Fair Processing Notice

This page provides information about why the NHS records information about you and how it is used; with whom we may share information; your right to see your health records and how to request them; and how we keep your records confidential.


Personal Information

The CCG does not routinely hold medical records or confidential patient data. However, there are occasions when we do hold information that may identify you (known as personal information). When we do hold and use personal information, we will meet legal requirements that comply with one of the following:

  • The information is necessary for direct healthcare for patients.
  • We seek consent from individuals to be able to use their information for a specific purpose.
  • There is an overriding public interest in using the information, e.g. in order to safeguard an individual, or to prevent a serious crime.
  • There is a legal requirement that will allow us to use or provide information (e.g. a formal court order).

The specific areas in which the CCG uses personal information are:

  • To deal with Individual Funding Requests - a process by which patients and their GPs/consultants can request special treatment(s) not routinely funded by the NHS.
  • Assessments for NHS Continuing Healthcare (a package of care for those with complex medical needs) as part of a direct patient care service.
  • Responding to your queries, concerns or complaints.
  • Assessment and evaluation of safeguarding concerns for individuals.
  • To collect and track data for people with learning disabilities and/or autism as part of the Transforming Care Programme (previously the Winterbourne Review Concordat: Programme of Action). For more information and to opt out of this data collection, contact HRCCG.transformingcare@nhs.net.

Protecting Your Privacy

The CCG is committed to protecting your privacy. We will only use information collected in accordance with the data protection legislation and will not use any information we may hold about you for any purpose other than that for which it was collected unless we have your consent.

Everyone working for the NHS is subject to the Common Law Duty of Confidence. The NHS Confidentiality Code of Conduct requires that all our staff protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared unless there is a legal exemption.

Commissioning data

The CCG is responsible for buying (also known as commissioning) health services from healthcare providers such as hospitals, for our local population. We also monitor the performance and quality of these services, which includes responding to any concerns from patients. We only use data that has been anonymised or pseudonymised* for these purposes.

The CCG may also share de-identified statistical information with other NHS and partner agencies for the purpose of improving local services, for example understanding how health conditions spread across our local area compared to other areas.

*Pseudonymised data is personal information that has been made anonymous to staff whose role does not legally require them to be able to identify individuals. It can be made re-identifiable, but only to designated staff with appropriate access rights e.g. health professionals who are responsible for the healthcare of the patients named in the information.

Invoice Validation

As part of the commissioning process the CCG is responsible for paying for health services. We are required to check healthcare invoices to ensure that they are accurate and genuine. To do this the CCG needs to be able to identify you to verify that the patient and the care provided match.

The CCG uses the services of NHS South, Central and West Commissioning Support Unit (SCWCSU) to undertake this activity on our behalf.

SCWCSU perform invoice validation within a secure processing environment and with a restricted number of authorised staff. Nationally, this arrangement is known as a Controlled Environment for Finance and is approved by NHS England. All activities and personal information relating to invoice validation remain within this Controlled Environment. 

Risk Stratification

Your GP uses your data to provide the best care they can for you. As part of this process your GP will use your personal and health data to undertake risk stratification, also known as ‘case finding’.

Risk stratification involves applying computer based algorithms, or calculations, to identify those patients registered with the GP Surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

Identifying those patients individually from the patient community registered with your GP without the risk stratification process would be lengthy and time-consuming. By its nature, it might not identify individuals quickly and would increase the time taken to improve care.

Your GP Surgery uses the services of a health partner, SCWCSU, to identify those most in need of preventative or improved care. This contract is arranged by us.

Neither the CCG nor SCWCSU will at any time have access to your personal or confidential data. The SCWCSU acts on behalf of your GP to organise this service with appropriate contractual and security measures only.

SCWCSU will automatically process your personal and confidential data without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical care to help prevent or better treat their condition. 

Processing takes place automatically and without human or manual handling. Data is extracted from your GP’s computer system, automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as ‘not to be extracted’ so it is not sent to SCWCSU for risk stratification purposes.

The lawful basis to use this information for risk stratification has been allowed by s251 NHS Act 2006 and is processed by SCWCSU or other approved providers only. For further information on Risk Stratification, please visit www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/ and www.hra.nhs.uk/about-the-hra/our-committees/section-251/

Right to opt out (fair processing)

Patients have a right to opt out of their information being used for risk stratification profiling. This must be done via the patient’s GP practice and the CCG cannot handle opt out requests.

It follows that GP Practices must make patients aware that their information is being used for these purposes and that they have a right to opt-out. This information is required for compliance with Data Protection legislation.

Your right to see your records - making a Subject Access Request

The Data Protection legislation entitles you to view information held about you and you can ask for a copy of your records. This is called a Subject Access Request (SAR). There are some guidelines when making a SAR:

  • Your request must be made in writing (by email is fine) to the organisation holding your information.
  • The NHS is required to respond to you within one month.
  • You will need to give adequate information to allow the information to be identified (e.g. your full name, address, date of birth, NHS number and details to allow us to locate the information which you seek) and you will be required to provide identification before information can be provided to you.

As explained above, SARs must be made directly to the organisation holding your records. The CCG does not hold your main healthcare records. Please contact your GP practice directly to see or obtain a copy of your records. In some cases, if you have received hospital treatment this may not be included in the healthcare records that your GP practice holds, so please contact the hospital/other provider directly in this circumstance.

If you think that there are inaccuracies in your record, you have the right to request that these be corrected or annotated. You must make this request to the organisation holding the records.

If you have any concerns about how your information may be shared, please discuss them with your healthcare provider, e.g. GP, nurse, dentist, or contact the data protection or information governance officers in the relevant organisation.

If you wish to make a Subject Access Request to the CCG (which would only relate to any information the CCG may directly hold about you) please contact us using the following details - SARs are processed by South, Central and West Commissioning Support Unit (SCWCSU):

Email: SCWCSU.IGEnquiries@nhs.net

Or by post:  NHS Hastings and Rother CCG Governance Team [Subject Access Requests], 36-38 Friars Walk, Lewes, East Sussex, BN7 2PB.

Caldicott Guardian 

Each NHS organisation must have a Caldicott Guardian in place who safeguards the use of personal confidential data and authorises the use of personal confidential data within the CCG.

A Caldicott Guardian is an expert on confidentiality issues and access to patient and service user records. The post is held by a senior person, who is responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing.

The Hastings and Rother CCG Caldicott Guardian is Dr Robert McNeilly.  Dr McNeilly can offer advice and information on queries about safeguarding the confidentiality of patient or service user information.

You can contact the Caldicott Guardian using the following details:

Address: Dr Robert McNeilly, Caldicott Guardian, NHS Hastings and Rother, Bexhill Hospital, Holliers Hill, Bexhill on Sea, East Sussex, TN40 2DZ

Email:  HRCCG.enquiries@nhs.net

More information about the role of Caldicott Guardians is available from the Health and Social Care Information Centre.

Information Commissioner's Office

For independent advice about data protection and data-sharing issues, contact the Information Commissioner's Office:

Call: 0303 123 1113

Email: casework@ico.org.uk

Website: www.ico.org.uk 

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Further information

If you have any questions about any of the contents of this Fair Processing Notice, please contact us at HRCCG.enquiries@nhs.net

