How we use your information

We are commissioners of health services for the people of Bristol, North Somerset and South Gloucestershire. This means we use information about you to help us do our work effectively, efficiently and safely.

This Privacy Notice sets out how we use this information in the best possible way.

National Fraud Initiative – Privacy Notice

As part of the fair processing notification, participating organisations are required to publish a privacy notice.


What is this Privacy Notice about?

Our Privacy Notice provides a summary of how we use your information. Here, we’ll tell you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It is part of how we ensure we are open and transparent in the data processing activities we carry out in order to meet our commissioning obligations. It covers information we collect directly from you or receive from other individuals or organisations.

We will keep our privacy notice under regular review. This privacy notice was last reviewed in July 2019.

You can contact us if you have any questions or concerns about how we use your information.

Our Commitment to Data Privacy and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 (Data Protection Legislation).

Bristol, North Somerset and South Gloucestershire CCG is a Data Controller under the terms of the Data Protection Legislation. We are legally responsible for ensuring that all personal information that we process (i.e. hold, obtain, record, use or share) about you is processed in compliance with the Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZA325479 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential.

The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and support your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We only share information that identifies you when we have a fair and lawful basis.

This includes:

  • for the purposes of the provision of health or social care or treatment or the management of health or social care systems
  • when we are lawfully able to, for example in order to carry out our official functions as a CCG and in the public interest
  • when we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime
  • to protect children and vulnerable adults
  • when you have given us permission
  • when a formal court order has been served
  • emergency planning reasons such as for protecting the health and safety of others
  • when permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals.

In general, the CCG will only rely on consent where it is clearly necessary in law. Where we have a legal basis for sharing and using data without consent, we will do so. This notice informs individuals about how their information is shared.

All information that we hold about you will be held securely and confidentially.

We use administrative and technical controls to do this including strict procedures and encryption. We use strict controls to ensure that only authorised staff are able to see information that identifies you. This means a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. Our staff have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

We will only keep information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. When appropriate we will confidentially and securely dispose of information in accordance with the Code of Practice.

Overseas transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Your rights

You have certain legal rights, including a right to have your information processed fairly and lawfully.  These rights are:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

You have the right to privacy and to expect the NHS to keep your information confidential and secure.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Any individual has the right to register for a national data opt-out. To make such a request, please follow the link to the NHS Digital website. These are commitments set out in the NHS Constitution.

You can contact us if you have any questions or concerns about your data protection rights. We’ll discuss alternative arrangements you can make and explain the consequences.

Complaints and suggestions

We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures. Please see our Customer Services page for more information.

The Bristol, North Somerset and South Gloucestershire CCG Data Protection Officer (interim) is Thom Manning who can be contacted by email at

You can contact the Information Commissioner's Office (ICO) for independent advice about data protection, privacy and data-sharing issues. 

Post: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Phone: 08456 30 60 60 or 01625 54 57 45.

Subject access requests

Individuals can find out if we hold any personal information by making a subject access request under the Data Protection legislation. If we do hold information about you we will:

  • confirm that we are processing your personal data
  • provide a copy of your personal information
  • provide additional information, such as the reason why we hold your information, who we may have shared information with, how long we hold information.

If you would like to receive a copy of information we hold about you, your request should be made in writing by post or email to:

Post: NHS Bristol, North Somerset and South Gloucestershire CCG, South Plaza, Bristol BS1 3NX


Confidentiality advice and support

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of service user and service user information, as well as enabling appropriate and lawful information-sharing.

Our Caldicott Guardian is Dr Martin Jones, Medical Director for Commissioning and Primary Care. Feel free to contact Dr Jones if you need advice or support about data protection.


Personal information we collect and hold

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • if you have made a complaint to us about healthcare that you have received and we need to investigate
  • if you ask us to provide funding for Continuing Healthcare services
  • if you are using our referral support service
  • if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user groups.

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you, or from health professionals and other staff directly involved in your care and treatment.

Our records may be held on paper or in a computer system. The types of information that we may collect and use include:

  • Personal data: is defined in Data Protection Legislation as data or information about a living person, which also identifies that person or allows that person to be identified when combined with other information held by the organisation. Identifying information includes name, address, date of birth, postcode and NHS number.
  • Special Category Data: is defined in Data Protection Legislation as information about an identifiable individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. Criminal offence data will also be included.
  • Confidential Information: including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. This also includes ‘special category data’ as defined in the Data Protection Legislation.

Personal Confidential Data may include: your name, address, postcode, date of birth and NHS number; information about your appointments and clinic visits; reports and notes about your health, treatment and care; relevant information about people who care for you, such as next-of-kin and other health professionals.

  • Pseudonymised Information: this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
  • Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification.

The data used may relate to Primary or Secondary care. Primary Care data relates to primary care services such as GPs, pharmacists and dentists, including military health services and some specialised services.

Secondary care services include planned hospital care, rehabilitative care, urgent and emergency care, community health services, mental health services and learning disability services.

Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) help organisations identify, assess and mitigate or minimise privacy risks with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced.

The table below shows the Data Protection Impact Assessments that have been completed in the first quarter of 2019/20.

| Reference number | Title | Date approved by Senior Information Risk Owner (SIRO) |
|---|---|---|
| A49 | Telederm - Dermatology Advice Service | 18/05/2018 |
| A51 | Carnall Farrar | 14/06/2018 |
| A61 | EMIS Search & Report | 03/09/2018 |
| A43 | Onefront door | 03/10/2018 |
| A85 | Referral Service - Postal Solutions | 17/12/2018 |
| A58 | Health Care Associated Infections (HCAI) Investigation | 29/05/2019 |
| A98 | Implementation of ScriptSwitch | 06/06/2019 |
| A102 | Learning Disabilities Mortality Review (LeDeR) | 06/06/2019 |

Please contact us for details of a specific DPIA.

Contact us

Please contact us if you have any questions or concerns about how we use your information.

For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner's Office (ICO). You can also complain directly to the ICO.

Further information

You can find further information about how the NHS uses personal confidential data and your rights in: