Who we are and what we do.
NHS East Surrey Clinical Commissioning Group (CCG) is responsible for commissioning (buying) hospital, community and mental health services across East Surrey. We are made up of 17 GP member practices that work together to ensure the people of East Surrey have access to high quality healthcare services. East Surrey CCG is the local NHS organisation that brings together local GPs and other experienced health professionals to take on planning, buying and monitoring responsibilities (also known as commissioning) for local health services. The CCG is responsible for planning, buying and monitoring:
- the care and treatment you may need in hospital and community health services, including district nurses, physiotherapy and other therapies
- mental health services
- the medicines you may be prescribed
We also have a role which includes managing patient feedback, including complaints, from our patients about services offered. This helps us to understand what is working well and what is causing problems for our patients.
The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website.
You can search by our CCG name or ICO Data Protection Register number: Z3622215.
The CCG is not responsible for hospital records or information held by your GP e.g. your GP record.
How we keep your information confidential and safe
Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence cannot normally be disclosed without your consent. However there are circumstances which may override this duty of confidence, for example where a disclosure is ordered by the courts.
The NHS Confidentiality Code of Practice requires all our staff to protect your information, tell you how it will be used, and allow you to decide if, and how, it can be shared.
We are also required to comply with other legislation relating to the use of personal information such as the Data Protection Act 1998.
We work closely with NHS South, Central and West Commissioning Support Unit to help ensure that your information is kept confidential and safe. You can read more about this in the following sections.
The CCG’s Accountable Officer is responsible for protecting the confidentiality of patient information. This person is supported by a Caldicott Guardian and another executive member of staff who is responsible for information risk and information security; this person is called the Senior Information Risk Owner or SIRO. The CCG’s Caldicott Guardianis responsible for protecting the confidentiality of patients’/service-users’ information and enabling appropriate information sharing, acting as the 'conscience' of the organisation. The Senior Information Risk Owner (SIRO) is responsible for the correct handling of information within our CCG as well as any other organisations that we may buy services from.
The SIRO and Caldicott Guardian can be contacted via: 01883 772800
What kind of Information do we use?
The CCG uses the following types of information/data:
- anonymised - about individuals but with identifying details removed
- identifiable - containing details that identify individuals
- pseudonymised - about individuals but with identifying details (such as name or NHS number) replaced with a unique code
- aggregated - anonymised information grouped together so that it doesn't identify individuals.
What do we use anonymised, pseudonymised and aggregated? data for?
We use anonymised data to plan health care services. Specifically we use it to:
- check the quality and efficiency of the health services we commission
- prepare performance reports on the services we commission.
- predict what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future
- review the care being provided to make sure it is of the highest standard.
What is my sensitive and personal information used for?
There are some times when the CCG may hold and use sensitive personal information about you. For example the CCG is required by law to perform certain services that involve the processing of sensitive personal information.
The areas where we regularly use sensitive personal information include:
- a process where you or your GP can request special treatments that are not routinely funded by the NHS, which are known as individual funding requests
- assessments for continuing healthcare and appeals
- responding to your queries, compliments or concerns
- assessment and evaluation of safeguarding concerns
Where there is a provision permitting the use of sensitive personal information under specific conditions, for example to:
- understand the local population needs and plan for future requirements, which is known as “risk stratification for commissioning".
- ensure that the CCG is billed accurately for the treatment of its patients, which is known as “invoice validation”.
- monitor access to services, waiting times and particular aspects of care.
Sensitive personal information may also be used in the following cases:
- the information is necessary for your direct healthcare
- CCGs responding to patients, carers or member of Parliament communication
- you have freely given your informed agreement (consent) for us to use your information for a specific purpose
- here is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
- there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
Do you share my information with other organisations?
We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.
The law provides some NHS bodies, particularly NHS Digital, (formally the Health and Social Care Information Centre) ways of collecting and using patient data that cannot identify a person, to help Commissioners to design and procure the combination of services that best suit the population they serve.
It is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation. This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (hospital inpatient, outpatient and A&E data). When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity as the CCG does not have any access to patient identifiable data for this purpose.
NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how NHS Digital looks after information for more detailed documentation.
NHS England recognises the importance of protecting personal and confidential information in all that it does, all it directs or commissions, and takes care to meet its legal duties. Follow the links on the NHSE How we use your information page for more details.
Details of other organisations we share information with.
We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.
Although this is not an exhaustive detailed listing, the following lists key examples of the purposes and rationale for why we collect and process information;
Before awarding any contract and during the life of the contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.
What if I don’t want information about me shared with others?
If you do not want your information to be used for purposes beyond providing your care you can choose to opt out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices.
There are two types of opt-outs available at different levels. These include:
Type 1 opt-out
If you do not want personal confidential information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
Records for patients who have registered a ‘Type 1 opt-out’ will be identified using a particular code that will be applied to your medical records that will stop your records from being shared outside of your GP Practice.
Type 2 opt–out
NHS Digital collects information from many places where people receive care, such as GP Surgeries, hospitals and community services.
To support their NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care; this is known as a 'Type 2 opt-out'.
If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.
For further information and support about Type 2 opt-outs you can contact NHS Digital:
Tel: 0300 303 5678
Visit the website http://content.digital.nhs.uk/article/7092/Information-on-type-2-opt-outs
Accessing your information
Under the Data Protection Act 1998, you have the right to see or be given a copy of personal data held about you. To gain access to your information you will need to make a Subject Access Request. Please be aware that we can only provide information held by us at the CCG and not information held by any other NHS organisation e.g. your GP.
There is no charge for providing this information.
If you wish to make a Subject Access Request or have any other concerns or questions please contact the Information Governance Team at:
NHS East Surrey CCG
Tandridge District Council Offices
8 Station Road
Tel 01883 772800
Please note that in order to respond to a Subject Access Request we will need to share information about you with the NHS South, Central and West CSU.
If you are not happy with our response to your subject access request please refer to our complaints process add hyperlink? If you have exhausted this process, wish to take your complaint to an independent body, and your complaint relates to Subject Access Requests or the handling of your personal information, you can contact the Information Commissioner's Office in writing at the following address:
You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number.
They are also contactable via email: firstname.lastname@example.org
Freedom of Information Requests:
The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.
If you have a comment, compliment or complaint about health services in East Surrey then please contact the complaints team.
If you would like this document in large print, on tape or in another language please contact us:
NHS East Surrey CCG
Tandridge District Council Offices
8 Station Road
Tel 01883 772800