This privacy notice tells you about information we obtain, hold and use about you. It describes what we do with it, how we will look after it and who we share it with. It covers information we collect directly from you as well as information we may get from other individuals or organisations.
This notice does not provide exhaustive detail. However, we keep and maintain accurate and detailed records about how your information is used. We can provide further detail and explanation outside of this information should it be requested and without charge. Contact details for us can be found at the end of this page.
Any requests for further information should be sent to the contact address at the bottom of this page.
- Who we are
- The sorts of information we use
- Information we collect
- Reasons we might need to use personal information
- Finance/validating invoices
- Risk stratification and proactive care management
- The legal basis for data flows
- Section 251 of the NHS Act 2006
- How long we hold information for and our destruction arrangements
- Sharing your information with other organisations or individuals (third parties)
- Other organisations that provide services for us
- Protecting your privacy
- Your rights
- Subject access requests and requests to correct errors
- Our contact details
Who we are
NHS Greater Nottingham Clinical Commissioning Group Partnership is made up of Nottingham City CCG, Nottingham North and East CCG, Nottingham West CCG and Rushcliffe CCG.
The Partnership has many different roles and responsibilities. A major part of our work is effective planning, buying and monitoring of services from healthcare providers, such as hospitals and GP Practices in the local area. This means making sure that the NHS services that people need in the Nottingham area are available as well as making sure that those services are high quality and value for money. This is known as “commissioning”.
For more information please see our About us section.
The sorts of information we use
For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the NHS.
Read more: The sorts of information we use
Information we collect
We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose which will mean you would not be able to be identified from that information.
Read more: Information we collect
Reasons we might need to use personal information
The areas where we use personal information are:
- Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS.
- Continuing Healthcare Assessments (a package of care for those with complex medical needs).
- Responding to your queries, concerns or complaints.
- Incident investigations.
- Assessment and evaluation of safeguarding concerns for individuals.
- If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations.
- Staff personal confidential information for employment purposes (see below for further information about staff personal information use).
Read more: Reasons we might need to use personal information
Invoice validation is an important process in ensuring that patient care is paid for correctly. It involves using a patient’s NHS number to check which is the CCG responsible for paying for their treatment. We can also use a NHS number to check that care has been funded through specialist commissioning, which NHS England pays for.
The process makes sure that the organisations providing care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment within the CCG. The use of personal data by CCGs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and it is anticipated this will be in place until at least end of September 2018. This approval provides the legal basis for the CCGs to process personal data for invoice validation purposes.
Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes. This is called risk stratification for case-finding.
The CCGs use risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCGs do not have access to person identifiable data. The information is pseudonymised.
The legal basis for data flows
The CCGs process personal data under a variety of legal bases depending on the data being processed and the purposes it is processed.
Read more: The legal basis for data flows
Section 251 of the NHS Act 2006
The Secretary of State for Health gives limited permission for CCGs (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation.
This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group.
Read more: Section 251 of the NHS Act 2006
How long we hold information for and our destruction arrangements
All records held by the CCGs will be kept for the duration specified by national guidance from NHS Digital (Information Governance Alliance), found in the Records Management Code of Practice for Health and Social Care 2016.
In all circumstances data will be retained in accordance with data protection requirements and ‘kept for no longer than is absolutely necessary’.
Once data is no longer required it will be destroyed securely:
- Paper records will be destroyed in line with international standards. Where external confidential waste suppliers are used these will be under contract and assurance that destruction meets the necessary legal requirements and standards.
- For digital media permanent destruction will be achieved by over writing the media a sufficient number of times or physical destruction of media by breaking it up into small pieces.
Sharing your information with other organisations or individuals (third parties)
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
Read more: Sharing your information with other organisations or individuals (third parties)
Other organisations that provide services for us
We have entered into contracts with other NHS organisations to provide other services for us. These include holding and processing data including patient information on our behalf in provision of Information Technology (IT) services or providing human resources services for our staff. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained, that procedures are in place to keep information secure and protect privacy.
Read more: Other organisations that provide services for us
Protecting your privacy
We are committed to protecting your privacy and will only process personal information in accordance with GDPR/ data protection law, the Human Rights Act 1998 and the Common Law Duty of Confidence.
Read more: Protecting your privacy
You have certain legal rights, including:
- to have your information processed fairly and lawfully
- to request access any personal information we hold about you
- the right to privacy, and to expect the NHS to keep your information confidential and secure
- to request that your confidential information is not used beyond your own care and treatment and to have your objections considered
- to request that any inaccurate data that we hold about you is corrected
- in some circumstances to have data erased
These are commitments set out in the NHS Constitution.
Subject Access Requests and requests to correct errors
Individuals can access personal information about them by making a ‘subject access request’ under the EU General Data Protection Regulation.
Read more: Subject Access Requests and requests to correct errors
If you do not wish us to share or process your information for purposes beyond your direct care, or have any concerns then please let us know. We may need to explain the possible impact this could have on our ability to help you, and discuss the alternative arrangements that are available to you.
Read more: Opting out
Staff related information
Job Applications, Current and Former Employees
When individuals apply to work at Greater Nottingham Clinical Commissioning Partnership, we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference we will not do so without informing them beforehand unless the disclosure is required by law.
Read more: Staff related information
The links below give more information about your rights and the ways that the NHS uses personal information:
- NHS Care Record Guarantee
- NHS Constitution
- Confidentiality: The NHS Code of Practice
- Health Research Authority’s Confidentiality and Advisory Group
- An independent review named Information: To share or not to share? The Information Governance Review was conducted in 2012.
- Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides more information about the data used to support commissioning
- NHS England advice for CCGs and GPs on information governance and risk stratification
- NHS Digital
- The Information Commissioner (the Regulator for the Data Protection Act 2018, who can offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information)
If you have any questions or concerns regarding how we use your information or wish to submit a Subject Access Request for access to personal information, please contact us at:
NHS Greater Nottingham CCGs Partnership
Rm 3.05 1 Standard Court, Park Row, Nottingham NG1 6NG
Telephone: 0115 883 9508
The contact details for the Greater Nottingham CCGs' Caldicott Guardian who is the most senior person in the organisation responsible for patient confidentiality are:
Nichola Bramhall, Chief Nurse & Director of Quality: Nichola.Bramhall@nhs.net
Data Protection Officer
NHS Greater Nottingham Clinical Commissioning Partnership
Rm 3.05 1 Standard Court, Park Row, Nottingham NG1 6NG
Telephone: 0115 883 9508