The CCG no longer exists and we are now an Integrated Care Board click here to view our new site

Coronavirus updates, vaccination and testing information can be found here

Privacy policy

This privacy notice tells you about information we obtain, hold and use about you. It describes what we do with it, how we will look after it and who we share it with. It covers information we collect directly from you as well as information we may get from other individuals or organisations. 

This notice does not provide exhaustive detail. However, we keep and maintain accurate and detailed records about how your information is used. We can provide further detail and explanation outside of this information should it be requested and without charge. Contact details for us can be found at the end of this page. 

Any requests for further information should be sent to the contact address at the bottom of this page. 

  • How long we hold information for and our destruction arrangements 
  • Sharing your information with other organisations or individuals (third parties) 
  • Other organisations that provide services for us 
  • Protecting your privacy 
  • Your rights 
  • Subject access requests and requests to correct errors 
  • Opting Out 
  • Staff Related Information 
  • Further Information 
  • Our contact details 

Covid-19 and Your Information

This notice describes how we may use your information to protect you and others during the COVID-19 pandemic. It supplements our main Privacy Notice.

The health and social care system is facing significant pressures due to the COVID-19 pandemic. Health and care information is essential to deliver care to individuals, to support health and social care services and to protect public health. Information will also be vital in researching, monitoring, tracking and managing the pandemic. In the current emergency, it has become even more important to share health and care information across relevant organisations.

Existing laws, which allows confidential patient information to be used and shared appropriately and lawfully in a public health emergency, is being used during this pandemic. Using this law the Secretary of State has required NHS Digital; NHS England and Improvement; Arms- Length Bodies (such as Public Health England); local authorities; health organisations and GPs to share confidential patient information to respond to the COVID-19 pandemic. Any information used or shared during the COVID-19 pandemic will be limited to the period of the pandemic unless there is another legal basis to use the data. Further information is available from

and some FAQs on this law are available from NHSx

As a commissioning organisation, we process very little patient information. However, that being said we have teams within the CCG that process patient information due to the nature of their role and are as follows;

·     Continuing Healthcare

·     Individual Funding Request

·     Complaints

·     Referral Management

·     Safeguarding

·     Personal Health Budgets

Please note that during this time it may also take us longer to respond to Individual Rights requests which include right of access requests (also known as Subject Access requests) and Freedom of Information requests whilst we focus our efforts on responding to the pandemic.

In order to look after your health and care needs we may share your confidential patient information with other organisations. We may also be required to share personal confidential information with other organisations and other bodies engaged in disease surveillance for the purposes of protecting public health, providing healthcare services to the public and monitoring and managing the pandemic.  Further information from NHSx about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the COVID-19 response is available here

We may also use the details we have to send public health messages to you, either by phone, text or email.

NHS England and Improvement and NHSX have developed a single, secure store to gather data from across the health and care system to inform the COVID-19 response. This includes data already collected by NHS England, NHS Improvement, Public Health England and NHS Digital. New data will include 999 call data, data about hospital occupancy and A&E capacity data as well as data provided by patients themselves at the data held in the platform is subject to strict controls that meet the requirements of data protection legislation.   

In such circumstances where you tell us you’re experiencing COVID-19 symptoms and this is highlighted via one of our team we may need to collect specific health data about you.  Where we need to do so, we will not collect more information than we require and we will ensure that any information collected is treated with the appropriate safeguards. 

 We may amend this privacy notice at any time so please review it frequently. 

We hope that this Privacy Notice has been helpful in explaining how we may need to share your information in regards to the COVID-19 pandemic. If you have any further queries / or would like further information, please visit the following website:

Or contact us at:

Who we are

The Nottingham & Nottinghamshire Clinical Commissioning Group was established on the 1st April 2020 following the merger of NHS Nottingham City, NHS Nottingham West, NHS Nottingham North and East, NHS Rushcliffe, Mansfield & Ashfield and Newark & Sherwood CCGs. All General Practices in Nottinghamshire are members of the CCG. 

The CCG is responsible for ensuring there is effective planning, buying and monitoring of services from healthcare providers such as hospitals and GP practices in place. This means making sure that the NHS services that people need in the Nottinghamshire area are available as well as making sure that those services are high quality and value for money. This is known as “commissioning”. 

We need to use information about you to enable us to do this effectively, efficiently and safely. As Data Controllers, we are responsible for how your information is used and explaining that to you.  

For more information about the CCG please see our about us section.  

The Types Of Information We Use

For the majority of our work we do not need to know the personal details of individuals who live in our community, and this is our preferred way of working. It should be noted that information which cannot identify an individual is not covered by data protection law. There are different types of information collected and used across the NHS. We use six types of information/data: 

  • Anonymised data, which is data about you but from which you cannot be personally identified; 
  • De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified; 
  • De-identified data with weakly pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute hospital data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times whereby you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you; 
  • Anonymised information (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment. 
  • Personal data from which you can be personally identified 
  • Special category (sensitive) information/data about you from which you can be identified. 

Personal data and personal sensitive data are only used where it is lawfully and absolutely necessary. 

Information we collect

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning of healthcare services. We will only use anonymised data for this purpose which will mean you would not be able to be identified from that information. Examples of this include: 

  • Evaluation and review of services such as checking their quality and efficiency. 
  • Checking NHS accounts and services. 
  • Working out what illnesses people will have in the future so that we can work with the local primary care services such as GPs, community services and hospital services to make sure that patient needs are met. 
  • Preparing performance reports about the services we commission 
  • Reviewing the care we commission to make sure it is of the highest standard. 
  • We will only use information that may identify you (known also as personal, confidential data) in accordance with Data Protection law. Under Data Protection law we are required to have a legal basis if we wish to process any personal information. 

Reasons we might need to use personal information

The areas where we use personal information are: 

  • Individual funding requests – a process where patients and their GPs can request special treatments not routinely funded by the NHS. 
  • Continuing Healthcare Assessments (a package of care for those with complex medical needs). 
  • Personal Health Budgets – a process involving planning and agreement of a budget to support an individual’s health and wellbeing needs. 
  • Responding to your queries, concerns or complaints. 
  • Incident investigations. 
  • Assessment and evaluation of safeguarding concerns for individuals. 
  • If you are a member of our patient participation group, or have asked us to keep you up to date about our work and involved in our engagement and public consultations. 
  • Staff personal confidential information for employment purposes (see below for further information about staff personal information use). 

 We keep your information in written form and / or on a computer securely and confidentially. 

The records may include basic personal details about you, such as your name, address and NHS number. They may also contain more sensitive information about your health and also information such as outcomes of needs assessments, funding requests or details relating to your complaint investigation. 

To ensure that the NHS continues to run lawfully and efficiently, the Secretary of State for Health has given limited permission for us (and other NHS commissioners) to use certain confidential patient information without explicit consent, but only when it is necessary for the work listed above. We have to meet strict conditions that are set out in section 251 of the NHS Act 2006, and approval is given based on the advice of the Health Research Authority’s Confidentiality and Advisory Group 

Finance/validating invoices

Invoice validation is an important process in ensuring that patient care is paid for correctly. It involves using a patient’s NHS number to check which CCG is responsible for paying for their treatment. We can also use an NHS number to check that care has been funded through specialist commissioning, which NHS England pays for.  

The process makes sure that the organisations providing care are paid correctly. All information with NHS numbers collected to validate invoices is held within a secure, controlled environment within the CCG. The use of personal data by CCGs for invoice validation has been approved by the Confidentiality Advisory Group of the Health Research Authority and it is anticipated this will be in place until at least end of September 2018. This approval provides the legal basis for the CCGs to process personal data for invoice validation purposes. 

Risk stratification and proactive care management

Risk stratification is a process GPs use to help them to identify a person who may benefit from a targeted healthcare intervention and to help prevent un-planned hospital admissions or reduced the risk of certain diseases developing such as type 2 diabetes.  This is called risk stratification for case-finding. 

The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services.  This is called risk stratification for commissioning.  The CCG does not have access to person identifiable data.  The information is pseudonymised. 

Commissioning Purposes

Hospitals and community setting organisations that provide NHS-funded care must by law submit certain information to NHS Digital about services provided to you and the population we serve.  This information is known as commissioning datasets.  The CCG obtains these datasets from NHS Digital which relate to patients registered with our GP practices.  This enables us to plan, design, purchase and pay for the best possible care available for you 

The datasets we receive from NHS Digital have been linked and are in a format that does not directly identify you.  Information such as your age, ethnicity and gender as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included. 

We also receive similar information from the GP Practices within our CCG membership that also does not identify you. 

  • We use these datasets (Secondary User Service (SUS) Service Level Agreement Monitoring (SLAM)) for a number of purposes such as: 
  • Performance managing contracts; 
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care;  
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement; 
  • To help us plan future services to ensure they continue to meet our local population needs; 
  • To reconcile claims for payments for services received in your GP Practice; 
  • To audit NHS accounts and services. 

Patient Experience: Complaints, Concerns or Enquiries made to us

When we receive a complaint, concern or enquiry from a person, we make up a file containing the details of the complaint, concern or enquiry. This normally contains the identity of the person and any other individuals involved in the complaint, it may also include the person’s relevant medical records.  

We will only use the personal information we collect to process a concern or enquiry, or complaint in line with the NHS complaints regulations. We are required to disclose the person’s identity to the service that the complaint, concern or enquiry is about in order to carry out the complaint, concern or enquiry process. If a person making an enquiry or raising a concern does not want their identifying information to be disclosed, we will respect that but that may mean that the concern or enquiry is not able to be resolved fully. It is not possible to handle a complaint on an anonymous basis.  

We may pass on anonymised information from the complaint, enquiry or concern to our commissioners so that they can reflect on the experience of the person using the service, and where possible and appropriate use that information to improve the services we commission.  

We will keep personal information securely in uniquely referenced concern, enquiry and complaint files in line with our retention policy. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. 

Continuing Healthcare (CHC) 

We will process your personal data to approve funding packages based on the eligibility for Continuing Healthcare. The personal data will include details of your current health needs identified during assessment of eligibility for CHC and your medical history where relevant.  

For Mid-Nottinghamshire patients the service is provided by the CCG and for all other Nottingham & Nottinghamshire CCG patients the service is provided by Nottingham City Care Partnership on behalf of the CCG. 

The legal basis for data flows  

The CCG processes personal data under a variety of legal bases depending on the data being processed and the purposes it is processed. 

For each instance a legal basis is identified and recorded. The legal bases most commonly used are: 

Condition for processing personal data (from Article 6(1))  
the data subject has given consent to the processing of their personal data for one or more specific purposes;  This option may be used for example when we keep individuals up to date with general news and events in the CCG. For other uses of personal data it is usually a very last resort. Consent must meet criteria of being freely given, specific, informed and unambiguous indication with affirmative action (in agreement). 
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;  A less common used condition for our purposes for processing personal data. Required where a contract with an individual is or will be put in place. 
processing is necessary for compliance with a legal obligation to which the controller is subject;  Applies where there is another legal requirement. It may be a court order or a duty under another law. 
processing is necessary in order to protect the vital interests of the data subject;  Where the matter is concerns an instance of life or death. 
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;  The most likely condition to be used by the CCG for processing of personal data. 
Condition processing special category (sensitive) personal data (from Article 9 (2)0  
Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law. Used in limited instances (as above). Explicit consent must meet criteria specified under data protection law. 
Necessary for the carrying out of obligations under employment, social security or social protection law, or a collective agreement We would use this condition for processing personal data about staff for employment purposes 
Necessary to protect the vital interests of a data subject who is physically or legally incapable of giving consent. Used where the matter concerns an instance of life or death and an individual affected is not able to make a decision themselves. 
Necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity. Used in instances of legal matters. 
Necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguarding measures.   
Necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional Most commonly applied condition for the CCG processing personal data for the management of health or social care systems. 
Necessary for reasons of public interest in the area of public health, such as protecting against serious cross border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices Used for public health purposes. 

(Section 251 of the NHS Act 2006) 

The Secretary of State for Health gives limited permission for CCGs (and other NHS commissioners) to use certain confidential patient information when it is necessary for our work for purposes other than direct care such as information from NHS Digital for commissioning, Risk Stratification and Invoice Validation. 

This approval is given under Regulations made under Section 251 of the NHS Act 2006 and is based on the approval of the Health Research Authority’s Confidentiality and Advisory Group

This allows the Secretary of State for Health to make regulations to set aside the common law duty of confidence for defined medical purposes. Section 251 came about because it was recognised that there were essential activities of the NHS, and important medical research, that required the use of identifiable patient information – but, because patient consent had not been obtained to use people’s personal and confidential information for these other purposes, there was no secure basis in law for these uses. 

Section 251 was established to enable the common law duty of confidentiality to be overridden to enable disclosure of confidential patient information for medical purposes, where it was not possible to use anonymised information and where seeking consent was not practical, having regard to the cost and technology available. 

More information about Section 251 is available from the Health Research Authority web site. 

How long we hold information for and our destruction arrangements  

All records held by the CCG will be kept for the duration specified by national guidance from NHS Digital (Information Governance Alliance), found in the Records Management Code of Practice for Health and Social Care 2016. 

In all circumstances data will be retained in accordance with data protection requirements and ‘kept for no longer than is absolutely necessary’. 

Once data is no longer required it will be destroyed securely: 

  • Paper records will be destroyed in line with international standards. Where external confidential waste suppliers are used these will be under contract and assurance that destruction meets the necessary legal requirements and standards. 
  • For digital media permanent destruction will be achieved by over writing the media a sufficient number of times or physical destruction of media by breaking it up into small pieces. 

Sharing your information with other organisations or individuals (third parties) 

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS and social care partner agencies for the purpose of improving local services, research, audit and public health. 

We would not share information that identifies you unless; 

  • You have given us permission • This is anonymised and therefore non-personal data • We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime • It is necessary to protect children and vulnerable adults from harm • A formal court order has been served upon us; and/or  • For the health and safety of others, for example to report an infectious disease like meningitis or measles. 

Other organisations that provide services for us 

We have entered into contracts with other NHS organisations to provide other services for us. These include holding and processing data including patient information on our behalf in provision of Information Technology (IT) services or providing human resources services for our staff. These services are subject to the same legal rules and conditions for keeping personal information confidential and secure. We are responsible for making sure that staff in those organisations are appropriately trained, that procedures are in place to keep information secure and protect privacy. 

The CCG also has services that support this function provided by a Data Management Team. These services are also subject to the same legal rules and conditions for keeping personal information confidential and secure. Where possible a pseudonymisation technique (whereby identifiable information is replaced with an alias) is used so that other NHS staff processing data on our behalf do not have access to information such as the NHS number and data cannot be tracked back to individuals. 

We will not otherwise share, sell or distribute any of your personal information to any third party (other person or organisation) without your consent, unless required by law. Data collected will not be sent to countries where the laws do not protect your privacy to the same extent as the law in the UK, unless rigorous checks on the security and confidentiality of that data are carried out in line with the requirements of the General Data Protection Regulation. 

Protecting your privacy 

We are committed to protecting your privacy and will only process personal information in accordance with the General Data Protection Regulation, the Data Protection Act 2018, the Human Rights Act 1998 and the Common Law Duty of Confidence.  

The CCG is a Data Controller under the terms of data protection law and is legally responsible for ensuring that all personal information that is processed i.e. held, obtained, recorded, used or shared about individuals is done in compliance with the six Data Protection Principles. All data controllers must notify the Information Commissioner’s Office of all personal information processing activities. Our registration details can be found on the public register of Data Controllers: Information Commissioner’s Public Register of Data Controllers. 

 All information that we hold about individuals will be held securely and confidentially. We use administrative and technical controls to do this. All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures. We will only use the minimum and proportionate amount of personal information necessary. Where possible we will use information that does not directly identify individuals, but when it becomes necessary for us to know or use personal information a person, we will only do this when we have either a legal basis or have that person’s consent. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies individuals, where it is appropriate to their role, and is strictly on a need-to-know basis. 

The CCG has a Caldicott Guardian (see “Contact us”, below) who is the person responsible for protecting the confidentiality of patient information and enabling appropriate and lawful information sharing. 

Your rights 

You have certain rights under Data Protection legislation, including: 

  • to have your information processed fairly and lawfully 
  • to request access any personal information we hold about you (Subject Access Request) 
  • the right to privacy, and to expect the NHS to keep your information confidential and secure 
  • the right to restrict processing. 
  • to request that any inaccurate data that we hold about you is corrected 
  • in some circumstances the right to data portability. 
  • in some circumstances to have data erased. 
  • to object to automated decision making and profiling.  Currently the CCG does not use automated individual decision-making (making a decision solely by automated means without any human involvement).   

These are commitments set out in the NHS Constitution, for further information please visit: 

Subject Access Requests and How to Exercise Other Rights 

Individuals can access personal information about them by making a ‘subject access request’ under the EU General Data Protection Regulation. If we do hold information about you we will: 

  • confirm this to you; 
  • give you a copy in a format that is easy to understand; 
  • provide the information within one month, or contact you if that is not going to be possible; 
  • not charge you a fee; unless there are extenuating circumstances. 

To make a request for any personal information we may hold and/or to exercise any of your other rights under Data Protection legislation please contact us using the details at the end of this page. 

Opting out 

Confidential information can be used for improving health, care and services including: 

  • planning to improve health and care services 
  • research, for example to find a cure for serious illnesses. 

If you do not wish us to share or process your information for purposes beyond your direct care, or have any concerns then please let us know. There are two types of objection that can be applied to your information –  

Type 1 opt-out

If you do not want personal confidential data to be shared outside your GP practice, for purposes beyond your direct care you can register a type 1 opt-out with your GP practice. Patients are only able to register the opt-out at their GP practice. 

National Data Opt-Out: information held by NHS Digital 

Previously you could tell your GP surgery if you did not want NHS Digital, to share confidential patient information that it collects from the across the health and care service for purposes other than your individual care. This was called a type 2 opt-out. 

From 25 May 2018 the type 2 opt-out has been replaced by the National Data Opt-Out. Any type 2 opt-outs recorded by your GP practice up to 11th October 2018 have been automatically converted to a National Data Opt-out 

Objections will be respected, except in very limited circumstances such as: 

  • You have given explicit permission for a particular use of data (e.g. a research project) • Data is anonymised and therefore non personal data • We are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime • It is necessary to protect children and vulnerable adults from harm • A formal court order has been served upon us • For the health and safety of others, for example to report an infectious disease like meningitis or measles. 

You have the right to refuse/ withdraw consent to information sharing at any time and your decision will not affect your individual care. 

Further information on the National Data Opt-Out and how to set a National Data Opt-Out can be found here at: 

Staff Related Information  

Job Applications, Current and Former Employees 

When individuals apply to work at Nottingham and Nottinghamshire CCG, we will use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference we will not do so without informing them beforehand unless the disclosure is required by law. 

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data. 

Once a person has taken up employment with us, we will compile a file relating to their employment. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s employment. Once their employment with the Nottingham and Nottinghamshire   Clinical Commissioning Group has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it. 

In order to comply with our obligations as an employer we will need to share your personal information with other organisations for the purpose of managing your employment, these are: 

  • NHS Arden & GEM CSU 
  • COPE (Consultants in Occupational Health, Physiotherapy and Ergonomics)   
  • Sugarman Health and Wellbeing  
  • NHS  Shared Business Services 

Further information 

The links below give more information about your rights and the ways that the NHS uses personal information: 

Our Contact Details 

If you have any questions or concerns regarding how we use your information or wish to submit a Subject Access Request for access to personal information, please contact us at: 

Information Governance 

NHS Nottingham & Nottinghamshire CCG 

Sir John Robinson House
Sir John Robinson Way


Telephone: 0115 883 9508 

Caldicott Guardian 

The contact details for the Nottingham & Nottinghamshire CCG Caldicott Guardian, who is the most senior person in the organisation responsible for patient confidentiality, are: 

Rosa Waddingham, Chief Nurse & Director of Quality: 

Data Protection Officer 

Loretta Bradley 

Information Governance 

NHS Nottingham & Nottinghamshire CCG 

Sir John Robinson House
Sir John Robinson Way


Telephone: 0115 883 9508 

Data Protection Regulator 

If you have any concerns about the processing of your information you may also contact the Data Protection Regulator: 

Information Commissioner’s Office 
Wycliffe House 
SK9 5AF 

This privacy notice was reviewed in April 2020.