Privacy notice

What we do

NHS Sutton Clinical Commissioning Group (CCG) is responsible for planning and buying (also known as 'commissioning') health services from healthcare providers such as hospitals, as well as directly providing some health services such as continuing healthcare and Individual Funding Requests.

We are a membership body made up of all GP practices in Sutton. We do not provide healthcare services like a GP practice or hospital. Our role is to make sure the appropriate NHS care is in place for the people of Sutton within our available budget.

As an NHS organisation, Sutton CCG operates at a number of different levels in regard to the processing of personal data. We act as a Controller primarily for the management of data relating to our employees and to those working on behalf of or with our organisation, and also for some NHS patient provider functions.

What is a privacy notice?

The EU General Data Protection Regulation (GDPR) requires that Controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information.

A privacy notice should identify who the Controller is, including contact details for the Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long the data are kept, and the Controller's legal basis for processing.

Why we collect information about you

In carrying out our role and responsibilities as a commissioner of services for people living in Sutton, it is essential that the CCG has an understanding of the health and social care needs of our community. The only way that we can achieve this is by using information that your GP, your clinician or your social worker has entered into your care record, as well as some information that is provided by external public sources such as hospitals. This information may exist on paper or in electronic format, and Sutton CCG ensures that it is kept safe and secure in an appropriate way.

We do not, however, need to have and use all the information that is provided. Where information is not needed in identifiable form, it is de-identified by the Data Services for Commissioners Regional Office (DSCRO) before being shared with the rest of the CCG for its use. Further information regarding this can be provided on request.

We may keep your information in written form and / or in digital form. The records may include basic details about you, such as your name and address or may also contain more sensitive information about your health and social care usage and also information such as outcomes of needs assessments.

Sutton CCG may collect information about you which helps us to respond to your queries and to design services that meet the health needs of local people and improve their outcomes.

How we use your information

Please select the information that is relevant to you from the documents below for full details on how your information is used.

CCG oversight and responsibility

Sutton CCG is supported by a number of key roles within the CCG, led by the Senior Information Risk Owner, who is accountable for information risk management within the CCG; the Caldicott Guardian, who advises the CCG on specific issues relating to the use of patient confidential data; and the Data Protection Officer, who provides advice and support to the CCG on its Data Protection compliance and monitoring obligations. These roles have oversight of the handling of information within the CCG and by any support organisations we may buy services from.

The Senior Information Risk Owner (SIRO) for the CCG is Geoff Price.

The Caldicott Guardian for the CCG is Dr Hervey Wilcox.

The Data Protection Officer for the CCG is Claire Edgeworth.

For more information on these roles, please see below.

Relevant links to associated documents or organisations:

If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click on the following links:

Information Governance Roles

The Senior Information Risk Owner (SIRO)

The SIRO is expected to understand how the strategic business goals of the CCG may be impacted by information risks and will report on these to the Information Governance Steering Group and Governing Body of the CCG, as appropriate.

The SIRO acts as an advocate for the appropriate management of information risks for the Governing Body and in internal discussions, and will provide written advice to the Chief Officer on the content of the Annual Governance Statement in regard to information risks.

The SIRO provides an essential role in ensuring that information risks are identified and that actions are taken to address them. They must also ensure that a framework for managing information incidents and risks is in place, used and understood. They provide leadership and guidance to the organisation's Information Asset Owners (IAOs).

The Caldicott Guardian

All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. NHS Sutton CCG's Caldicott Guardian is Dr Jeff Croucher, Clinical Chair of the CCG's Governing Body, who is responsible for protecting the confidentiality of patients' and service-users' information and enabling appropriate information-sharing.

The Caldicott Guardian plays a key role in ensuring that the NHS, Councils with Social Services responsibilities, and partner organisations satisfy the highest practical standards for handling patient identifiable information.

Acting as the 'conscience' of an organisation, the Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

The Data Protection Officer (DPO)

The Data Protection Officer (DPO) is responsible for ensuring that the CCG and its constituent business areas remain compliant at all times with data protection legislation, the Privacy and Electronic Communications Regulations, the Freedom of Information Act and the Environmental Information Regulations (information rights legislation).

The DPO leads on the provision of expert advice to the organisation on all matters concerning information rights law, compliance and best practice, and on setting and maintaining standards. The DPO also provides a central point of contact for information rights legislation, both internally and with external stakeholders (including the Information Commissioner's Office).

The DPO reports to the highest level of management within the CCG. This ensures the DPO can act independently and without a conflict of interest.

Privacy Notice - Complaints Subject Access and Freedom of Information Requests.pdf
Privacy Notice - Direct Care.pdf
Privacy Notice - Incident Management.pdf
Privacy Notice - Medicines Management.pdf
Privacy Notice - Patient Communications.pdf
Privacy Notice - Patient Engagement Groups.pdf
Privacy Notice - Payments.pdf
Privacy Notice - Public Health.pdf
Privacy Notice - Quality Alerts.pdf
Privacy Notice - Safeguarding.pdf
Privacy Notice - Staffing Recruitment and Training.pdf