This notice sets out how Surrey Heath Clinical Commissioning Group ensures that any data or correspondence which is personal is administered in accordance with data protection requirements. The notice covers the following:

  • Feedback form
  • Complaints/Compliments
  • Requests for information   
  • Recruitment to support the organisation (employed or voluntary)
  • Integrated Care project

Wherever possible, where you have provided personal information to us, we will use your correspondence/information or personal data in an anonymous format (no personal information included). Where personal information is used we will seek your consent to do this; however, there may be certain circumstances in which we are legally required to share your personal information without your consent, for example:

  • Safeguarding
  • By a court order
  • Prevent disorder or crime
  • Notifiable diseases

Access to personal information held about you
Under the Data Protection Act 1998 and the Access to Health Records Act 1990, you are entitled to receive copies of all personal information held about you.  Any requests made will be jointly managed by both Surrey Heath CCG and South Commissioning Support Unit staff unless you specifically state in your request that you do not wish this to happen.

If you do not wish to consent to your personal information being shared with us, or have any concerns or questions about the use of your personal information, please contact us. However, we would advise that in some instances, which we would explain to you, withholding permission to share your personal information could have a detrimental and serious impact on the services and responses we can offer you.

How we keep your personal information confidential
Under the NHS Confidentiality Code of Conduct, all of our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. This will be recorded.

Visitors to our websites
When someone visits the CCG Website we collect standard internet log information and details of behaviour patterns.  We do this to find out things such as the number of visitors to the various parts of the site.  We collect this information in a way which does not identify anyone.  We collect identifiable information from visitors to our website who register in order to comment on forum threads or to receive further information on specific topics.  This information is held securely and only used for the purposes provided.

We do not make any other attempt to find out the identities of those visiting our website.  We will not associate any data gathered from this site with any personally identifying information from any source.  If we do want to collect personally identifiable information through our website, we will make it clear when we collect the personal information and will explain what we intend to do with it. 

YouTube Cookies
We embed videos from official NHS YouTube channels using YouTube’s privacy-enhanced mode.

Links to other websites
This privacy notice does not cover the links within this site linking to other websites.  We encourage you to read the privacy statements on the other websites you visit.

Job applicants, current and former employees
When individuals apply to work for the CCG, we will use the information supplied to us to process applications and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau, we will not do so without informing you beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment with us, we will compile a file relating to their employment.   The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment.  Once their employment with the CCG has ended, we will retain the file in accordance with the requirements of our retention schedule and will then delete it.

Invoice validation
We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain with the Controlled Environment for Finance (CEfF) approved by NHS England.

The NHS Care Record Guarantee 
The NHS Care Record Guarantee for England sets out the rules that govern how patient information is used in the NHS and what control the patient can have over this. It covers people's access to their own records; controls on others' access; how access will be monitored and policed; options people have to further limit access; access in an emergency; and what happens when someone cannot make decisions for themselves.

Everyone who works for the NHS or for organisations delivering services under contract to the NHS has to comply with this guarantee, which was first published in 2005 and is regularly reviewed by the National Information Governance Board to ensure it remains clear and continues to reflect the law and best practice.

Changes to this privacy notice
We keep our privacy notice under regular review.  This Fair Processing notice was reviewed in May 2017.