Fair Process Notice East Berkshire CCG

How Your Information is Used – Fair Processing Notice

Who we are

NHS East Berkshire Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.

For further information please refer to the ‘About Us’ page on our internet:

About us

What is this Fair Processing Notice about?

This Fair Processing Notice (also known as a Privacy Notice) is part of our programme to make the data processing activities we are carrying out in order to meet our commissioning obligations transparent.

This notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.

It covers information we collect directly from you or receive from other individuals or organisations.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to this email address:

Eastberksccgs.enquiries@nhs.net , or by post to:

East Berkshire Clinical Commissioning Group (CCG)
King Edward VII Hospital
St Leonard’s Road

Reviews of and Changes to our Fair Processing Notice

We will keep our Fair Processing Notice under regular review. This notice was last reviewed in September 2016.

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

NHS East Berkshire CCG is a Data Controller under the terms of the Data Protection Act 1998. We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is done in compliance with the 8 Data Protection Principles.

All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is A8265660 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served upon us;


  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals

The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on- going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.

Overseas Transfers

Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.

Your Rights

You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.

You have the right to privacy and to expect the NHS to keep your information confidential and secure.

You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.

These are commitments set out in the NHS Constitution, for further information please visit https://www.gov.uk/government/publications/the-nhs-constitution-for-england

You have the right to withdraw consent to us sharing your personal information if you do not wish us to process or share your information.

If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.

You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact the CCGs Patient Advice and Liaison Service, CSCSU.PALSCOMPLAINTS@nhs.net. Telephone: 0300 123 6258.

What is the patient opt-out?

The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own direct care and treatment and to have your objections considered”.

Direct care is defined as a clinical, social or public health activity concerned with the prevention, investigation and treatment of illness and the alleviation or suffering of individual.

Indirect care is defined as work within the health and social care which does not involve the direct treatment or support of individuals e.g. research, commissioning and much of the work done in public health.

There are several forms of opt-outs available at different levels. These include for example:

A. Information directly collected by the CCG:

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation.

B. Information not directly collected by the CCG, but collected by organisations that provide NHS services:

Type 1 Opt-Out

If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 Opt-Out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register an opt-out at their GP practice.

Records for patients who have registered a ‘Type 1 Opt-Out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.

Type 2 Opt-Out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.

To support NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care, this is known as a ‘Type 2 Opt-Out

If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 Opt-Out’ with your GP practice.

Patients are only able to register an opt-out at their GP practice.

Further Information and Support about Type 2 Opt-Outs:

For further information and support relating to Type 2 Opt-Outs, please contact NHS Digital Contact Centre at enquiries@hscic.gov.uk referencing ‘Type 2 Opt-Outs – Data Requests’ in the subject line; or

Alternatively, call NHS Digital on (0300) 303 5678; or

Visit the website http://digital.nhs.uk/article/7092/Information-on-type-2-opt-outs

There may be occasions when it is not possible to exercise your right to “Opt Out”, this will be in situations such as when we have an obligation by law or for the purposes of safeguarding.

It is also important to note that by exercising your right to “Opt Out”, there could be consequences. These situations will be discussed with you by your GP or by NHS Digital depending on whether you choose Type 1 Opt-Out or Type 2 Opt-Out.

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

Subject Access Requests

Individuals can find out if we hold any personal information by making a ‘Subject Access Request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to;
  • Let you have a copy of the information in an intelligible form; and
  • Correct any mistakes to information held

For further information on how to make a request go to:

Freedom of Information

If you require further advice, you can contact us on: 01753 636872 or via email: eastberksccgs.enquiries@nhs.net or put your request in writing to:

The FOI Coordinator,
NHS East Berkshire Clinical Commissioning Group,
King Edward VII Hospital,
St. Leonards Road,

Confidentiality Advice and Support

The CCG has an Executive Directior responsible for protecting the confidentiality of patient information. This person is called the Caldicott Guardian who oversees the arrangements for the use and sharing of patient identifiable information. The Guardian plays a key role in ensuring that the NHS, Councils with Social Services and Public Health responsibilities and Partner Organisations satisfy the highest practical standards for handling patient identifiable information. Acting as the ‘conscience’ of the organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share and advises on options for lawful and ethical processing of information.

The Caldicott Guardian for this organisation is:

Sarah Bellars
Director of Nursing and Quality
Telephone: 01753 860441

Personal Information we collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • If you have made a complaint to us about healthcare that you have received and we need to investigate
  • If you ask us to provide funding for Continuing Healthcare services
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or Service User or Patient Participation
  • Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.

Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:

Information Table

Our Uses of Information

Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information:

Risk Stratification.1
Risk Stratification.2
Invoice Valadation
Patient Public Involvement
Primary And Secondary Care
Cabinet Office

Support Services

The CCG will use other organisations to provide us with support services. These organisations will process information on our behalf. These organisations are known as “data processors” and will provide additional expertise to support the work of East Berkshire CCG:

Legal Basis
East Berkshire CCG are committed to ensure that a legal basis is identified for all flows of personal identifiable to external organisations.

The CCG ensures that this is supported by use of an NHS Standard Contract which is mandated by NHS England for use by commissioners for all contracts for healthcare services other than primary care. The NHS Standard Contract covers:

• confidential information of all parties (Section: GC20),
• patient confidentiality, data protection, freedom of information and transparency (Section: GC21)

In addition a Data Sharing Framework Contract (DSFC) and Data Sharing Agreement (DSA) are in place with NHS Digital for the release of patient level data and Service Level Agreements are in place with NHS South Central and West Commissioning Support Unit (SCWCSU) for the services they provide.

The below tables outline the organisations we use, services they provide and legal basis for processing your information:


Data Linkage

Data may be de-identified and linked by organisations so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies, district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CCG does not have any access to patient identifiable data.

Data Retention

East Berkshire CCG will approach the management of its business records in line with the Information Governance Handbook – Records Management Policy which sets out roles and responsibilities for records management and the key operating principles for record keeping across the business and manages records in line with the Records Management NHS Code or Practice for Health and Social Care which sets the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice.

The CCGs records shall not be retained indefinitely. At the end of the retention, records shall be disposed of. In most cases this will mean controlled destruction; a small percentage of records may become archived meaning that they will be retained indefinitely under the Public Records Act.

Information Governance

Information Governance is to do with the way organisations ‘process’ or handle information. It covers personal information relating to patients, service users, employees, and corporate information (financial and accounting records.)

The Organisations that we do business with are subject to the same legal rules and conditions for keeping personal confidential data and secure and are underpinned by a contract with us.

Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose. All organisations are required to complete a Department of Health Information Governance Toolkit which draws together the legal rules and central guidance and presents them in a single standard set of information governance requirements which covers management structures and responsibilities, confidentiality, data protection and information security. All organisations are required to achieve a Level 2 score which demonstrates that organisations can be trusted to maintain the confidentiality and security of personal information and in-turn increases public confidence that the NHS and its partners can be trusted with personal data.

Contact us

If you have any questions or concerns regarding how we use your information, please contact us at:
East Berkshire Clinical Commissioning Group (CCG)
King Edward VII Hospital
St Leonard’s Road

Tel: 01753 636840
Email: Eastberksccgs.enquiries@nhs.net

Independent Advice

For independent advice about data protection, privacy and data-sharing issues, you can contact the:
Information Commissioner Wycliffe House, Water Lane, Wilmslow,
Cheshire, SK9 5AF.
Phone: 08456 306060 or 01625 545745
Website: www.ico.org.uk

Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in:

• The NHS Care Record Guarantee: This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

• The NHS Constitution: The Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively

• To share or not to share? Information Governance Review: This was an independent review of information about service users shared across the health and care system led by Dame Fiona Caldicott and was conducted in 2012.

• NHS Commissioning Board – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets: Provides further information about the data flowing within the NHS to support commissioning.

• NHS Digital – Guide to Confidentiality NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.

• Information Commissioner’s Office (ICO): The ICO is the Regulator for the Data Protection Act 1998 and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

• Health Research Authority:
The HRA protects and promotes the interests of patients and the public in health and social care research.