This Privacy Notice sets out how we use this information in the best possible way.
What is this Privacy Notice about?
Our Privacy Notice provides a summary of how we use your information. Here, we’ll tell you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.
It is part of how we ensure we are open and transparent in the data processing activities we carry out in order to meet our commissioning obligations. It covers information we collect directly from you or receive from other individuals or organisations.
We will keep our privacy notice under regular review. This privacy notice was last reviewed in July
You can contact us if you have any questions or concerns about how we use your information.
Our Commitment to Data Privacy and Confidentiality
We are committed to protecting your privacy and will only process personal confidential data in accordance with the General Data Protection Regulation 2016 and Data Protection Act 2018 (Data Protection Legislation).
Somerset and South Gloucestershire CCG is a Data Controller under the terms of the Data Protection Legislation. We are legally responsible for ensuring that all personal information that we process, i.e. hold, obtain, record, use or share about you, is processed in compliance with the Data Protection
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is ZA325479 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential.
The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and support your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We only share information that identifies you when we have a fair and lawful basis.
- for the purposes of the provision of health or social care or treatment or the management of health or social care systems
- when we are lawfully able to, for example in order to carry out our official functions as a CCG and in the public interest
- when we are lawfully required to report certain information to the appropriate authorities, e.g. to prevent fraud or a serious crime
- to protect children and vulnerable adults
- you have given us permission
- when a formal court order has been served
- emergency planning reasons such as for protecting the health and safety
- when permission is given by the Secretary of State or the Health Research Authority to process confidential information without the explicit consent of individuals.
In general, the CCG will only rely on consent where it is clearly necessary in law. Where we have a legal basis for sharing and using data without consent, we will do so. This notice informs individuals about how their information is shared.
All information that we hold about you will be held securely and confidentially.
We use administrative and technical controls to do this including strict procedures and encryption. We use strict controls to ensure that only authorised staff are able to see information that identifies you. This means a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities. Our staff have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only use the minimum amount of information necessary about you.
We will only keep information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016. When appropriate we will confidentially and securely dispose of information in accordance with the Code of Practice.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK.
We will never sell any information about you.
You have certain legal rights, including a right to have your information processed fairly and lawfully. These rights are:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and
You have the right to privacy and to expect the NHS to keep your information confidential and secure.
You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Any individual has the right to register for a national data opt-out. To make such a request, please follow the link to the NHS Digital website. These are commitments set out in the NHS Constitution.
You can contact us if you have any questions or concerns about your data protection rights.
We’ll discuss alternative arrangements you can make and explain the
Complaints and suggestions
We try to meet the highest standards when collecting and using personal information. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We also welcome any suggestions for improving our procedures. Please see our Customer Services page for more information.
The Bristol, North Somerset and South Gloucestershire CCG Data Protection Officer (interim) is Thom Manning who can be contacted by email at email@example.com.
You can contact the Information Commissioner's Office (ICO) for independent advice about data protection, privacy and data-sharing issues.
Post: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Phone: 08456 30 60 60 or 01625 54 57 45.
Subject access requests
Individuals can find out if we hold any personal information by making a subject access request under the Data Protection legislation. If we do hold information about you we will:
- confirm that we are processing your personal data
- provide a copy of your personal information
- provide additional information, such as the reason why we hold your information, who we may have shared information with, how long we hold information.
If you would like to receive a copy of information we hold about you, your request should be made in writing by post or email to:
Post: NHS Bristol, North Somerset and South Gloucestershire CCG, South Plaza, Bristol BS1 3NX
Email: firstname.lastname@example.org
Confidentiality advice and support
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of service user and service user information, as well as enabling appropriate and lawful information-sharing.
Our Caldicott Guardian is Dr Martin Jones, Medical Director for Commissioning and Primary Care. Feel free to contact Dr Jones if you need advice or support about data protection.
Personal information we collect and hold
As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
- if you have made a complaint to us about healthcare that you have received and we need to investigate
- if you ask us to provide funding for Continuing Healthcare services
- if you are using our referral support service
- if you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
- if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user groups.
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you, or from health professionals and other staff directly involved in your care and treatment.
Our records may be held on paper or in a computer system. The types of information that we may collect and use include:
- Personal data: is defined in Data Protection Legislation as data or information about a living person, which also identifies that person or allows that person to be identified when combined with other information held by the organisation. Identifying information includes name, address, date of birth, postcode and NHS number.
- Special Category Data: is defined in Data Protection Legislation as information about an identifiable individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. Criminal offence data will also be included.
- Confidential Information: including both information ‘given in confidence’ and ‘that which is owed a duty of confidence’. This also includes ‘special category data’ as defined in the Data Protection Legislation.
Personal Confidential Data may include: your name, address, postcode, date of birth and NHS number; information about your appointments and clinic visits; reports and notes about your health, treatment and care; relevant information about people who care for you, such as next-of-kin and other health professionals.
- Pseudonymised Information: this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
- Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification.
The data used may relate to Primary or Secondary care. Primary Care data relates to primary care services such as GPs, pharmacists and dentists, including military health services and some specialised services.
Secondary care services include planned hospital care, rehabilitative care, urgent and emergency care, community health services, mental health services and learning disability services.
Data Protection Impact Assessments
Data Protection Impact Assessments (DPIAs) help organisations identify, assess and mitigate or minimise privacy risks with data processing activities. They’re particularly relevant when a new data processing process, system or technology is being introduced.
The table below shows the Data Protection Impact Assessments that have been completed in the first quarter of 2019/20.
| Reference number | Title | Date approved by Senior Information Risk Owner (SIRO) |
|---|---|---|
| A49 | Telederm - Dermatology Advice Service | 18/05/2018 |
| A61 | EMIS Search & Report | 03/09/2018 |
| A85 | Referral Service - Postal Solutions | 17/12/2018 |
| A58 | Health Care Associated Infections (HCAI) Investigation | 29/05/2019 |
| A98 | Implementation of ScriptSwitch | 06/06/2019 |
| A102 | Learning Disabilities Mortality Review (LeDeR) | 06/06/2019 |
Please contact us for details of a specific DPIA.
Please contact us if you have any questions or concerns about how we use your information.
For independent advice about data protection, privacy and data-sharing issues, you can contact the Information Commissioner's Office (ICO). You can also complain directly to the ICO.
You can find further information about how the NHS uses personal confidential data and your rights in:
- The NHS Care Record Guarantee
- The NHS Constitution
- An independent review of how information about service users is shared across the health and care system, led by Dame Fiona Caldicott, was conducted in 2012. The report is Information: To share or not to share? The Information Governance Review.
- Please visit the NHS Digital website for further information about their work. The Guide to Confidentiality provides a useful overview of the subject.
- The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998.
- The NHS Health Research Authority (HRA) protects and promotes the interests of patients and the public in health and social care research.