
currently under review in light of GDPR implementation

What we do

Our CCG is a membership organisation comprising 35 GP practices within the CCG’s geographical boundaries. It is responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers such as hospitals and GP practices for our local population to ensure the highest quality of healthcare. We also have a performance monitoring role for these services, which includes responding to any concerns from our patients on services offered.

How we use your information

Our CCG holds some information about you and this document outlines how that information is used, who we may share that information with, how we keep it secure (confidential) and what your rights are in relation to this.

Records are retained in accordance with the retention and disposal schedule in the Records Management Code of Practice for Health and Social Care 2016. Further information is available here.  

Destruction of personal confidential information

It is the responsibility of all staff to ensure information they are handling is destroyed effectively and securely in line with current data protection law as well as in compliance with the British Security Industry Association code (BS15713) for the secure destruction of confidential waste best practice guidelines. 

All paper records that have reached the end of their life cycle (see Records Management and Information Lifecycle Policy) should be destroyed using one of the following methods:-

What kind of information we use

We use three types of information/data:

Anonymised data is data about you from which you cannot be personally identified. Anonymised data is any personal data which has been processed so that all identifiers (such as name or NHS number) are removed, minimising the likelihood that the data will identify individuals.

Pseudonymised data is any personal data which has been processed so that all identifiers such as name, address, date of birth and NHS number are removed and replaced with a code which makes it anonymous to the CCG, but would allow others such as those responsible for providing care to identify an individual.

Personal data is data which relates to a living individual who:

Sensitive information/data 

Sensitive personal data is personal data which also contains one or more of the following:

What do we use anonymised data for?

We use anonymised data to plan health care services. Specifically we use it to:

What do we use your sensitive and personal information for?

There are some limited exceptions where we may collect, hold and use sensitive personal information about you. For example, the CCG has been required by law to perform certain services that involve the processing of sensitive personal information.

The areas where we regularly use sensitive personal information (details such as your name, address, date of birth and NHS Number along with information relating to your health) include:

More detail on the type of areas where sensitive personal information may be used is set out below:

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 1998. The Data Protection Act requires us to have an appropriate justification (lawful basis) if we wish to use/process any personal information. This means that we cannot collect information without the purpose of this being clearly identified and we can only do this where a law gives us permission to do this.

Within the health sector, we also have to follow the common law duty of confidence, which means that identifiable information about you provided or collected during your care should be treated as confidential and only shared for the purpose of providing direct care. We handle information in accordance with the Confidentiality NHS Code of Practice, NHS Digital Guide to Confidentiality, Caldicott Principles and professional standards in addition to the above legal requirements.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).  All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

The CCG has an executive director responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian and can be contacted using the details below.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website.

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law provides some NHS bodies, particularly NHS Digital, ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve.

Data may be linked and de-identified by these special bodies so that it can be used to improve health care and develop and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with secondary care SUS (secondary uses service) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as IAPT, district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a pseudonym in the form of a unique code as the CCG does not have any access to patient identifiable data.

We may also contract with other organisations to process data. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

Currently, the external data processors we work with include (amongst others):

What are your rights?

You have the right to have information about you processed fairly and lawfully, and to be able to access any personal information about you held by the NHS. You also have the right to privacy, and can expect the NHS to keep information confidential and secure. You have the right to request that your confidential information is not used for purposes other than your own care and treatment, and to have your objections considered. These rights are set out in the NHS Constitution.

Opt-out of (stop) information about you being processed

If you do not want the NHS to use information about you collected by your GP, then you can opt out by completing an opt-out form and returning it to your GP practice. There are different types or levels of opt-out available; further information about these types is given below:

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital for purposes other than for your direct care you can register a type 2 opt-out with your GP practice.

Depending on the type of opt out you may choose, this will prevent your information being shared outside of your GP practice or NHS Digital for purposes beyond your direct care (except in special circumstances allowed by law, such as when there is a public health emergency or safeguarding issue).

Please be aware that the CCG does not hold or commission the retention of identifiable historical data (such as a data warehouse) and therefore any opt-out will be applied to the data provided by NHS Digital and the Data Services for Commissioner’s Regional Office (DSCRO).

It is entirely up to you whether the NHS can use your information or not – and if you choose to opt out this will not in any way affect the care or treatment you receive as a patient.

Please note that you may opt-out of your information being used for Risk Stratification. However, where this could affect your direct care (through case management, where this data assists GPs to identify the care needs of their patients), you will need to discuss this with your GP to be clear of the possible consequences.

Please contact your GP practice, the hospital or healthcare provider if you wish for them to stop processing information about you that is not for your direct care.

How to view the information we hold about you (Subject Access Request)

The CCG does not directly provide health care services and therefore you may need to contact your GP Practice or healthcare provider to see or be provided with copies of your medical record.

You can view or request copies of the records about you that we may hold (by making a “Subject Access Request”) by using the contact details below. If you wish to have a copy of the information we hold about you, please note that there may be a charge for this (up to a maximum of £50).

Request updates or corrections be made to the information held about you

You can request information is corrected which is factually inaccurate or incorrect.

Withdraw your consent to information being processed about you

You are able at any time to withdraw any previous consent you gave to permit the CCG to process information about you.

If you wish for the CCG to stop processing information about you or require any information as to how information is used then please contact us, marking your message for the attention of the Caldicott Guardian, who is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.

For independent advice, you can visit the Information Commissioner's Office (ICO) website here. The ICO is the UK's independent body set up to uphold information rights.

Data Protection Officer

The CCG has appointed Susan Hall, Information Governance Specialist Lead at Audit Yorkshire as our Data Protection Officer.  Susan can be contacted by emailing