
Your Health Records

Your Information and how we use it

Fair Processing Notice – Data Protection Act 1998

Glossary of terms

A full glossary of any legal terms used can be found in Appendix A - Glossary. If you require anything explained in further detail, please use the ‘further information’ section.

Who we are

As a commissioning organisation, our purpose is not to provide direct care, so we do not routinely hold or receive information about patients and service users in a format from which they can be identified. However, in certain circumstances we may require some patient data, as explained in this document. The CCG has various roles and responsibilities, but a major part of our work involves making sure that:

  • contracts are in place with local health service providers;
  • routine and emergency NHS services are available to patients;
  • those services provide high quality care and value for money; and
  • those services are paid for the care and treatment they have provided.

This is called “commissioning” and is explained in more detail on our website at: 

Accurate, timely and relevant information is essential for our work to help us to design and plan current and future health and care services, evidence and review our decisions and manage budgets. The following information explains why we use information, who we share it with, how we protect your confidentiality and your legal rights and choices.

We are committed to protecting your rights to confidentiality

We want patients to understand:

  • How the CCG uses and shares information
  • How GPs use and share your information
  • Your health record, what it contains and how you can access it
  • When you can choose to opt-out of your personal information being collected or shared and what this will mean to you.

Why we collect information about you

Information about your health and care held in your health records is confidential and not routinely shared with the CCG for direct health care purposes. However, there may be times when we need to hold and use certain information about you, for example:

  • Individual Funding Requests - a process where patients and their GPs or Consultants can request treatments not routinely funded by the NHS
  • Assessments for continuing healthcare (a package of care for those with complex medical needs)
  • The management of referrals from GP Practice to another care provider
  • Responding to your queries, concerns or complaints
  • Assessment and evaluation of safeguarding concerns for individuals
  • Incident investigations

This may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

We may also hold identifiable information, at the level of NHS number, or use de-identified or anonymised information for non-direct health care purposes such as:

  • determining the general health needs of the population
  • ensuring that our services meet future patient needs
  • teaching and training healthcare professionals
  • investigating complaints, legal claims, etc.
  • conducting health research and development
  • preparing statistics on NHS performance
  • auditing NHS accounts and services
  • paying your health care provider

Access to the identifiable information is strictly controlled and it is only used when it is absolutely necessary to use identifiable information. The CCG currently pseudonymises this information for non-direct health care purposes.

In the circumstances where we are required to hold or receive personal information we will only do this if:

  • The information is necessary for the direct healthcare of patients
  • We have received explicit consent from individuals to be able to use their information for a specific purpose
  • There is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order or legislation)
  • We have permission from the Secretary of State for Health to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care.

The Health and Social Care Information Centre (now known as NHS Digital) has published a guide to confidentiality in health and social care that explains the various laws and rules about the use and sharing of confidential information. A table showing the legal basis for our data use can be found in Appendix B - Legal basis. Please note that this list is not exhaustive; for any further information, please contact the CCG directly using the contact details in ‘Further Information’.

How we use your information

Investigating complaints

In order to accurately investigate complaints we will need to access certain identifiable information about you. We will seek your explicit consent to do this.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that, however, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with NHS Retention. Details can be found in the section - How long do we keep your information for?

  • It will be retained in a secure environment and access to it will be restricted according to a ‘need to know’ basis.
  • If you wish to make a complaint, please contact the CCG directly using the contact details in the ‘further information’ section.

Invoice validation

Invoice validation is an important process. It involves using your NHS number to check that we are the CCG that is responsible for paying for your treatment. Eastern Cheshire is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables us to process patient identifiable information without consent for the purposes of invoice validation – CAG 7-07(a)(b)(c)/2013.

We can also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly.

Risk stratification

Risk stratification is a process GPs use to help them to identify and support patients with long-term conditions and to help prevent unplanned hospital admissions or reduce the risk of certain diseases developing, such as type 2 diabetes. This is called risk stratification for case-finding.

The CCG also uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning.

Risk stratification tools use historic information about patients, such as age, gender, diagnoses and patterns of hospital attendance and admission collected by NHS Digital from NHS hospitals and community care services. This is sometimes linked to data collected in GP practices and analysed to produce a risk score.

GPs are able to identify individual patients from the risk stratified data when it is necessary to discuss the outcome and consider preventative care. Where the risk stratification process has linked GP data to health data obtained from other sources i.e. NHS Digital or other health care provider, the GP will ask for your permission to access the details of that information.

How we use information provided by NHS Digital

We use information collected by NHS Digital from healthcare providers such as hospitals, community services and GPs, which includes information about the patients who have received care and treatment from the services that we fund.

The data we receive does not include patients’ names or home addresses, but it may include information such as your NHS number, postcode, date of birth, ethnicity and gender as well as coded information about your visits to clinics, Emergency Department, hospital admissions and other NHS services.

The Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work and whilst changes are made to our systems that ensure de-identified information is used for all purposes other than direct care. This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the advice of the Health Research Authority’s Confidentiality and Advisory Group.

In order to use this data, we have to meet strict conditions that we are legally required to follow, which includes making a written commitment to NHS Digital that we will not use information in any way that would reveal your identity. These terms and conditions can be found on the NHS Digital website.

How GP Practices use information about your health and care

Your GP keeps information about your health and the care and treatment you receive in your health record. This information is used by your doctor, nurse and other healthcare professionals to assess your health and, together with you, decide the appropriate care for you.

With your agreement, your GP may refer you to other services such as community care, Out of Hours or hospital. Your GP will share information about you only with the healthcare professionals involved in providing your care. Other services and health care providers will normally tell your GP surgery about the treatment they provide you and your GP or nurse will include this in your record. Further details can be found below in the section on Sharing & Consent. 

You have the right to see information your GP practice holds about you. They may charge for this. Please ask them about this.

It may also be necessary to share your information with non-NHS services or health providers but only in accordance with the rights of the individual and statutory obligations or by law.

How we keep your records confidential

Everyone working for the NHS is required to comply with the Data Protection Act 1998 or, in circumstances when this is not applicable, is subject to the Common Law Duty of Confidence. Information provided to us in confidence will only be used for the purposes stated and where you have given your consent, unless there are other circumstances covered by the law.

Under the Data Protection Act 1998, all of our staff are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. Any decisions you make about how we can use information we hold about you will be recorded along with that information.

We also take relevant organisational and technical measures to ensure the information we hold is secure.

All NHS organisations must comply with the NHS Care Records Guarantee. The document sets out the rules that govern how patient information is used in the NHS and what controls a patient can have over this.

It covers people's access to their own records; controls on others' access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves.

How long do we keep your information for?

Information in the CCG is held for a specific length of time depending on the type of information it is. The length of time we retain your information for is defined by the NHS retention schedule which can be viewed online here: NHS Digital Records Management Code of Practice for Health and Social Care 2016.

Once information has been reviewed and is no longer required to be kept by a retention period the information will be securely destroyed.

Other NHS organisations with whom we share your Personal Information 

We may share your information with other NHS services who are involved in your direct care, such as Hospital and Community Trusts, General Practitioners (GPs) or Ambulance Services.

We may need to share your information with other commissioning organisations to allow us to effectively support the purpose for which you have provided the information, for example to manage a complaint or investigation.

Some of the services outlined above in the section “Why we collect information about you” are provided by Midlands and Lancashire Commissioning Support Unit, acting as a data processor on behalf of the CCG.

We also contract with other organisations to provide a range of services to us such as data analysis, Human Resource and IT services. In these instances we ensure that our partner agencies handle our information under strict conditions and in line with the law.

A list of organisations who process data on our behalf can be found in Appendix C - Data Processors.

Information Sharing with Non-NHS Organisations

For your benefit, we may also need to share information we hold about you with other non-NHS organisations from which you are also receiving care, such as Social Services. However, we will not disclose any information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of others is at risk or where the law requires it.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always seek consent prior to any information being shared. If you choose not to consent to this when asked, then that decision will be recorded and upheld.

Your rights under the Data Protection Act

Patients and service users, as data subjects, have a number of rights under the Data Protection Act, including a general right of access to personal data (electronic or paper) held about them.

Right of Access

You can make your own application to see the information we hold about you, or you can authorise someone else to make an application on your behalf. A parent or guardian, a patient representative, or a person appointed by the Court may also apply. If you wish to access your personal data, then please write to:

NHS Eastern Cheshire Clinical Commissioning Group
New Alderley House, Victoria Road, Macclesfield, Cheshire SK10 3BL
T: 01625 663477

In order to fulfil our responsibilities under the Act, you may be asked to provide proof of your identity, and any further information required to locate the record you have requested.

Objections and “opting out”

At any time you have the right to refuse/withdraw consent, in full or in part, to the sharing or processing of information from which you could be identified. If you wish to do so, the possible consequences of opting out will be fully explained to you to allow you to make an informed decision.

If you wish to discuss what the potential consequences or impact may be on yourself or services by opting out, please contact the CCG via the details in the ‘Further Information’ section.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. These commitments are set out in the NHS Constitution.

If you do not want your personal information to be shared and used for purposes other than your care and treatment, then you should contact the GP Practice you are registered with and ask for further information about how to register your objections. This should not affect the care and treatment you receive. See section on Patient Control of Information for further details.

Patient control of information 

You may want to prevent confidential information about you from being shared or used for any purpose other than providing your care unless one of the following criteria applies which means that it isn’t possible to opt out of having your information shared:

  • The information is used to support your direct care and treatment
  • You have consented to the use of your information (whether before or after registering your type 2 opt-out) for a specific purpose such as a research study
  • A mandatory legal requirement (such as a court order) exists.
  • The information released is not considered to be identifiable personal confidential data
  • The information is made available in anonymised form
  • The information is used to support the management of communicable diseases and other risks to public health under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002

There are two choices available to you:

  • You can object to information about you leaving a GP Practice in an identifiable form for purposes other than your direct care, which means confidential information about you will not be shared with the CCG, NHS Digital or other organisation for any non-direct care purpose. This is referred to as a 'type 1' objection.
  • In addition, you can object to information about you leaving NHS Digital in identifiable form, which means confidential information about you will not be sent to anyone outside NHS Digital. This is referred to as a 'type 2' objection.
    Information from other places where you receive care, such as hospitals and community services, is collected nationally by NHS Digital.

If you do not want information that identifies you to be shared outside your GP practice, please speak to a member of staff at your GP practice to ask how to “opt-out”.

The Practice will add the appropriate code to your records to prevent your confidential information from being used for non-direct care purposes. Please note that these codes can be overridden in special circumstances required by law, such as a civil emergency or public health emergency.

If you do not want your personal confidential information to be shared outside of NHS Digital for purposes other than for your direct care you can register a type 2 opt-out with your GP practice. If you wish to discuss what the potential consequences or impact may be on yourself or services by opting out, please contact the CCG via the details in the ‘Further Information’ section.

Please note that you are only able to register the opt-out at your GP practice.

For further information and support relating to type 2 opt-outs please contact the NHS Digital contact centre at  referencing 'Type 2 opt-outs - Data requests' in the subject line; call NHS Digital on (0300) 303 5678; or alternatively visit the website. In both cases, it is still necessary for NHS Digital to hold information about you in order to ensure data is managed in accordance with your expressed wishes. Please see “Patient Objections Management” on the NHS Digital website for further information.

Further information about your right to opt-out from the NHS programme will be posted here shortly when it is available from NHS England.

If you have questions about this, please speak to staff at your GP practice, check NHS Digital frequently asked questions, or call their dedicated patient information line on 0300 456 3531.

Withholding information about you

Information may be withheld if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld.

Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.

Correcting inaccurate information

We have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you. 

If your information is not accurate and up-to-date, you can ask us to correct the record. If we agree that the information is inaccurate or incomplete, it will be corrected. If we do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention.

Further Information and Complaints

If you would like to know more about how we use your information, if (for any reason) you do not wish to have your information used in any of the ways described above, or if you would like to make a complaint about how the CCG uses your data, please contact:

NHS Eastern Cheshire Clinical Commissioning Group
New Alderley House, Victoria Road, Macclesfield, Cheshire SK10 3BL
T: 01625 663477

For confidentiality advice and support the CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service users and service user information and enabling appropriate and lawful information sharing. The contact details of our Caldicott Guardian are as follows:
Mike Purdie
Corporate Programmes and Governance Manager
T: 01625 663470

For independent advice about data protection, privacy and data-sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane
Phone: 08456 30 60 60 or 01625 54 57 45

Data Protection Statement 

Eastern Cheshire CCG is a ‘Data Controller’ under the Data Protection Act 1998. This means we are legally responsible for ensuring that all personal data that we hold and use is done so in a way that meets the data protection principles. We must also tell the Information Commissioner about all of our data processing activity. Our registration number is Z3583640 and our registered entry can be found on the Information Commissioner’s website.

All of our staff receive training to ensure they remain aware of their responsibilities. They are obliged in their employment contracts to uphold confidentiality, and may face disciplinary procedures if they do not do so. A limited number of authorised staff have access to personal data where it is appropriate to their role.

We have entered into contracts with other organisations to provide services for us. These organisations include:

  • Midlands and Lancashire Commissioning Support Unit - Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, HR
  • Arden and GEM CSU - DSCRO
  • Salford Royal NHS Foundation Trust hosting: Advancing Quality Alliance (AQuA)
  • Salford Royal NHS Foundation Trust hosting: Academic Health Sciences Network (Utilisation Management Team)
  • Shared Business Service / St Helens and Knowsley NHS Trust – Staff Payroll
  • Hill Dickinson – Legal Claims
  • NHS Litigation Authority – Legal Claims
  • Cheshire East Council – Safeguarding adults and children

This includes holding and processing data including patient information on our behalf. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained and that procedures are in place to keep information secure and protect privacy. These conditions are written into legally binding contracts, which we will enforce if our standards of information security are not met and confidentiality is breached.

We will not share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the Data Protection Act (Principle 8).

Appendix A – Glossary

• Identifiable information
Information which the CCG could potentially identify a person from, such as information containing an NHS number, postcode or a set of information which would identify an individual. This may apply if the person is living or deceased.
• De-identified or anonymised information
Information which could not be used to identify a person. This kind of information is still required by a CCG for planning, commissioning or research purposes. Anonymised data must comply with the ICO's Anonymisation: managing data protection risk code of practice.
• Pseudonymised Information
Information which by itself is not identifiable but contains information or a code which can be combined with other information held by the same organisation or another organisation to identify an individual from it.
• Risk stratified data
Data which has been provided from a GP to NHS Digital or local provider to identify the patients who are at high risk, so that better care or support can be provided to the patient in advance.
• Direct health care
Direct care of a patient is provided personally by a health professional. Direct patient care may involve any aspects of the health care of a patient, including treatments, counselling, self-care, patient education and administration of medication.
• Primary Care Data
This is data from Primary Care Services which is identifiable medical information - In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists.
• Secondary Care Data
Secondary Care Data is used for the national reporting of secondary care activity which is either NHS funded, and/or provided by NHS organisations. Datasets are securely submitted to the Secondary Users Service (SUS). Secondary Care Data allows CCGs to design better services for patients.

More information on SUS data can be found on the NHS Digital Website: 

Appendix B – Legal basis 


For each purpose, the entries below give the data required, the reason for the data and the legal basis.

  • Data required: We receive identifiable personal information direct from yourself along with any data from other sources which you give us permission to access to allow us to process and investigate your complaint. The CCG will only hold the minimum information required to process your complaint.
  • Reason for the data: To process your personal information if it relates to a complaint where you have asked for our help or involvement.
  • Legal basis: Explicit consent is provided to action complaints containing your identifiable information.

Individual Funding Requests (IFR)

  • Data required: The initial information comes from Primary Care. To continue with using this information for your IFR request we require further information from yourself, along with any data from other sources which you give us permission to access to allow us to process your request.
  • Reason for the data: When we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts.
  • Legal basis: The initial assessment is carried out by a health professional then explicit consent will be gained to continue.

Continuing Healthcare

  • Data required: The initial information comes from Primary Care. To continue with using this information for your CHC request we require further information from yourself, along with any data from other sources which you give us permission to access to allow us to process your request.
  • Reason for the data: We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.
  • Legal basis: The initial assessment is carried out by a health professional then explicit consent will be gained to continue.

  • Data required: The information may be primary care data or may be information provided from a member of the public or staff.
  • Reason for the data: We will need to collect and process identifiable information where there are specific safeguarding concerns.
  • Legal basis: It is not always possible to rely on explicit consent to process information for safeguarding purposes. Where consent cannot be gained we will use a statutory basis.

Risk stratification

  • Data required: The data is initially primary care data. This data is then provided to the risk stratification provider (as detailed in appendix C) who will cross reference the information to give a risk score for patients. The CCG will not see identifiable primary care data.
  • Reason for the data: Identifying patients who are at a high risk of hospital admission. The risk stratification tool used utilises primary care data from GPs or people who have not made a Type 1 objection. This data is pseudonymised and linked with data from NHS Digital to provide a risk score for each patient. The CCG will not see the identifiable data within this process.
  • Legal basis: The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority under S251 and this approval has been extended to April 2017.

Invoice Validation

  • Data required: The Invoice validation process involves using your NHS number and occasionally your postcode or date of birth to establish which NHS organisation is responsible for paying for your treatment. The information is only accessible by named staff in a controlled environment.
  • Reason for the data: Information is used within a controlled setting (known as a Controlled Area for Finance) to ensure that organisations have provided the correct care and can be paid.
  • Legal basis: Eastern Cheshire CCG is an accredited Controlled Environment for Finance (CEfF) under a Section 251 exemption which enables us to process patient identifiable information without consent for the purposes of invoice validation – CAG 7-07(a)(b)(c)/2013.

  • Data required: Secondary Use data is available to the CCG as a dataset from NHS Digital. The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The dataset information is not identifiable. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
  • Reason for the data: To collect and report NHS data we are responsible for.
  • Legal basis: We are required to provide NHS Digital with certain datasets of information. The legal basis for this is statutory. Further details can be found here: SUS data

The data comes from NHS Digital and relates to service users who are registered to a GP in a CCG area. The datasets are used in a format which does not directly identify individuals.

Patient and public involvement

  • Data required: We receive identifiable information direct from yourself.
  • Reason for the data: If you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.
  • Legal basis: Explicit consent is required to use your information for these purposes.

For other organisations we have commissioned

  • Data required: We share the minimum information necessary to allow the data processors to act on our behalf. Each contract will have a specific list of information to be shared and the legal basis allowing us to legitimately share the information.
  • Reason for the data: We commission some services to be provided on our behalf. These are known as ‘data processors’.

  • Data required: We will hold some information in anonymised form to complete research projects. If the research requires identifiable or pseudonymised primary care data then you will be contacted for consent before the information is accessible to the CCG. You can object to your information being used for research purposes in identifiable or non-identifiable form. Please speak to your GP if you wish to notify your objections.
  • Reason for the data: To support and conduct research proposals and activities.
  • Legal basis: We will seek explicit consent for research requiring identifiable information. Some research will be conducted using anonymised information. We will not require consent for these purposes.


Appendix C – Data Processors

These are details of our data processors and the function that they carry out on our behalf. All organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.

  • Risk Stratification, Invoice Validation, Commissioning Intelligence analysis, HR - Midlands and Lancashire Commissioning Support Unit (CSU), Kingston House, 438-450 High Street, West Bromwich, West Midlands, B70 9LD
  • Staff Payroll - Shared Business Service / St Helens and Knowsley NHS Trust
  • DSCRO: Provision of data management services on behalf of NHS Digital - NHS Arden and Greater East Midlands (GEM) Commissioning Support Unit (CSU), St John’s House, East Street, Leicester, LE1 1NB
  • Salford Royal NHS Foundation Trust hosting: Advancing Quality Alliance (AQuA)
  • Salford Royal NHS Foundation Trust hosting: Academic Health Sciences Network (Utilisation Management Team)
  • Legal Claims - Hill Dickinson and NHS Litigation Authority
  • Safeguarding adults and children - Cheshire East Council