘about us’ page here.  

How we use your information
This Privacy Notice tells you about the information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It also explains the choices you can make about the way in which your information is used and how you can opt-out of any sharing arrangements that may be in place. 

It covers information we collect directly from you or collect indirectly from other individuals or organisations for the CCG’s registered population. 

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Please contact:

CCG IG Lead – Stuart Fletcher, Governance Manager
T: 01332 888 255

This Privacy Notice applies to all information held by the CCG relating to individuals, whether you are a patient, service user or a member of staff. 

General Data Protection Regulation (GDPR)  
The General Data Protection Regulation (GDPR) will be implemented into UK law by the Data Protection Bill, which will supersede the Data Protection Act 1998. The new law will extend the rights of individuals and require organisations holding personal data to comply with a new, stricter set of rules.

The GDPR comes into effect on 25 May 2018. Click here for more information about GDPR and the changes that the four Clinical Commissioning Groups in Derbyshire are making to ensure that they comply with the new legislation.  

Reviews of and Changes to our Privacy Notice
We will keep our privacy notice under regular review. This privacy notice was last reviewed in January 2018. 

Types of Information we collect and hold about you
We need to use information in various forms about you and will only use the minimum amount of information necessary for the purpose. Where possible, we will use information that does not identify you. 

The CCG processes several different types of information: 

  1. Identifiable – containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth
  2. Pseudonymised – individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity
  3. Anonymised – about individuals but with identifying details removed
  4. Aggregated – statistical information about several individuals that has been combined to show general trends or values without identifying individuals within the data. 

Our records may be held on paper or in a computer system. 

While we have made this Privacy Notice as easy to read and understand as we can, some legal concepts and terms used later in the notice may require further explanation. These are explained here.

Legal obligations to collect and use information
In the circumstances where we are required to use personal identifiable information we will only do this if: 

  • The information is necessary for your direct healthcare
  • We have received explicit consent from you to use your information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation)
  • We have permission to do so from the Secretary of State for Health to use certain confidential patient identifiable information when it is necessary for our work
  • Emergency Planning reasons such as for protecting the health and safety of others. Typically these relate to severe weather, outbreaks of diseases (e.g. flu) and major transport incidents.

Primary and Secondary Care Data
The NHS provides a wide range of services which involve the collection and use of information. Different care settings are considered as either ‘primary care’ or ‘secondary care’. Primary care settings include GP practices, pharmacists, dentists and some specialised services, including military health services. Secondary care settings include local hospitals, rehabilitative care, urgent and emergency care (including out of hours and NHS 111), community and mental health services.

Throughout this Privacy Notice you will see reference to an organisation called NHS Digital, which is the national provider of information, data and IT systems for commissioners (such as the CCG), analysts and clinicians in health and social care. NHS Digital provides information based on identifiable information passed securely to them by Primary and Secondary Care Providers who are legally obliged to provide this information. The way in which NHS Digital collects and uses your information can be found here.

Our Commitment to Data Privacy and Confidentiality Issues
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998. The various laws and rules about using and sharing confidential information, with which the CCG will comply, are available in “A guide to confidentiality in health and social care” which is published on the NHS Digital website.

NHS Southern Derbyshire CCG is a Data Controller and, under the terms of the Data Protection Act 1998, we are legally responsible for ensuring that all personal confidential data about you that we collect and use (i.e. hold, obtain, record, use or share) is handled in compliance with the 8 Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3616698 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing. 

All identifiable information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis. All health and social care organisations are required to provide annual evidence of compliance with applicable laws, regulation and standards through the Information Governance Toolkit, which shows our current level of compliance as ‘satisfactory’, providing assurance to you of how we protect your information. The individual requirements we must provide evidence for can be found here. Further information regarding Information Governance and the Information Governance Toolkit can be found on page 3 of this document.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. All staff are trained to ensure they understand how to recognise and report an incident, ensuring that the organisation’s procedure for investigating, managing and learning lessons from incidents is followed.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. The CCG’s Records Management Policies include guidance around the secure destruction of information in line with the Code of Practice. 

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.  

Confidentiality Advice and Support 
The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing. Further information about the role of the Caldicott Guardian can be found on page 3 of this document.

Your Rights 
You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any identifiable information we hold about you.

You have the right to privacy and to expect the NHS to keep your information confidential and secure.  

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.  

If we do hold identifiable information about you, you can ask us to correct any mistakes by contacting the CCG IG Lead: 

CCG IG Lead - Stuart Fletcher, Governance Manager
T: 01332 888 255

You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. Details of the national opt-out programme can be found on page 1 of this document.

We have provided details of information collected and used for specific purposes with information on how to withdraw consent specific to each purpose and details of the possible impact this may have on you if you are to opt-out.  

These are commitments set out in the NHS Constitution. For further information please visit:


The CCG tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. Contact details for complaints to NHS Southern Derbyshire CCG can be found in the Complaints Handling Policy; details of how to raise a concern directly with the ICO can be found here.

Details of information collected and used for specific purposes
Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information. For each purpose we have provided information for you on the purpose, including benefits to you as a patient; the type of information used (see definition above); the legal basis identified for the collection and use of information; how we collect and use the information required; data processing activities, listing any third parties we may use for each purpose; and information on how to opt out of your information being used for each purpose.

  • Complaints
  • Funding Treatments
  • Continuing Healthcare
  • Safeguarding
  • Risk Stratification
  • Patient and Public Involvement
  • National Registries
  • Research
  • Serious Incident Reports
  • Clinical audit 

Most websites you visit will use cookies in order to improve your user experience by enabling that website to ‘remember’ you. Cookies do lots of different jobs, like letting you navigate between pages efficiently, storing your preferences and generally improving your experience of a website. Cookies make the interaction between you and the website faster and easier. 

Cookies may be set by the website you are visiting or they may be set by other websites who run content on the page you are viewing.

What is in a cookie?
A cookie is a simple text file that is stored on your computer or mobile device by a website’s server and only that server will be able to retrieve or read the contents of that cookie. Each cookie is unique to your web browser. It will contain some anonymous information such as a unique identifier and the site name and some digits and numbers. It allows a website to remember things like your preferences or login.

What to do if you don’t want cookies to be set
Some people find the idea of a website storing information on their computer or mobile device a bit intrusive, particularly when this information is stored and used by a third party without them knowing. Although this is generally quite harmless you may not, for example, want to see advertising that has been targeted to your interests. If you prefer, it is possible to block some or all cookies, or even to delete cookies that have already been set; but you need to be aware that you might lose some functions of that website. If you have any concerns about cookies, let us know.

Google Analytics
NHS Southern Derbyshire CCG’s website uses Google Analytics, a third party web analytics service provided by Google, Inc. ("Google"). When someone visits www.southernderbyshireccg.nhs.uk, Google Analytics collects standard internet log information and details of visitor behaviour patterns. We do this to monitor the number of visitors to various parts of the site. This information is only processed in a way that does not identify individuals. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Google Analytics uses cookies, which are text files placed on your computer, to help the website analyse how users use the site.

By using this website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

Search engine on our website
Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either the ICO (https://ico.org.uk/) or any third party.

Links from our website
NHS Southern Derbyshire CCG’s website contains links to other websites of interest. However, once you have used these links to leave this website, you should note that we do not have any control over that other website. We cannot be responsible for the protection and privacy of any information which you provide while visiting such websites, and such websites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question. We recommend that you review the website’s privacy policy as a precautionary measure. The trust does not endorse any external sites and is not responsible for their content.

Apps for mobile phones 
The applications (apps) that are created by NHS Southern Derbyshire CCG use analysis software which collects information about usage, downloads and page views. The information is not user identifiable and NHS Southern Derbyshire CCG does not make any attempt to find out the identity of the user. This information ensures that the user is receiving the most out of their app experience.