Privacy Notice  

The Derbyshire Clinical Commissioning Groups (CCGs) are responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. We need to use information about you to enable us to do this effectively, efficiently and safely. As Data Controllers, we are responsible for how your information is used and explaining that to you. The Derbyshire CCGs (NHS Erewash, NHS Hardwick, NHS North Derbyshire and NHS Southern Derbyshire) share responsibility for commissioning services across the County and these are referred to as the lead commissioner.

Our Commitment to Data Privacy and Confidentiality Issues
We are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation.  This includes the General Data Protection Regulation (EU) 2016/679  (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time. 

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations..

Why we process your information
Depending on the service, this could include:

  • Processing applications for funding treatments
  • Dealing with complaints
  • Processing Safeguarding referrals
  • Continuing Healthcare
  • Risk Stratification
  • Patient & public involvement
  • National registries
  • Clinical audit
  • Investigating and managing serious incidents

Sharing your personal information
We may share your information with other organisations:

  • as required by law
  • to prevent and detect fraud and mistakes
  • to make payments to NHS Service providers
  • to secure the effective and efficient delivery of NHS and related services
  • for benefits and tax administration
  • as part of an appeal

Your information will not be transferred outside the European Economic Area, unless this is stated in the privacy notice of the service you use.

Keeping your personal information
Your personal data will be deleted or anonymised when we no longer need to be able to identify you from that information.

You can ask for access to the information we hold on you
In cases where we hold your data to provide a service to you we would normally access that data when discussing your needs with you or as part of delivering that service.

However, you also have the right to ask for all the information we have about you and the services you receive from us also known as a Subject Access request (SAR). When we receive a request from you in writing, we must give you access to everything we’ve recorded about you unless an exemption applies. If you wish to make a Subject Access Request then please write to the address at the end of this notice.

You can ask to change information you think is inaccurate
You should let us know if you disagree with some information we hold about you.

We may not always be able to change or remove that information but we’ll correct factual inaccuracies and may include your comments in the record to show that you disagree with it.

You can ask to delete information (right to be forgotten)
In some circumstances you can ask for your personal information to be deleted, for example:

•           Where your personal information is no longer needed for the reason why it was collected in the first place

•           Where you have removed your consent for us to use your information (where there is no other legal reason us to use it)

•           Where there is no legal reason for the use of your information

•           Where deleting the information is a legal requirement

Where your personal information has been shared with others, we will inform them if we are erasing any data we have shared with them.

Please note that we can’t delete your information where:

•           we are required to have it by law

•           it is used for freedom of expression

•           it is used for public health purposes

•           it is for, scientific or historical research, or statistical purposes where it would make information unusable

•           it is necessary for legal claims

You can ask to limit what we use your personal data for
You have the right to ask us to restrict what we use your personal information for where:

•           you have identified inaccurate information, and have told us of it

•           where we have no legal reason to use that information but you want us to restrict what we use it for rather than erase the information altogether

When information is restricted it can’t be used other than to securely store the data and with your consent to handle legal claims and protect others, or where it’s for important public interests of the UK.

Where restriction of use has been granted, we’ll inform you before we carry on using your personal information.

You have the right to ask us to stop using your personal information for any CCG service. However, if this request is approved this may cause delays or prevent us delivering that service.

Where possible we’ll seek to comply with your request, but we may need to hold or use information because we are required to by law.

Information not directly collected by the CCG, but collected by organisations that provide NHS services.

Type 1 opt-out
If you do not want personal confidential data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Type 2 opt-out: information held by NHS Digital
Previously you could tell your GP surgery if you did not want NHS Digital, to share confidential patient information that it collects from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.

From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-Out.

The template privacy notice text can be found at:

You can ask to have your information moved to another provider

(data portability)

You have the right to ask for your personal information to be given back to you or another service provider of your choice in a commonly used format. This is called data portability.

However this only applies if we’re using your personal information with consent (not if we’re required to by law) and if decisions were made by a computer and not a human being.

It’s likely that data portability won’t apply to most of the services you receive from the CCGs.

You can ask to have any computer made decisions explained to you, and details of how we may have ‘risk profiled’ you.

You have the right to question decisions made about you by a computer, unless it’s required for any contract you have entered into, required by law, or you’ve consented to it.

You also have the right to object if you are being ‘profiled’. Profiling is where decisions are made about you based on certain things in your personal information, e.g. your health conditions.

If and when the CCG uses your personal information to profile you, in order to deliver the most appropriate service to you, you will be informed.

If you have concerns regarding automated decision making, or profiling, please contact the Data Protection Officer who’ll be able to advise you about how we using your information.

Types of Data We Use

Personal Data


Data from which you can be personally identified


  • Name
  • Date of Birth
  • Address
  • Contact Details
  • NHS number


Sensitive Personal Data or ‘Special Category Data’


‘Special Categories are:

  • Race
  • Ethnic Origin
  • Politics
  • Religion
  • Trade Union Membership
  • Genetics
  • Biometrics (where used for ID purposes)
  • Health
  • Sex Life;or
  • Sexual Orientation


Anonymised Data


Contains no identifiable data that has the capability to trace back to you.

(Anonymised data does not fall under the scope of Data Protection Legislation)


Pseudonymised Data



the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organizational measures to ensure non-attribution to an identified or identifiable individual”


Aggregated Data


Statistical information about individuals that has been combined to show general trends or values without identifying individuals within the data.

How each of our services uses your information
You can view the privacy notices for each of our services:

  1. Complaints & PALS
  2. Individual Funding Requests
  3. Patient & Public Involvement
  4. Personal Health Budgets
  5. Risk Stratification
  6. Care Homes
  7. Safeguarding
  8. Staff – Past, Present & Future
  9. Brain Injury
  10. Specialist Hospital Funding
  11. Transforming Care
  12. Medicines Management
  13. Medicines Order Line
  14. Treatment Reviews
  15. Procedures of Limited Clinical Value
  16. Continuing Healthcare
  17. Finance – Invoice Validation
  18. Special Educational Needs and/Or Disabilities 
  19. Commissioning Purposes 
  20. National Fraud Initiative         

Our Data Processors 

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. The CCG remains the data controller (the organisation responsible for determining the purposes for which and the manner in which personal data is used under Data Protection Legislation) of such information at all times. Please click here for a list of our Data Processors 

Request a copy of your personal information

Write to us to request a copy of your information. To make sure it’s you and protect your data we may undertake some identity checks. We follow a procedure when we receive your request and will respond within 1 month. If you aren’t happy with our response, you can ask for a review.

Contact us
If you have any queries, concerns or want to request that we change or delete your information you may contact the Derbyshire CCGs at the following address:

Data Protection Officer
Toll Bar House
1 Derby Road


Data Protection Officers are responsible for upholding your rights and making sure we process your information correctly. 

Concerns about how we are using your information
If you have any concerns about the processing of your information you may also contact the Data Protection Regulator:

Information Commissioner’s Office
Wycliffe House