How we use your information (Fair Processing notice)

Fair Processing Notice

This fair processing notice (also known as a privacy notice) tells you what to expect regarding when and how Sutton CCG collects and handles personal information.

This notice is to inform you of the types of information that we, as your clinical commissioning group (CCG), hold, how that information is used, who we may share that information with, and how we keep it secure and confidential.

What we do

We are responsible for planning, buying and monitoring (also known as commissioning) health services from healthcare providers, such as hospitals and GP practices, for our local population to ensure the highest quality of healthcare. We also monitor the performance of these services, which includes responding to any concerns from our patients about the services offered.

How we keep your information confidential and safe

Everyone working for the NHS is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes advised with consent given by the patient, unless there are other circumstances covered by the law.

Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, tell you of how your information will be used, and allow you to decide if and how your information can be shared.

CCG oversight

We have assigned a Caldicott Guardian and Senior Information Risk Owner who have oversight of the handling of information within our CCG as well as support organisations that we may buy services from. The Caldicott Guardian has the role of overseeing and making decisions on information sharing. The Senior Information Risk Owner is accountable for information risk. Both roles are supported by the Information Governance Steering Group (IGSG) which meets regularly to discuss issues related to information governance. The group is formed of senior representatives from each team within our CCG and is chaired by the Senior Information Risk Owner.

Definition of data types

This section provides definitions for key terms which are used throughout the text below to describe different data types.

  • Anonymised data, which is data about you but from which you cannot be personally identified.
  • De-identified data with pseudonym identifier, which is data about you that lets us track you through the patient pathway without using your personal information; you cannot be personally identified.
  • De-identified data with weak pseudonym identifier, such as the NHS number. We use this to link two or more types of datasets together using your NHS number, for example linking and analysing acute data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times when you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you.
  • Anonymised in Context data (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment. You may be personally identified if this data was available to a hospital or your GP. Like the above, we replace the NHS number with a locally generated pseudonym, such as a hospital number.
  • Personal data, which is information from which you can be personally identified, for example name, address, postcode or date of birth.
  • Sensitive personal data, which is information about your physical and mental health from which you can be identified.

What are Primary Care Data and Secondary Care Data?

As many people's first point of contact with the NHS, around 90 per cent of patient interaction is with primary care services. In addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists. Primary Care Data relates to information which has been sourced from these types of services.

Secondary Care covers treatment and care from a specialised medical service provided by clinicians, for example specialist doctors and nurses, within a health facility or hospital on referral by a primary care clinician (e.g. your GP). Secondary Care Data relates to information which has been sourced from these types of services.


What do we use your information for?

Improving, planning and managing care services – population data

We use the above types of data to plan health care services. Specifically, we use it to:

  • check the quality and efficiency of the health services we commission;
  • prepare performance reports on the services we commission;
  • work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future; and
  • review the care being provided to make sure it is of the highest standard.

Care providers, such as general practices, acute and mental health hospitals, community services, walk in centres and nursing homes, sometimes share information with each other to facilitate your direct care.

The law provides some NHS bodies, particularly NHS Digital, ways of collecting sensitive personal data directly from care providers for secondary purposes, such as evaluating care provided at population level.

Data may be linked by these special bodies so that it can be used to improve health care and development, and monitor NHS performance. In some cases there may also be a need to link local datasets, which could include a range of acute-based services such as radiology, physiotherapy and audiology, as well as mental health and community-based services such as IAPT, district nursing and podiatry.

The dataset collected from secondary care providers, for example hospitals, by NHS Digital is referred to as the Secondary Uses Service (SUS). SUS is the single, comprehensive repository for healthcare data in England which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital's website: http://digital.nhs.uk/sus

The following are the types of organisations NHS Digital receives data from, and then forwards on to our data processor in an anonymised format or a de-identified format with NHS Number in order to link and analyse the data. Where data is used for these statistical purposes, stringent measures are taken to ensure individuals cannot be identified.

Types of organisations and types of information we receive:

  • Acute Trusts – Hospitals, for example Epsom and St Helier University Hospitals NHS Trust. We receive anonymised acute data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.
  • Community trusts or community organisations, for example The Royal Marsden NHS Foundation Trust. We receive anonymised community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units. 
  • Mental Health Trusts or Mental Health organisations, for example South West London and St Georges Mental Health Trust. We receive anonymised mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge, referrals and next steps.
  • Primary Care organisations, for example your local GP practice. We receive anonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information and follow-ups.

We may also contract with other organisations to process this data. We ensure external data processors that support us are legally and contractually bound to operate this process. They must be able to prove security arrangements are in place where data that could or does identify a person is processed.

Currently, the external data processors we work with include (amongst others):

  • NHS NEL Commissioning Support Unit

This is how all the above processing works:

  [Figure: diagram of the processing described above]

Invoice Validation

There may be times where one healthcare organisation will need to invoice another for treatment given to a patient. This can occur, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received.

Before paying the invoice, we will need to be sure that we are responsible for your treatment costs and not another CCG, as well as checking to ensure that the amount being billed for is correct. This process is known as invoice validation. For invoice validation to occur, a limited amount of information about you, which includes NHS number but no name or address information, needs to be shared between us and the hospital you received treatment at.

The use of your information for this purpose has been allowed under s251 of the NHS Act 2006. For more information please visit http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/


Risk stratification

Your GP uses your data to provide the best care they can for you.  As part of this process, your GP will use your sensitive personal data to undertake risk stratification, also known as case finding.

Risk stratification involves applying computer based algorithms, or automated calculations, to identify those patients registered with the GP Surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.

Identifying those patients individually, from the whole patient community registered with your GP, would be a lengthy and time-consuming manual process that would be unlikely to identify individuals quickly and would delay improvements to their care.

Your GP Surgery uses the services of a health partner, NHS NEL Commissioning Support Unit (NEL Commissioning Support Unit), to identify those most in need of preventative or improved care. This contract is arranged by us. Sensitive personal data is extracted from your GP computer system and automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.

NEL Commissioning Support Unit will process your sensitive personal data through a fully automated process without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention. 

We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NEL Commissioning Support Unit for risk stratification purposes. The lawful basis to use this information for risk stratification has been allowed by s251 NHS Act 2006 and is processed by NEL Commissioning Support Unit or other approved providers only. For further information on Risk Stratification, please visit https://www.england.nhs.uk/ourwork/tsd/ig/risk-stratification/ and http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/

Sutton Integrated Digital Care Record

This sharing of information will help the health and social care system to work together to improve care services in Sutton, through better planning and working in a more joined-up way.

Only GPs, hospital doctors, nurses, social workers and other health and social care professionals, who provide you with direct care, will have access to your health and social care information, known as your Integrated Digital Care Record.

The integrated digital care record will include test results, medications, allergies and social, health and wellbeing information relevant to your care. The professionals treating you will be able to look at computer records of the care you get from other organisations, including your GP, social care worker or the hospital.

You have the choice about whether to share your integrated digital care record and who can see it.

You'll be asked to give your consent when healthcare professionals want to access your records in appointments and you can say no. You can 'opt-out' at any time. If you would like to do this, please tell your care provider.

Handling continuing healthcare (CHC) applications

If you make an application for Continuing Healthcare (CHC) funding, Sutton CCG will use the information you provide and where needed request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers. This process is nationally defined and we follow a standard process and Sutton CCG uses standard information collection tools when assessing eligibility for CHC applications.

Handling individual funding requests (IFR) applications

If you make an Individual Funding Request (IFR) to fund treatment that is not routinely commissioned, Sutton CCG will use the information you provide and, where needed, request further information from care providers to identify eligibility for funding. If agreed, arrangements will be put in place to arrange and pay for the agreed funding packages with appointed care providers.

Supporting medicines optimisation

CCGs support local GP practices with prescribing queries, which generally don't require personal data. Where specialist support is required (e.g. to order a drug that comes in solid, gas or liquid form), Sutton CCG's medicines optimisation team will order this on behalf of a GP to support your care.

Supporting medicines management

Sutton CCG pharmacists work with the GP practice to provide advice on medicines and prescribing queries, and review the prescribing of medicines to ensure that it is safe and cost-effective. This is done with practice agreement. No personal data is removed from the practice and no changes are made to patients' records without permission from the GP. Patient records may be viewed from the CCG's premises and via secure laptops in care homes or patients' homes.


Safeguarding

Advice and guidance is provided to care providers to ensure that adult and children's safeguarding matters are managed appropriately. Access to and sharing of personal data will be required in some limited circumstances where it is legally required for the safety of the individuals concerned.

Post infection reviews

Clinical Commissioning Groups collaborate closely with the organisations involved in providing patient care, to jointly identify and agree the possible causes of, or factors that contributed to, a patient's infection.

CCGs will lead the Post Infection Review in the circumstances set out in the Post Infection Review Guidance, issued by NHS England. They will be able to use the results of the Post Infection Review to inform the mandatory healthcare associated infections reporting system.

Incident management

Sutton CCG is accountable for effective governance and learning following all Serious Incidents (SIs) and works closely with all provider organisations, as well as commissioning staff members, to ensure all SIs are reported and managed appropriately. The Francis Report (February 2013) emphasised that commissioners, as well as providers, should have a primary responsibility for ensuring quality.

Managing conflicts of interest

We manage conflicts of interest as part of our day-to-day activities. Effective handling of conflicts of interest is crucial to give confidence to patients, tax payers, healthcare providers and parliament that CCG commissioning decisions are robust, fair, transparent and offer value for money. It is essential in order to protect healthcare professionals and maintain public trust in the NHS. Failure to manage conflicts of interest could lead to legal challenge and even criminal action in the event of fraud, bribery and corruption.

Section 14O of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012) ("the Act") sets out the minimum requirements of what both NHS England and CCGs must do in terms of managing conflicts of interest.

Any persons who are included in the declaration of interest registers can contact the Data Protection Officers for Sutton CCG at:

NEL Commissioning Support Unit

75 - 77 Worship St, London EC2A 2DU

You can email: nelcsu.information-governance@nhs.net


Complaints, PALS enquiries and MP enquiries

Complaints about services commissioned by Sutton CCG can be made by anyone, either verbally or in writing.

In order to address your complaint fully, Sutton CCG will need your data, or that of the person you are complaining on behalf of (e.g. a child), including:

  • Your name
  • Address
  • Telephone number
  • E-mail address
  • The nature of your complaint
  • Consent to complain on someone's behalf (if applicable)
  • How you wish to be contacted

Sutton CCG will keep a record of your original complaint, including a written record if you have made a verbal complaint; as well as any subsequent correspondence relating to the complaint from any source. This information is kept securely and electronically on site at the CCG. Only the Complaints Officer, Head of Governance and the responsible staff to provide you with a response will have access to any information you provide in order to make a complaint. We may have to look into your medical records or other documentation in order to resolve your complaint but would not keep that information in the complaint record, unless it is provided to Sutton CCG by yourself when making the complaint. Once a complaint is resolved, the information we hold is stored and destroyed in accordance with the Information Governance Alliance's Records Management Code of Practice for Health and Social Care (see 'How long we will keep your information and how we will destroy information' below).

Often complaints are received incorrectly by Sutton CCG and they need to be responded to by another NHS body. You will be asked to give written consent for Sutton CCG to share your information directly with that body and will also be given the option to contact them directly instead. When a complaint is shared with another NHS body, Sutton CCG will destroy any information and correspondence once the complaint is resolved.

The complaints team also receive Patient Advice and Liaison Service (PALS) enquiries and MP enquiries, where patients have asked their MP to contact Sutton CCG on their behalf. Data is collected and retained as per the complaints process described above. Once these enquiries have been resolved, the information we hold is stored and destroyed in accordance with the Information Governance Alliance's Records Management Code of Practice for Health and Social Care (see 'How long we will keep your information and how we will destroy information' below).

All complaints, PALS and MP enquiries received by Sutton CCG will be reviewed to see what lessons Sutton CCG can learn from them and where improvements can be made, as Sutton CCG recognises the importance of patient and public feedback in our ongoing development of a high quality, responsive and accessible service. This includes complaints sent to another NHS body and PALS and MP enquiries. Anonymised data regarding complaints and enquiries made to Sutton CCG is therefore reviewed quarterly at our Quality Committee, the minutes of which are available to the public, and any learning is taken forward to improve services.

Sometimes patients are unhappy with Sutton CCG's response to their complaint and ask the Parliamentary and Health Service Ombudsman to investigate their complaint. In order to comply with this process Sutton CCG will securely share with the Ombudsman copies of all documentation retained regarding the complaint in question. Once the Ombudsman has resolved the complaint, the information we hold, along with any correspondence with the Ombudsman, is stored and destroyed in accordance with the Information Governance Alliance's Records Management Code of Practice for Health and Social Care (see 'How long we will keep your information and how we will destroy information' below).

Patient right to object to processing/opt-out

There are choices you can make about how your information is used, and you can choose to opt out of your information being shared or used for any purpose beyond providing your care. Please note that choosing not to share your information may have an impact on your care, and that sharing your information helps improve NHS services and the experience of treatment and care for our patients.

If you do not want your information to be used for any purpose beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record.

There are two types of opt-out. You can withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-outs

If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Type 2 opt-outs

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.


How long we will keep your information and how we will destroy information

There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance's Records Management Code of Practice for Health and Social Care. For more information, you can access the document here: http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf. The retention schedules start on page 53.

When destroying data we ensure that we, or third parties we contract to destroy data on our behalf, meet the guidelines set out within principle 7 of the Data Protection Act 1998, the European Standard EN 15713 for paper copies and CESG standards (www.cesg.gov.uk) for the secure destruction of electronic data.

Employee information

We collect information about individuals who work for us for the following purposes:

  • the administration of prospective, current and past employees including self-employed, contract personnel, temporary staff or voluntary workers
  • the recruitment and selection process
  • administration of non-CCG staff contracted to provide services on our behalf
  • planning and management of our workload or business activity
  • occupational health service
  • administration of agents or other intermediaries
  • pensions administration
  • payment administration
  • disciplinary matters, staff disputes, employment tribunals
  • staff training and development
  • ensuring staff are appropriately supported in their roles
  • vetting checks
  • assessing our performance against equality objectives as set out by the Equality Act 2010

Members of staff can apply for a copy of the records we hold about them by following the same process outlined in 'Accessing your information held by NHS Sutton CCG' below.


Relevant links to associated documents or organisations

If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click on the following links:

NHS Constitution: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/480482/NHS_Constitution_WEB.pdf

NHS Care Record Guarantee: http://systems.digital.nhs.uk/rasmartcards/strategy/nhscrg

NHS Digital's Guide to Confidentiality: http://systems.digital.nhs.uk/infogov/confidentiality

Information Commissioner's Office: https://ico.org.uk/

Health Research Authority: http://www.hra.nhs.uk/

Health Research Authority Confidentiality Advisory Group (CAG): http://www.hra.nhs.uk/about-the-hra/our-committees/section-251/

For more information about care records and how to access them see NHS Choices http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/overview.aspx. For details about how public bodies must make information available, see the model publication scheme published by the Information Commissioner's Office. https://ico.org.uk/for-organisations/guide-to-freedom-of-information/publication-scheme/

Accessing your information held by NHS Sutton CCG

Under the Data Protection Act 1998 you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request (SAR) to NHS Sutton CCG.

We may charge a reasonable fee for the administration of the request, set down in law as follows:

  • If the information is only held electronically we may charge up to £10 for complying
  • If the information is only held wholly or partly in paper format we may charge up to £50 for complying.

If you wish to make a SAR please contact the Information Governance Team c/o:

NHS NEL Commissioning Support Unit
1 Lower Marsh
London SE1 7NT

Email: nelcsu.information-governance@nhs.net

Note: In order to deal with a SAR, Sutton CCG will need to share information with NHS NEL Commissioning Support Unit.


Freedom of information requests (FOI)

The Freedom of Information Act (2000) gives every individual the right to request information held by government agencies. Private companies are not subject to this Act. Please note that a Freedom of Information request is not the same as a Subject Access Request.

For postal requests, please send to the Freedom of Information Team at:

Freedom of Information Manager
C/O NHS NEL Commissioning Support Unit
1 Lower Marsh
London SE1 7NT

You can also email your request to: nelcsu.foi@nhs.net

Your request for information must be made in writing and you are entitled to a response within 20 working days.

Decommissioning of services

The CCG will retain legal responsibility for the information held about you until it is formally dissolved or until agreements are put in place to transfer responsibility.


If you have a comment, compliment or complaint about how your information has been used in Sutton then please contact the complaints team:

Phone: 020 3668 1200
Email: sutccg.complaints@nhs.net
Letter: NHS Sutton CCG, Priory Crescent, Cheam, Sutton SM3 8LR

If you are not happy with our responses about your use of information and data and have exhausted all the avenues in the CCG Complaints Process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing to the following address:

Wycliffe House
Water Lane
Cheshire SK9 5AF

You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number, or email: casework@ico.org.uk