Your Personal Information – what you need to know

Who we are and what we do

NHS Surrey Heath Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, as well as community and primary medical care (GP) services. This is known as commissioning. We also have a performance monitoring role for these services, which includes ensuring that the highest quality of healthcare is provided and responding to any concerns from our patients about the services offered. For further information please refer to the ‘About Us’ page on our website: http://www.surreyheathccg.nhs.uk/

Our Commitment to Data Privacy and Confidentiality Issues

We are committed to protecting your privacy and will only process data in accordance with the Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time.

In addition, consideration will also be given to all applicable law concerning privacy, confidentiality and the processing and sharing of personal data, including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations 2003.

NHS Surrey Heath CCG is a Data Controller as defined under the GDPR. We are legally responsible for ensuring that all personal information that we process (i.e. hold, obtain, record, use or share) about you is handled in compliance with the six Data Protection Principles set out in Article 5 of the GDPR.

All data controllers must register with the Information Commissioner’s Office (ICO) and, unless exempt, pay the data protection fee. Our ICO Data Protection Registration number is A8265660 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health.

The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

All information that we hold about you will be held securely and confidentially, using both administrative and technical controls. Access to information that identifies you is restricted to a limited number of authorised staff, granted only where it is appropriate to their role and strictly on a need-to-know basis.

All of our staff, contractors and committee members receive role-appropriate and ongoing training to ensure they are aware of their personal responsibilities, and have contractual obligations to uphold confidentiality that are enforceable through disciplinary procedures.

We will only use the minimum amount of information necessary about you.

We will only retain information in accordance with the schedules set out in the Records Management Code of Practice.

What kind of information do we use?

As a Commissioner we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you, for example:

  • Your name, address, date of birth, NHS number and contact details
  • Details of your GP, what treatment you have received and where you received it
  • Details of concerns or complaints you have raised about your healthcare provision that we need to investigate
  • Details of clinical concerns raised by your General Practitioner (GP) or service providers about your healthcare provision
  • Details of any request you make for our help or involvement with your healthcare, or of cases where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • Information you provide if you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user/Patient Participation Groups

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system.

We use the following types of information/data:

  • Personal Data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4 of the GDPR)
  • Special Categories of Personal Data – personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation (Article 9 of the GDPR)
  • Confidential Patient Information – information relating to a person’s health and other matters disclosed to another (e.g. by a patient to a clinician) in circumstances where it is reasonable to expect that the information will be held in confidence. This includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’, as described in Confidentiality: NHS Code of Practice (Department of Health guidance on confidentiality, 2003)
  • Pseudonymised – data that has undergone a technical process that replaces your identifiable information, such as NHS number, postcode and date of birth, with a unique identifier, which obscures the ‘real world’ identity of the individual patient to those working with the data. The key or lookup that links the identifier back to you is held separately from the data and is not shared with those working with it
  • Anonymised – data about individuals with identifying details removed, so that there is little or no risk of the individual being re-identified
  • Aggregated – anonymised information that is grouped together (for example, as counts) so that it does not identify individuals
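The three terms above differ in what a recipient can still do with the data: pseudonymised records can be linked to each other (and relinked to a person by whoever holds the key), anonymised records cannot, and aggregated data only ever describes groups. The following Python is an added illustration of that distinction and is not the CCG's own process or tooling. It assumes that the direct identifiers are the four fields named in this notice, that pseudonyms are HMAC-SHA256 tokens computed with a secret key held only by the data controller, and that aggregated counts below a threshold of 5 are suppressed (an assumed policy value). All records are constructed for the example; the people and NHS numbers are fictitious.

```python
"""Pseudonymise / anonymise / aggregate a handful of constructed patient records.

Added illustration, not the CCG's own process. Assumptions: direct identifiers
are the four fields named in the notice; pseudonyms are HMAC-SHA256 tokens
keyed with a secret held by the data controller; aggregated counts below a
threshold (assumed to be 5) are suppressed.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample data: fictitious people, fictitious NHS numbers.
RECORDS = [
    {"nhs_number": "1234567881", "name": "A. Example", "postcode": "GU15 1AA",
     "dob": "1980-03-14", "gp_practice": "Practice A", "condition": "asthma"},
    {"nhs_number": "1234567890", "name": "B. Example", "postcode": "GU16 2BB",
     "dob": "1975-11-02", "gp_practice": "Practice A", "condition": "diabetes"},
    # Same patient as the first record, a later episode at a different practice.
    {"nhs_number": "1234567881", "name": "A. Example", "postcode": "GU15 1AA",
     "dob": "1980-03-14", "gp_practice": "Practice B", "condition": "asthma"},
]

DIRECT_IDENTIFIERS = ("nhs_number", "name", "postcode", "dob")

# Secret held only by the controller (assumed value); it never travels with the data.
CONTROLLER_KEY = b"constructed-example-key-do-not-reuse"


def pseudonym(nhs_number: str, key: bytes) -> str:
    """Keyed token for an NHS number. Deterministic, so episodes for the same
    patient link together; without the key it cannot be reversed or guessed,
    unlike a plain hash of a 10-digit number, which is cheap to enumerate."""
    return hmac.new(key, nhs_number.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Strip direct identifiers and attach a pseudo_id derived from the NHS number."""
    out = []
    for r in records:
        pseudo = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["pseudo_id"] = pseudonym(r["nhs_number"], key)
        out.append(pseudo)
    return out


def anonymise(records):
    """Drop direct identifiers entirely: no token, so no cross-record linkage."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            for r in records]


def aggregate(records, field, min_count=5):
    """Counts per value of `field`; cells below min_count are suppressed so a
    small group cannot single someone out."""
    counts = Counter(r[field] for r in records)
    return {v: (n if n >= min_count else "<%d" % min_count)
            for v, n in counts.items()}


def relink(pseudo_records, key, candidate_nhs_numbers):
    """What the key holder can do, and a recipient without the key cannot:
    recompute tokens for known NHS numbers and map pseudo_ids back to them.
    Unmatched tokens map to None."""
    lookup = {pseudonym(n, key): n for n in candidate_nhs_numbers}
    return {r["pseudo_id"]: lookup.get(r["pseudo_id"]) for r in pseudo_records}


if __name__ == "__main__":
    known = [r["nhs_number"] for r in RECORDS]
    p = pseudonymise(RECORDS, CONTROLLER_KEY)
    print("pseudonymised:", p)
    print("anonymised:", anonymise(RECORDS))
    print("aggregated:", aggregate(RECORDS, "condition"))
    print("relink with key:", relink(p, CONTROLLER_KEY, known))
    print("relink without key:", relink(p, b"wrong-key", known))
```

Running it shows the first and third pseudonymised records sharing a pseudo_id while the anonymised copies carry nothing that links them, and the relink step succeeding only with the controller's key. The keyed construction matters: NHS numbers are ten digits, so an unkeyed hash could be inverted by hashing every possible value.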

Surrey Heath CCG's full Privacy Policy and Fair Processing Notice is available on our website.

NHS Care Record Guarantee

The NHS Care Record Guarantee for England (published as a PDF, 128 KB) sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people's access to their own records; controls on others' access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves.

Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee, which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice.