Privacy Notice

Who we are

NHS Derby and Derbyshire CCG has responsibility for buying (or commissioning) services across our county.

A major part of our work is effective planning, buying and monitoring of services from healthcare providers, such as hospitals and GP Practices. This means making sure that the NHS services that people need locally are available and making sure that those services are high quality and value for money.

This privacy notice tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It covers information we collect directly from you or receive from other individuals or organisations.  

This notice does not provide exhaustive detail, however, we are happy to provide any additional information or explanation needed.  

We keep our privacy notice under regular review: it was last reviewed in April 2019. 

Our Commitment to Data Privacy and Confidentiality Issues 

We are committed to protecting your privacy and will only ‘process’ data (processing refers to how data is Held, Obtained, Recorded, Used and Shared)  in accordance with Data Protection Legislation. 

This includes ensuring the CCG comply with the General Data Protection Regulation (EU) 2016/679  (GDPR), the Data Protection Act (DPA) 2018, and any applicable national Laws as required. 

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including:

  • the Human Rights Act 1998,

  • the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015,

  • the common law duty of confidentiality, and the

  • Privacy and Electronic Communications (EC Directive) Regulations 

As a Data Controller, the CCG has a duty to:

  • keep sufficient information to provide services and fulfil our legal responsibilities

  • keep your records secure and accurate

  • only keep your information as long as is required

  • collect, store and use the information you provide in a manner that is compatible with the EU General Data Protection Regulation and the Data Protection Act.  

Things you can do to help us:

  • make sure we have identified you correctly by letting us know when you change address or name; and

  • tell us if any of your information we hold is wrong.  


Personal Information we hold about you

As a commissioner, we do not routinely hold or have any access to medical records.  The provider of your healthcare for example an Acute Trust, or GP would hold this information.  However, we may need to hold some information about you, for example:  

  • If you have made a complaint to us about healthcare that you have received and we need to investigate

  • If access to specific treatments is regulated via eligibility criteria which include the Individual Funding Request process

  • If you ask us to provide funding for Continuing Healthcare or personal health budget services

  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care

  • If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user participation groups

  • In circumstances where our safeguarding staff are involved in the most serious cases.

  • In circumstances where our Quality teams are undertaking monitoring visits, limited clinical information may be accessed in a de-identified form.

  • Where information processing falls within the CCGs infection control oversight functions.

Our records may include relevant information that you have told us, information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment. Our records may be held on paper or in a computer system. 

We may share your information with other organisations as follows:

  • as required by law
  • to prevent and detect fraud and mistakes
  • to make payments to NHS Service providers
  • to secure the effective and efficient delivery of NHS and related services
  • for benefits and tax administration
  • as part of an appeal

Your information will not be transferred outside the European Economic Area, unless this is stated in the privacy notice of the service you use. 

Why we process your information

For some of our services, we need to collect personal data so we can get in touch, or provide the service. The CCGs can use your personal data under many different laws. The main ones that apply are the NHS Act 2006, the Health and Social Care Act 2012, the Care Act 2014, the Data Protection Act 2018 and the General Data Protection Regulations, but there are many more.  

In many cases there is a statutory requirement to process your data and we can do so without your consent. For some services where individuals choose to engage with e.g. where someone wishes us to include them on our mailing list, the CCG process this data by requesting your explicit consent.  

The CCG have in place arrangements to handle limited amounts of person confidential data. These data include limited data processed in accordance with our validation of referral (where treatments are restricted), and indirectly where the CCG perform an oversight function for monitoring the quality of the services commissioned.  

Where CCGs hold a contract for the provision of a clinical service, the organisation which deliver that service are the Data Controller. These providers are under contract and have to keep your details safe and secure, and use them only to provide the service.  

The CCG has undertaken an assurance exercise, validated via the completion of the Data Security and Protection toolkit, which has assured the legal basis of processing for each of the CCG’s activities. The CCG processes person identifiable data for the following purposes: 

  • Financial Transactions including processing applications for funding treatments
  • Invoice validation
  • Dealing with complaints
  • Processing Safeguarding referrals
  • Continuing Healthcare
  • Risk Stratification
  • Patient & public involvement  - where you have agreed for us to contact you to gain your views about the services we commission Regulatory Oversight and Quality monitoring functions
  • National registries
  • To ensure we meet our legal and statutory obligations
  • Clinical audit
  • GP data including performance and monitoring information
  • Investigating and managing serious incidents

As an employer, the CCG will process employee data for the following purposes:

  • To ensure that the information we hold about you is kept up-to-date;

  • To deal with any employee / employer related disputes that may arise;

  • Payroll purposes;

  • For assessment and analysis purposes to help improve the operation and performance of the CCG;

  • To inform the development of recruiting and retention policies so that they are relevant to the CCG’s workforce;

  • To enable the monitoring of protected characteristics in accordance with the Equality Act 2010 and ensure that the CCG continues to meet equality standards;

  • To prevent, detect and prosecute against fraud;

  • To respond to requests made by a “relevant authority” under Section 29 of the Data Protection Act 2018, such as the police, government departments and local authorities with the regulatory powers to request access to personal data without the consent of the data subject for the purposes of the prevention or detection of crime.

  • In accordance with the consent provided by you as part of your terms and conditions of employment; and

  • To comply with the CCG’s legal obligations as an employer; i.e. HMRC and pensions.  

Keeping your personal information

Your personal data will only be retained by the CCGs where there is a clear lawful basis to do so, and this will not be retained for longer than is necessary. The CCG ensures that we comply with best practice in relation to the retention and destruction of records.   

Your rights

You have certain legal rights, including:

  • to have your information processed fairly and lawfully

  • to request access any personal information we hold about you

  • the right to privacy, and to expect the NHS to keep your information confidential and secure

  • to request that your confidential information is not used beyond your own care and treatment and to have your objections considered

  • to request that any inaccurate data that we hold about you is corrected.  

These are commitments set out in the NHS Constitution, for further information please visit:  

Subject access requests and requests to correct errors  

Individuals can find out if we hold any personal information about them by making a ‘subject access request’ under the Data Protection Act 2018. If we do hold information about you we will:  

  • Give you a description of it

  • Tell you why we are holding it

  • Tell you who it could be disclosed to; and

  • Let you view or have a copy of your personal information in an intelligible form.  

To make a request for any personal information we may hold you need to put the request in writing to the address provided below.  

Subject Access Request 

To make a request for any personal information we may hold, please see NHS Derby and Derbyshire CCG’s Subject Access Request Procedure.

Information not directly collected by the CCG, but collected by organisations that provide NHS services

Type 1 opt-out 

If you do not want personal data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease. 

Patients are only able to register the opt-out at their GP practice. 

Type 2 opt-out: information held by NHS Digital

Previously you could tell your GP surgery if you did not want NHS Digital, to share confidential patient information that it collects from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out.

From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-Out.

The template privacy notice text can be found at: 

How each of our services uses your information

You can view the privacy notices for each of our services:

  1. Complaints & PALS
  2. Individual Funding Requests
  3. Patient & Public Involvement
  4. Personal Health Budgets
  5. Care Homes
  6. Safeguarding
  7. Staff – Past, Present & Future
  8. Brain Injury
  9. Specialist Hospital Funding
  10. Transforming Care
  11. Medicines Management
  12. Medicines Order Line
  13. Treatment Reviews
  14. Procedures of Limited Clinical Value
  15. Continuing Healthcare
  16. Special Educational Needs and/Or Disabilities 
  17. Commissioning Purposes 
  18. National Fraud Initiative 
  19. Safeguarding Children Partnership
  20. Support for Primary Care Network Population Health Management

Our Data Processors 

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed. The CCG remains the data controller (the organisation responsible for determining the purposes for which and the manner in which personal data is used under Data Protection Legislation) of such information at all times. Please click herefor a list of our Data Processors 

Contact us

If you have any queries, concerns or want to request that we change or delete your information you may contact the Derbyshire CCGs at the following address:

Data Protection Officer
Dr Steve Lloyd
First Floor
Cardinal Square
10 Nottingham Road
DE1 3QT  


Data Protection Officers are responsible for upholding your rights and making sure we process your information correctly.  

Concerns about how we are using your information 

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.  

For more information about Data Protection, or if you are unsatisfied with the way the your personal information has been handled, you can contact the national regulator, the Information Commissioner’s Office, at:  

The Office of the Information Commissioner Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AX Email:


Website and Social Media  

We will use the Internet to communicate with the public and promote public participation. Through our social media accounts and website, we will post photos, videos, and sound recordings of our work and events, which may sometimes include personal data. Although we seek consent, this may not always be possible when capturing large crowds or public street scenes. If you are ever unhappy about being included in any of these publications, please contact us.  

Communications undertaken by the CCG

For key functions of the CCG, it is essential that we maintain lists of professional contacts.  Where the CCG are communicating with the public about specific events or engagement – we will make announcements within local media, and contact those people who have expressed an interest in being kept informed and who have shared their contact details with us.  In this case, the CCGs do not share details with any other parties, and each person can withdraw their consent for the CCG to hold their information at any time.  

The lawful basis for processing this data is the consent of the individual data subject, and this can be withdrawn at any time. 

Where the CCG maintains contact lists of professional contacts, whether this be key primary care contacts, or contacts within care homes, pharmacies or optometrists – this is key to ensuring that information about CCG services and developments are shared with partners, and engagement across all care partners is maintained. Again, the CCG do not share details with any other parties. The lawful basis for this processing is one the two following:

Where the CCGs maintain contact lists of GP practice contacts, this is to enable the oversight and management of the GP Contract, and the lawful basis is Contract.

Where the CCGs maintain contact lists for services contracted via NHS England – for example optometrists, care homes, pharmacists and other care providers, the lawful basis for processing this data is the consent of the individual and company involved, and this can be withdrawn at any time. To do join or unsubscribe from this list please contact:

Covid-19 and Your Information (17 April 2020)

This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements the CCG’s main Privacy Notice. 

The health and social care system is facing significant pressures due to the Covid-19 outbreak. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the outbreak. In the current emergency it has become even more important to share health and care information across relevant organisations.

Existing law which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency is being used during this outbreak. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the Covid-19 outbreak. Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data. 

During this period of emergency, opt-outs will not generally apply to the data used to support the Covid-19 outbreak, due to the public interest in sharing information. This includesNational Data Opt-outs. Where data is used and shared under these laws your right to have personal data erased will also not apply. It may also take us longer to respond to Subject Access requests, Freedom of Information requests and new opt-out requests whilst we focus our efforts on responding to the outbreak. 

In order to look after your health and care needs we may share your confidential patient information including health and care records with clinical and non clinical staff in other health and care providers, for example neighbouring GP practices, hospitals and NHS 111. 

We will also be required to share personal/confidential patient information with health and care organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the outbreak. Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is here.   

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the Covid-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves. All the data held in the platform is subject to strict controls that meet the requirements of data protection legislation. 

In such circumstances where you tell us you’re experiencing Covid-19 symptoms we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. 

We may amend this privacy notice at any time so please review it frequently. The date at the top of this page will be amended each time this notice is updated. 

Last modified: 21/02/2022