Who we are
NHS Chiltern Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely.
For further information please refer to our ‘About Us’ page.
What is this Privacy Notice about?
This Privacy Notice is part of our programme to make the data processing activities we are carrying out in order to meet our commissioning obligations transparent.
This Privacy Notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with.
It covers information we collect directly from you or receive from other individuals or organisations.
This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to this email address: firstname.lastname@example.org or by post to:
Chiltern Clinical Commissioning Group
Chiltern District Council Offices
King George V Road
Telephone: 01494 586700
Reviews of and Changes to our Privacy Notice
We will keep our privacy notice under regular review. This privacy notice was last reviewed in September 2016.
Our Commitment to Data Privacy and Confidentiality Issues
We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 1998, the Common Law Duty of Confidentiality and the Human Rights Act 1998.
NHS Chiltern CCG is a Data Controller under the terms of the Data Protection Act 1998. We are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you, is done in compliance with the 8 Data Protection Principles.
All data controllers must notify the Information Commissioner’s Office (ICO) of all personal information processing activities. Our ICO Data Protection Register number is Z3616576 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.
Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.
We would not share information that identifies you unless we have a fair and lawful basis such as:
- You have given us permission;
- To protect children and vulnerable adults;
- When a formal court order has been served upon us;
- When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
- Emergency Planning reasons such as for protecting the health and safety of others;
- When permission is given by the Secretary of State or the Health Research Authority on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals
All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.
All of our staff, contractors and committee members receive appropriate and ongoing training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
We will only use the minimum amount of information necessary about you.
Retention of Records
We will only retain information in accordance with the schedules set out in the Records Management Code of Practice for Health and Social Care 2016.
Destruction of Paper Records
The normal destruction method used within the CCG for confidential / sensitive information is by shredding. All confidential waste will be placed in the allocated “PHS Data Shred” consoles or confidential waste bins / sacks. Shredding of confidential information is carried out on site using an accredited mobile shredding company; a certificate is issued once completed.
Your information will not be sent outside of the United Kingdom where the laws do not protect your privacy to the same extent as the law in the UK. We will never sell any information about you.
You have certain legal rights, including a right to have your information processed fairly and lawfully and a right to access any personal confidential data we hold about you.
You have the right to privacy and to expect the NHS to keep your information confidential and secure.
You also have a right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered.
These are commitments set out in the NHS Constitution. For further information please visit www.gov.uk/government/publications/the-nhs-constitution-for-england.
You have the right to withdraw consent to us sharing your personal information if you do not wish us to process or share your information.
If you do not agree to certain information being processed or shared with us, or by us, or have any concern, then please let us know. We may need to explain the possible impact this could have on our ability to help you and discuss the alternative arrangements that are available to you.
You have the right to refuse/withdraw consent to information sharing at any time. The possible consequences can be fully explained to you and could include delays in receiving care. If you wish to discuss withdrawing consent please contact CCG’s patient services at this email address:
Tel: 0800 328 5640
What is the patient opt-out?
The NHS Constitution states “You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”.
There are 2 types of opt-out:
- A type 1 opt-out prevents information being shared outside a GP practice for purposes other than direct care.
- A type 2 opt-out prevents information being shared outside of NHS Digital (formerly the Health and Social Care Information Centre – HSCIC) for purposes beyond direct care.
Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is no overriding legal obligation.
Type 1 opt-out
If you do not want personal confidential data information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Patients are only able to register the opt-out at their GP practice.
Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.
Type 2 opt-out
NHS Digital (formerly known as The Health and Social Care Information Centre – HSCIC) collects information from a range of places where people receive care, such as hospitals and community services.
To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care. This is known as a ‘Type 2 opt-out’.
If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.
There may be occasions when it is not possible to exercise your right to “opt-out”; this will be in situations such as when we have an obligation by law or for the purposes of safeguarding.
It is also important to note that by exercising your right to “opt-out”, there could be consequences. These situations will be discussed with you by your GP or by NHS Digital depending on whether you choose Type 1 or Type 2 opt-out.
Patients are only able to register the opt-out at their GP practice.
Further Information and Support about Type 2 opt-outs:
For further information and support relating to Type 2 opt-outs please contact NHS Digital contact centre at email@example.com referencing ‘Type 2 opt-outs – Data requests’ in the subject line; or
Alternatively, call NHS Digital on (0300) 303 5678; or
Alternatively visit the website.
Complaints or questions
We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.
To make a complaint or bring concerns to our attention, please contact us in writing:
email address: firstname.lastname@example.org or by post to:
Chiltern Clinical Commissioning Group Ground Floor Chiltern District Council Offices King George V Road Amersham Buckinghamshire HP6 5AW
By Telephone: 01494 586700
The information we will require when you make a complaint will be:
- Your name, address and contact telephone number and those of the person that you may be complaining for; including their date of birth and NHS Number.
- A summary of what has happened, giving dates where possible.
- Which organisation provided the care or service.
- A list of things that you are complaining about.
- What you would like to happen as a result of your complaint
Subject Access Requests
Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:
- Give you a description of it;
- Tell you why we are holding it;
- Tell you who it could be disclosed to; and
- Let you have a copy of the information in an intelligible form
To make a request for any personal information we may hold you need to put the request in writing to our contact address provided further below.
If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting us at the contact address further below.
Confidentiality Advice and Support
The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user and service user information and enabling appropriate and lawful information-sharing.
The contact details of our Caldicott Guardian are as follows:
Karen West, GP Clinical Director
email@example.com, Tel: 01296 585900
Personal Information we collect and hold about you
As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:
- If you have made a complaint to us about healthcare that you have received and we need to investigate
- If you ask us to provide funding for Continuing Healthcare services
- If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care.
- If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user/Patient Participation
Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.
Our records may be held on paper or in a computer system. The types of information that we may collect and use include the following:
Identifiable: This is data which contains details which can identify individuals such as name, address, date of birth, postcode
Pseudonymised Information: This is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data.
Anonymised Information: This is data rendered into a form which does not identify individuals and where there is little or no risk of identification (identification is not likely to take place).
Aggregated: This is anonymized data which is grouped together so that it does not identify an individual
Personal Confidential Data: This term describes personal information about identified or identifiable individuals, which should be kept private or secret. For the purposes of this notice ‘personal’ includes the Data Protection Act definition of personal data, but it is adapted to include dead as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ and is adapted to include ‘sensitive’ as defined in the Data Protection Act and is used interchangeably with ‘confidential’ in this document.
Sensitive Personal Data: The Data Protection Act defines “sensitive personal data” as information about an individual’s: racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual life; alleged criminal activity; or court proceedings.
Our Uses of Information
Although this is not an exhaustive detailed listing, the following table lists key examples of the purposes and rationale for why we collect and process information:
We collect and process your personal information if it relates to a complaint where you have asked for our help or involvement.
We will need to rely on your explicit consent to undertake such activities.
Complaint Processing Activities
When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.
We will only use the personal information we collect to process the complaint and to check on the level of service being provided.
We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.
If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.
We will keep personal information contained in complaint files in line with NHS retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
We may use service user stories, following upheld complaints, but always anonymously, via our Quality and Performance Committee. The service user stories will provide a summary of the concern, service improvements identified and how well the complaints procedure has been applied. Consent will always be sought from the service user and carer or both before we use the service user story.
We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This may be called an “Individual Funding Request” (IFR). The Individual Case Review Panel (ICRP) considers IFRs and the panel is administered by the NHS South and West Commissioning Support Unit on behalf of the Clinical Commissioning Groups across Thames Valley.
The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care, and gain your explicit consent
Continuing Health Care
We have commissioned NHS Arden & GEM Commissioning Support Unit to collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages.
The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care and gain your explicit consent.
We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.
Because of public interest issues, e.g. to protect the safety and welfare of vulnerable children and adults, we will rely on a statutory basis rather than consent to process information for this use.
Risk stratification is a process for identifying and managing patients who are at high risk of a number of factors such as ‘risk of emergency hospital admission’.
Data Processing activities for Risk Stratification
Risk stratification tools use various combinations of historic information about patients, for example, age, gender, diagnoses and patterns of hospital attendance, admission and primary care data collected in GP practice systems.
The CCG will use pseudonymised versions of this information to understand the local population needs, whereas GPs will be able to identify (by NHS number) which of their patients are at risk in order to offer a preventative service to them.
The CCG has commissioned SCWCSU’s in-house tool, known as Integrated Population Analytics (IPA), to conduct risk stratification on behalf of itself and its GP practices.
NHS South, Central and West Commissioning Support Unit (SCW) – DSCRO work with Graphnet Health Limited to extract Primary Care data and the SCWCSU process this data on behalf of the CCG for Risk Stratification purposes.
This processing takes place under contract following the below steps:
- NHS Digital provides data identifiable by your NHS Number about your acute hospital attendances for risk stratification purposes and has signed a Data Sharing Contract for the Secondary Use Services data.
- The SCWCSU contract Graphnet Health Limited to extract primary care data identifiable by your NHS Number for those patients that have not objected to Risk Stratification or where no Type 1 objection has been made by an individual. The data containing the same verified NHS numbers are then stored within a secure server owned and managed by SCWCSU, which is then processed through the risk stratification algorithms and the output made available in the IPA user interface.
- Within the landing stage, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and NHS Digital. No identifiable data of any patient is seen by the CCG.
SCWCSU has set up a formula to analyse the data in pseudonymised form to produce a risk score for each patient. This information is available to SCWCSU DSCRO.
The risk scores are only made available to authorized users within the GP Practice where you are registered via a secure portal managed by SCWCSU.
This portal allows only the GPs to view the risk scores for the individual patients registered in their practice in identifiable form. The outputs can be made available if Practices are working as a locality, federation or super practice and this access is agreed by the Caldicott Guardian for each Practice.
If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.
Further information about risk stratification is available from: https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/
Further information about Integrated Population Analytics is available from: https://www.scwcsu.nhs.uk/ipa
NHS England has gained approval from the Secretary of State, through the Confidentiality Advisory Group, for its application for the disclosure of commissioning data sets and GP data for risk stratification purposes to data processors working on behalf of GPs which provides a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.
CCGs and GPs use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions. Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.
Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.
The process ensures that those who provide you with care and treatment can be paid.
NHS Shared Business Services & NHS South Central and West CSU process invoices on behalf of NHS Chiltern CCG. They do not require and should not receive any patient confidential data to provide their services.
There are situations where patient identifiable data is required to ensure that the correct service provider is paid.
In such cases service providers are required to send patient identifiable data to a Controlled Environment for Finance (CEfF), which is a secure restricted area within SCWCSU, who process this data on our behalf and indicate which invoices we can validate (authorise) for payment.
NHS England has published guidance on how invoices must be processed.
Commissioners have a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.
The legal basis for SCWCSU to receive personal identifiable data for the purposes of invoice validation is provided by Section 251 of the NHS Act 2006.
The invoice validation process supports the delivery of patient care by ensuring that:
- service providers are paid for patients’ treatment;
- services can be planned, commissioned, managed and subjected to financial control;
- commissioners can confirm that they are paying appropriately for the treatment of patients for whom they are responsible;
- commissioners fulfil their duties of fiscal probity and scrutiny;
- invoices can be challenged and disputed or discrepancies resolved.
Primary and Secondary Care
We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS.
Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists.
Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care.
These organisations may share identifiable, pseudonymised, anonymized, aggregated, personal confidential and sensitive personal data information with us for the following purposes:
- To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases
- To undertake clinical audit of the quality of services provided
- To carry out risk profiling to identify patients who would benefit from proactive intervention
- To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
- To report and investigate complaints, claims and untoward incidents
- To prepare statistics on our performance for the Department of Health
- To review our care to make sure that it is of the highest standard
Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.
Your information is only accessed by authorized persons and not disclosed unless necessary. We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.
Patient and Public Involvement
If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.
We will rely on your consent for this purpose.
Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details provided.
To collect NHS data about service users that we are responsible for.
Our legal basis for collecting and processing information for this purpose is statutory.
Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our service users.
This information is generally known as commissioning datasets. The CCG obtains these datasets from NHS Digital and they relate to service users registered with GP Practices that are members of the CCG.
These datasets are then used in a format that does not directly identify you, for wider NHS purposes such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.
The datasets include information about the service users who have received care and treatment from those services that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.
The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found on the NHS Digital website.
More information about how this data is collected and used by NHS Digital is available on their website.
We also receive similar information from GP Practices within our CCG membership that does not identify you. We use these datasets for a number of purposes such as:
- Performance managing contracts;
- Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;
- To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement;
- To help us plan future services to ensure they continue to meet our local population needs;
- To reconcile claims for payments for services received in your GP Practice;
- To audit NHS accounts and services.
If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.
Sharing Information Provided to us with other Bodies
The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.
The Cabinet Office is responsible for carrying out data matching exercises.
Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it may indicate that there is an inconsistency which requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.
We participate in the Cabinet Office’s National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise, as detailed here.
The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under the Data Protection Act 1998.
Data matching by the Cabinet Office is subject to a Code of Practice.
View further information on the Cabinet Office’s legal powers and the reasons why it matches particular information.
For further information on data matching at this authority contact
email address: firstname.lastname@example.org or by post to:
Chiltern Clinical Commissioning Group Ground Floor Chiltern District Council Offices King George V Road Amersham Buckinghamshire HP6 5AW
By Telephone: 01494 586700
For Other Organisations to Provide Support Services for us
The CCG will use the services of the additional data processors, who will provide additional expertise to support the work of the CCG:
We have entered into contracts with other NHS organisations to provide some services for us or on our behalf.
These organisations are known as “data processors”.
Below are details of our data processors and the function that they carry out on our behalf:
- NHS South, Central and West Commissioning Support Unit: Risk Stratification, Commissioning Intelligence analysis, Individual Funding Requests, Complaints processing. (add value to the analyses of data that does not directly identify individuals)
- SEAP (Support Empower Advocate Promote): works closely with the CCG in patient complaints process
- Oxford Academic Health Sciences Network (OHSN) (hosted by Oxford Health NHS Foundation Trust): Commissioning Intelligence analysis (add value to the analyses of data that does not directly identify individuals)
- Internal Audit: (RSM) Audit our accounts and services (add value to the analyses of data that does not directly identify individuals)
- External Audit (Ernst and Young) audit our accounts and services (add value to the analyses of data that does not directly identify individuals)
- NHS Litigation Authority – Claims Management (we rely on your consent)
- PHS Data Shred: Confidential Waste Disposal Company used by the CCG to shred information in a secure environment.
- NHS Shared Business Service and NHS South Central and West CSU – Invoice Validation
- NHS Arden & Greater East Midlands Commissioning Support Unit – renders Continuing Health Care function to the CCG (identifiable data is shared but most often consent has been obtained from the data subject)
- Optum – health services company which manages contracts with London NHS providers on behalf of the CCG.
- NHS England.
- Chiltern District Council.
- Aylesbury Vale District Council
|OPTUM HEALTH SOLUTIONS (UK) LTD|
|Purpose||Type of Data||Legal Basis|
|Processing of pseudonymised SUS data and local data flows to provide contract management for London Providers commissioned by the group of CCGs known as The London Focus Group.||Pseudonymised SUS data and local flows from London Providers (Admitted patient Care, A&E, Outpatients and Critical Care data extracts).||S251 NHS Act 2006; Health and Social Care Act 2012|
- Legal Basis is identified for data flows
- NHS National Standard Contract
- Achieved full ISO 27001 Accreditation
- Information Governance Toolkit Level 2 Compliance (ODS Code: 8GW39)
- Service Contract and Data Processing Agreement between CCGs and Optum.
These organisations are subject to the same legal rules and conditions for keeping personal confidential data secure and are underpinned by a contract with us.
Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
The CCG maps each individual data flow in and out of the organisation in order to understand what data it holds and processes. These data flow maps are reviewed and updated annually as part of the requirement to complete an Information Governance Toolkit. Data Flow Maps are available on request from the CCG.
Tel: 01494 586700
National Registries (such as the Learning Disabilities Register) can collect and hold service user identifiable information without the need to seek informed consent from each individual service user. This is permitted by statute under Section 251 of the NHS Act 2006.
To support research-oriented proposals and activities in our commissioning system.
Your consent will be obtained by the organisation holding your records before identifiable information about you is disclosed for any research.
Sometimes research can be undertaken using information that does not identify you. The law does not require us to seek your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.
Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.
Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.
Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.
If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.
Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found in:
- The NHS Care Record Guarantee: This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.
- Information: To share or not to share? The Information Governance Review: An independent review of how information about service users is shared across the health and care system, led by Dame Fiona Caldicott, was conducted in 2012.
- The NHS Commissioning Board – NHS England – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets provides further information about the data flowing within the NHS to support commissioning.
- The Information Commissioner’s Office is the Regulator for the Data Protection Act 1998 and offers independent advice and guidance on the law and personal data, including your rights and how to access your personal information.
- The NHS Constitution: The Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.
- NHS Digital: NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.
- Health Research Authority: The HRA protects and promotes the interests of patients and the public in health and social care research.
Data may be de-identified and linked by organisations so that it can be used to improve healthcare and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual data sets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E). In some cases there may also be a need to link local datasets which could include a range of acute-based services such as radiology, physiotherapy, audiology etc, as well as mental health and community-based services such as Improving Access to Psychological Therapies, district nursing, podiatry etc. When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity, as the CCG does not have any access to patient identifiable data.
If you have any questions or concerns regarding how we use your information, please contact us at:
Chiltern Clinical Commissioning Group
Chiltern District Council Offices
King George V Road
For independent advice about data protection, privacy and data-sharing issues, you can contact:
Tel: 08456 30 60 60 or 01625 54 57 45