Terms Of Use Overview

How we use your information

This privacy notice explains why the Clinical Commissioning Group (CCG) collects information about you, and how that information may be used. 

Clinical Commissioning Groups have fair processing responsibilities under the Data Protection Act 1998.  This means ensuring that your personal data are handled in ways that are transparent and that you would reasonably expect.  The Health and Social Care Act 2012 changes the way that confidential data are processed it is important that you are made aware of these changes, understand that you can object to certain uses, and how to do so.

The health care professionals who provide you with care maintain records about your health and treatment.  These records may be electronic, paper, or both and various measures are employed to ensure the security of your records.  The information contained in the records is used for your direct care and kept confidential.  However, we may be required to disclose your personal information if it is required by law, is justified in the public interest, or when you consent for the use for other purposes.

Your data may also be shared with other healthcare professionals who provide you with care through local integrated care services.  Your permission to share your data between the services will be requested, although refusing permission may impact your care.  If this is the case your doctor will be able to explain how this could affect your care.

We process personal information to enable us to support the provision of healthcare services to patients, maintain our own accounts and records, promote our services and to support and manage our employees. We also need information about the services provided to patients and service users in order to

  • Monitoring how well we are doing in terms of providing a service and the quality of the services
  • Enabling health and social care services to be planned
  • Comparing care received in one area with another to determine what has worked best
  • Supporting ethically approved research
  • Making sure the NHS received the correct payment for the services it provides
  • Determining where improvements may be needed to deliver highest quality care.

We will use anonymised data that cannot be linked back to your information wherever possible for uses not linked directly to your care.  Under the Health and Social Care Act 2012 the Health and Social Care Information Centre can request personal confidential information from your GP practice without asking for your consent first. 

We are committed to protecting your privacy and will only use data collected lawfully in accordance with the Data Protection Act 1998, Human Rights Act, the Common Law Duty of Confidentiality, and the NHS Codes of Confidentiality and Security.  The only staff who have access to your data are those with a legitimate reason to do so, and is controlled by multiple levels of security. 

Individual will be allowed to prevent their confidential information from being used for any purpose other than supporting the provision of direct care.  If you do not want your information to be shared outside the GP practice, you can contact the practice who will make a record of your objections.

The Data Protection Act 1998 gives you the right to view or access information held about you.  This is known as ‘the right of subject access’.  Under this right you are entitled to have a description of the information, explanation of why it is held, who it could be disclosed to, and you are entitled to a copy of the information. 

If you would like further information about how your information is used click on the link below for more detailed information.

Please read the following terms and conditions, which apply to any use made by you of information or other material contained on this website. The use of this website is subject to the following terms and conditions. In entering our site you, as a user, are accepting our terms and conditions. They take effect from the date on which you first use this website.

Information we hold about you and how we use it

This privacy notice tells you what to expect when we collect personal information. It applies to information we collect about:

  • complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry

  • people who use our services, e.g. who subscribe to our newsletter or request a publication from us

  • information that we may hold in relation to services that you have asked us to provide.

This privacy notice does not provide exhaustive detail of all aspects of our collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

We keep our privacy notice under regular review. This privacy notice was last reviewed in July 2014.

Who we are

NHS Southern Derbyshire Clinical Commissioning Group (CCG) is a clinically-led CCG which has many different roles and responsibilities. A major part of our work is the effective ‘commissioning’ of services - this means ensuring we have the NHS services that people need and making sure they are high quality and value for money.

For further information please refer to the ‘who we are’ page. 

You and your NHS data

Organisations providing NHS services keep records that contain information about you and your health, and the care and treatment they have provided or plan to provide to you. This information is held as either paper or computerised records and is used to support decisions made by you and the healthcare professionals looking after you to make sure your care is safe and effective.

GPs, hospitals and community organisations that provide NHS-funded care must submit certain information to the Health and Social Care Information Centre (HSCIC) to be used for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population and to gain evidence that will improve health and care through research. The CCG uses this Secondary Use Services (SUS) data and the information below explains what we use it for and your rights in respect of your personal data.  More information about how your data is collected and used by the Health and Social Care Information Centre (HSCIC) is available on their website http://www.hscic.gov.uk/home

Information will not be shared between NHS organisations unless you give each organisation you have contact with permission to share information about you.  We cannot access any general practice information unless you give us permission. 

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee provides a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

How we use your data

Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health services, rehabilitation and community services. We therefore also need to use information to enable us to do this effectively, efficiently and safely.

As a commissioner, we do not routinely hold or have access to your medical records but we may need to hold information about you,
for example if it relates to a complaint or other purpose where you have asked for our help or involvement, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts.   

This may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

We will only use the minimum amount of information about you but when it becomes necessary for us to know personal information about you and we will only do this when we have either a legal basis or your explicit consent. If you do not agree to certain information being shared with us or have any concerns then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.

We also use information collected by the Health and Social Care Information Centre (HSCIC) and from other places where you receive care, such as hospitals, community services and GPs. The information that we use is known as Secondary Uses Service data (SUS data) and includes information about the patients who have received care and treatment from those services that we are responsible for funding. The data provided to us does not include your name and home address, but it may include information such as your NHS number, post code, date of birth, ethnicity and gender as well as coded information about your clinic or accident and emergency attendances, hospital admissions and treatment. 

We use the SUS data for a number of purposes as follows:

  • To performance manage contracts and review the care delivered by providers to ensure effective care pathways and use of resources and capacity;

  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;

  • To help us plan future services to ensure they continue to meet our local population needs;

  • To audit NHS accounts and services; and

  • To pay services for the care they provide.

We will use anonymised data that cannot be linked back to your identity (de-identified data) wherever possible, however, due to changes arising from the Health and Social Care Act 2012 that led to the re-structuring of the NHS from 1st April 2013 and the establishment of the CCGs, some of the old systems we inherited need to change to support the flow of anonymised data from the HSCIC for commissioning purposes.     

In order to ensure that the NHS continues to function lawfully and efficiently, the Secretary of State for Health has given permission for us (and other NHS Commissioners) to use certain personal information from SUS without consent until November 2014, but only when it is absolutely necessary for certain specified purposes. This approval is given upon the strict advice of the Health Research Authority’s Confidentiality and Advisory Group under conditions set out in section 251 of the NHS Act 2006.  The specific terms and conditions that we are obliged to follow when using SUS data can be found on the HSCIC website.   

Sharing your information with other organisations

We share anonymised information with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. We would not share information about you unless: 

  • You have asked us to and given us permission;

  • W are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;

  • To protect children and vulnerable adults;

  • When a formal court order has been served upon us; and/or

  • The health and safety of others, for example to report an infectious disease like meningitis or measles

Sharing and linking data

NHS patients and social care service users may receive care and treatment from a number of different places.  It is necessary to link this information together to provide the full picture needed to support the activities listed above. In effect, sharing information enables the NHS to improve its understanding of the most important health needs and the quality of the treatment and care we provide to you

We have entered into contracts with other NHS organisations to provide some services to us, which includes processing data on our behalf, including patient information and to provide Human Resources services for our staff. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure and the CCG is responsible for ensuring their staff are appropriately trained and that technical and operational procedures are in place to keep information secure and protect privacy.

The Caldicott Guardian  is the senior person in the CCG responsible for protecting the confidentiality of patient and service user information and enabling appropriate and lawful information-sharing. There are specific processes which are followed to ensure the continuing security and confidentiality of the information and we are obliged to tell you that we have shared your information in all but very exceptional circumstances.

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. Unless required to do so by law, we will not share, sell or distribute any of the information you provide to us with any third party organisations/individuals without your explicit consent.

We may also hold your demographic information i.e. your contact details including your name and address, that you have provided to us where you have asked us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved  in our engagement and consultation activities or patient participation groups. 

We are committed to protecting your rights to confidentiality

 We are committed to protecting your privacy and will only process personal information in accordance with the Data Protection Act 1998, the Human Rights Act 1998 and the common law duty of confidentiality.

NHS Southern Derbyshire CCG is a Data Controller under the terms of the Data Protection Act 1998 we are  legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you is done in compliance with the 8 data protection principles. All data controllers must notify the Information Commissioner’s Office of all personal information processing activities. Our registration number is Z3616698 and our entry can be found on the Information Commissioner’s Office website: http://ico.org.uk/

 All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis.

In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies. You can also get further information on:

  •  Agreements we have with other organisations for sharing information;

  • Circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;

  • Our instructions to staff on how to collect, use and delete personal data; and

  • How we check that the information we hold is accurate and up to date.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

We will publish patient stories, following upheld complaints, anonymously via our governing body.  The patient stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied.  Consent will always be sought from the service user and carer or both before we publish the patient story.

Complaints or queries

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.


Invoice Validation

Invoice validation is an important process which the CCG carries out. This involves using your NHS number to establish which NHS organisation is responsible for paying for your treatment. . The process also ensures that those who provide you with care are reimbursed correctly for the care and treatment they have provided.   We have commissioned Greater East Midlands Commissioning Support Unit to provide this service for us. 

Risk stratification


Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission. Typically this is because patients have a long term condition such as COPD or cancer.NHS England (the national Commissioning Board) encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions. Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance and admission and primary care data collected in GP practice systems. The CCG will use anonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality. The use of personal data by CCGs and GPs for risk stratification has been approved by the Confidentiality Advisory Group of the Health Research Authority and it is anticipated this will be in place until at least April 2015. There is currently a national consultation in progress which is seeking feedback on the requirements, use and sharing of personal data by commissioners, the CCG will adopt and work in line with nationally agreed ways of working and rules regarding the sharing of data.   

National Registries

National Registries (such as the Cancer registry) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold patient identifiable information without the need to seek informed consent from each individual patient; patients are free to opt-out should they wish.  The policies and procedures governing the data holding at the Registries have been approved by the Ethics and Confidentiality Committee on behalf of the National Information Governance Board and are reviewed annually.


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.  Patient records can also be used to identify people to invite them to take part in clinical trials and other interventional studies. Where identifiable data is needed for research, patients will be approached to participate in research studies by their clinicians, but patients and public will be asked for their consent before their identifiable information is disclosed for a given piece of research

Your Rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal information we hold about you. You have the right to privacy and to expect the NHS to keep your information confidential and secure. You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. These are commitments set out in the NHS Constitution, for further information please visit


Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

     give you a description of it;

     tell you why we are holding it;

     tell you who it could be disclosed to; and

     let you have a copy of the information in an intelligible form.

To make a request to any personal information we may hold you need to put the request in writing to the address provided. If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Information Governance department.

We will only retain information for as long as necessary. Records are maintained in line with the NHS England retention schedule which determines the length of time records should be kept. 

Related links

HSCIC Code of Confidentiality


Caldicott Review



Records Management

Records Management - NHS Code of Practice

Data Sharing

Data Sharing Code of Practice

Advice and Guidance on the Law and Personal Data

The Information Commissioner's Office


Information Security

Information Security Management: NHS Code of Practice

Anonymising Information

Pseudonymisation Implementation Project

Requesting Information Under the Data Protection Act

Information Commissioners Guidance on Subject Access

The Care Record Guarantee

National Care Record Guarantee  

Health research Authority

Confidentiality Advisory Group


Use of website

The website is maintained for your personal use and viewing. You agree to use this site only for lawful purposes, and in a manner that does not infringe the rights of, or restrict or inhibit the use and enjoyment of this site by any third party. Such restriction or inhibition includes, without limitation, conduct which is unlawful, or which may harass or cause distress or inconvenience to any person, and the transmission of obscene or offensive content or disruption of normal flow of dialogue within this site. You also agree that you shall not make any use of the website such that the whole or part of the website is interrupted, damaged, rendered less efficient, or the effectiveness or functionally of the website is in any way impaired and that you will not use the website for the transmission or posting of any computer viruses.


The material on this site is subject to copyright protection of NHS Southern Derbyshire Clinical Commissioning Group (CCG) unless otherwise indicated. This copyright-protected material may be reproduced free of charge in any format or medium for the purposes of research, private study or for internal circulation within an organisation. This is subject to the material being reproduced accurately and not used in a misleading context.

Where any of the items on this site are being republished or copied to others, the source of the material must be clearly identified and the copyright status acknowledged.

The permission to reproduce the CCG’s copyright protected material does not extend to any material on this site that is identified as being the copyright of a third party. Authorisation to reproduce such material must be obtained from the copyright holders.

The names, images, and logos within website are the proprietary marks of the NHS. Copying and using our logos or any other third party logos accessed via this website is not permitted without the prior approval of the relevant copyright owner.

Links from 

The website contains links to various websites that are operated by third parties over whom we have no control. Links are provided for information and convenience only. We cannot accept responsibility for the sites linked to, or the information found there. We cannot guarantee that these links will work all of the time and we have no control over the availability of the linked pages. A link does not imply the endorsement of a site; likewise, not linking to a particular site does not imply lack of endorsement. We therefore do not make any representation – and do not accept any liability – in respect of the content, products or services available from such websites, or the business of such third parties. Any dealings with advertisers and merchants accessed using the CCGs websites shall be entirely at your own risk.

Links to

The CCG encourages users to establish hypertext links to the site. However, we do not permit our pages to be loaded into frames on another site. The pages must load into the user’s entire window.


We endeavor to ensure that the information contained in this website is both accurate and complete. However, we accept no responsibility for any damages or loss arising from the use of this information. We endeavor to ensure content on the website could not be deemed offensive to an individual or a collection of individuals, and that content adheres to common principles of decency and taste.


We cannot guarantee uninterrupted access to this website, or the sites to which it links.

Virus protection

We make every effort to check and test material at all stages of production. It is always wise for you to run an anti-virus program on all material downloaded from the internet. We cannot accept any responsibility for any loss, disruption or damage to your data or your computer system that may occur while using material derived from this website.

Privacy statements

This system will record your email address and other information if volunteered to us by you. This information shall be treated as proprietary and confidential. It may be used for internal review and, if requested, to notify you about updates to the website.

The CCG will treat personal information sent via this website as confidential. No personal information, including email addresses, will be shared with third parties or commercial organisations for the purposes of advertising or data warehousing.

We do not use cookies to collect any private or personally identifiable information. However, we do use them to enhance the functionality of our website. Find out more

Feedback form

If you would like to get in touch with us using our feedback form, we recommend that you do not include any sensitive information which would identify you or anyone else, such as details of health problems, in your message.


The information on these pages is intended as a guide only. Whilst we endeavor to keep such information as up to date as possible, we make no claim as to its total accuracy or completeness. Information is liable to change, and such changes may not be mirrored in this site. The CCG does not accept liability for any loss or damage resulting from use of this site or reliance on its content. External links lead to sites and pages over which we have no control, and which we cannot verify for accuracy or content. The inclusion of a link on this website should not be taken as an endorsement of the linked website, nor of the accuracy or quality of the information on such sites.

This website is provided for information only. It is not intended to replace a consultation with an appropriately qualified medical practitioner. The CCG cannot accept responsibility for any loss, damage or injury that arises from the use of this website.



Last modified: 07/08/2014