How we use your information (Privacy Notice)

Privacy Notice

NHS Swale Clinical Commissioning Group (CCG) is responsible for buying (also known as commissioning) health services from healthcare providers such as hospitals and GPs, for our local population. We also monitor the performance and quality of these services. In general we only use data that has been anonymised or pseudonymised[1] for these purposes. For further information on who the CCG are and what we do please visit our About Us page

This Privacy Notice tells you about

  • Who we are
  • The type of information (including personal data and special categories of information) that the CCG holds and why.
  • How the CCG uses the information.
  • Who the CCG may share that information with.
  • How we keep the information, safe, secure and confidential.
  • How you can contact us regarding your rights.

Full details on each data flow are included in the Data Flows Map section below.

The CCG is a Controller under the terms of the General Data Protection Regulations (GDPR) / Data Protection Act 2018 (the Act). This means we are legally responsible for ensuring that all personal information that we process i.e. hold, obtain, record, use or share about you is carried out in compliance with the Data Protection Principles.

All Controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is Z3589887 and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Under the new General Data Protection Regulation (GDPR), which comes into force on the 25 May 2018, the CCG as a public authority must appoint a data protection officer (DPO). All CCGs must also appoint a Caldicott Guardian and Senior Information Risk Officer (SIRO). We have already established these roles – please see the key individuals section below for more information.

In addition to this privacy notice, the CCG has a staff privacy notice in place, available to download HERE

[1] Pseudonymised data/information is anonymous to the people who hold or receive it (e.g. a research team), but contains information or codes that would allow others (e.g. those responsible for the individual’s care) to identify an individual from it.

Our Commitment to Data Privacy, Security and Confidentiality

We are committed to protecting your privacy and will only process personal confidential data in accordance with the Data Protection Act 2018, the Common Law Duty of Confidentiality and the Human Rights Act 1998.

Everyone working for the NHS has a legal duty to keep information about you confidential and comply with the Common Law Duty of Confidence. The information we do hold about you, whether in paper or electronic form, is therefore protected from unauthorised access. Under the NHS Confidentiality Code of Conduct, all our staff are also required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. The NHS Care Record Guarantee and NHS Constitution provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this, such as the issuing of encrypted secure IT equipment to all staff. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going Data Security Awareness training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

We will not share any information about you to any third party. We will only obtain and use the minimum amount of information necessary about you.

Roles within the CCG

For information on how to contact the CCG’s Data Protection Officer, Caldicott Guardian or Senior Information Risk Owner, please see the contact details in the complaints and questions section below.

Data Protection Officer

The Head of Corporate Governance is the CCG’s Data Protection Officer. Contact details for the Data Protection Officer can be found within the complaints or questions section below.

The DPO’s minimum tasks are defined in Article 39 of the GDPR. These are

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed

Caldicott Guardian

All NHS organisations are required to appoint a Caldicott Guardian to ensure compliance with patient data confidentiality. The CCG’s Caldicott Guardian is Chief Nurse Paula Wilkins, who is responsible for protecting the confidentiality of patients’ and service-users’ information and enabling appropriate information-sharing.

The Caldicott Guardian plays a key role in ensuring that the CCG satisfy the highest possible standards for handling personal information.

Acting as the ‘conscience’ of an organisation, the Caldicott Guardian actively supports work to enable information sharing where it is appropriate to share, and advises on options for lawful and ethical processing of information.

Senior Information Risk Officer (SIRO)

In addition to the Caldicott Guardian, CCGs also have a SIRO who owns the CCG’s overall information risk policy and risk assessment process. This involves ensuring there are robust incident reporting process for any information risks identified by the CCG. The CCG’s SIRO is the Company Secretary.

Why the NHS collects information about you

The NHS aims to provide you with the highest quality health care. To do this we must keep records about you, your health and the care we have provided or plan to provide to you.

Your doctor and other health professionals caring for you, such as nurses or physiotherapists, keep records about your health and treatment so that they are able to provide you with the best possible care. These records are called your ‘health care record’ and may be stored in paper form or on computer and electronic systems and may include:

  • Basic details about you, such as your address, date of birth, NHS number, and next of kin.
  • Details of the contacts we have had with you, such as clinical visits.
  • Notes and reports about your health.
  • Details and records about your treatment and care results of x-rays, laboratory tests etc. Your health care records are used for the following reasons:
  • By healthcare professionals looking after you to have accurate and up-to-date information about you to help them decide on any future care you may require.
  • To ensure accurate and complete information is available, should you see another doctor or be referred to a specialist or another part of the NHS.
  • To have a good basis for assessing the type and quality of care you have received.
  • To ensure your concerns can be properly investigated if you need to complain.

How your data is used to help the NHS

The law provides some NHS bodies, such as NHS Digital, the ability to collect and use patient data that cannot identify a person which they can then provide to help commissioners (CCGs) to design and acquire the combination of services that best suit the population they serve.

Data may be linked and anonymised by these bodies so that it can be used to improve health care and development and monitor NHS performance. This is often referred to as a ‘secondary use’ of data. Where data is used for these statistical purposes, rigorous measures are taken to ensure individual patients cannot be identified (see information below regarding anonymisation).

Information the CCG collects and how we use it

For the majority of the work that the CCG carries out, we do not need to use personal confidential data and wherever possible, anonymised data is used. Anonymised data refers to the process of turning personal and/or sensitive data into a form which does not identify individuals and where identification is not likely to take place. The Data Protection Act 2018 / GDPR only applies to personal identifiable information and therefore anonymised data is not covered by the act as there is only a slim, to no, chance of the information being re-identifiable.

We hold information centrally which is used for statistical purposes to allow us to plan the commissioning (funding) of healthcare services. We will only use anonymised data for this. Examples of this include:

  • To check the quality and efficiency of the health services we commission.
  • To prepare performance reports on the services we commission.
  • Checking NHS accounts and services.
  • Working out what illnesses people will have in the future so that we can work with the local services to make sure that patient needs are met.
  • Reviewing the care we commission to make sure it is of the highest standard.As the CCG is a commissioning organisation responsible for funding services, we do not provide any healthcare services and therefore we do not routinely hold medical records or patient confidential data. There are some specific areas, however, where we do hold and use personal confidential information. In order to process that information we will have met a legal requirement, as follows:
    • Meeting a legal basis for processing under the Data Protection Act 2018.
    • To protect children or vulnerable adults.
    • Where there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime.
    • Where there is a legal requirement that will allow us to use or provide information (e.g. a formal court order).
    • Where we have special permission for health or research purposes (granted by the Health Research Authority Section 251).
    • For the health and safety of others, for example to report an infectious disease.The CCG has a limited number of functions, where personal confidentiality is required. Full details of these functions are included within the Data Flows Map section.

Your Rights (including opt outs and accessing your data)

The GDPR / Data Protection Act 2018 provides the following rights for individuals depending on the legal basis for processing as identified within the data flows map at the end of this notice:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights related to automated decision making including profiling.

Further information on these rights can be accessed here.

If you wish to exercise any of the rights available to you, or to speak to somebody to understand what impact this may have, if any, please contact the Data Protection Officer using the contact details in the complaints or questions section below:

Data Subject Access Requests

Under the GDPR / Data Protection Act 2018, you have the right to make a request to see or obtain copies of the information that the CCG holds about you; this is referred to as a Subject Access Request. Under the Act you are entitled to be told if any personal information is held about you, and if it is, to be given:

  • A copy of the information in permanent form if requested.
  • An explanation of any technical or complicated terms e.g. medical terminology or abbreviations.
  • An explanation of where we got your information from.
  • A description of the information, the purposes for processing the information, who we are sharing the information with, if anyone, and how long we will be keeping the information.
  • Information on the safeguards in place for any data being transferred outside of the European Union
  • An explanation of the logic involved in any automated decisions (if you have specifically asked for this)
  • Information regarding your other rights under the GDPR / Data Protection Act 2018.

To view or access a copy of your health records please write to the Data Protection Officer using the contact details in the complaints or questions section below, giving as much detail as possible on the record(s) you wish to access.

We will ask you for proof of your identity and proof of your address. The CCG then has one month to respond to your request, from receipt of the above information.

The CCG is able to extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, the CCG will inform you within one month of the receipt of the request and explain why the extension is necessary.

As noted above, the CCG holds limited health information about you where it can use this for direct care purposes. You may also need to contact those NHS organisation(s) where you are being, or have been treated.

Further information on Data Subject Access Requests can be found via the Information Commissioners Office (ICO).

Can I access the records of my children?

You may be able to access the records of your child/children.  However, if a clinician has stated that he/she believes your child/children to be competent to make their own decisions, then you will not have an automatic right of access. If this is the case, any requests for copies of your child’s records will need to be with the consent of your child

To apply for access, please use the procedure above.

How long will it take?

We are obliged to comply with our obligations promptly, within one month from the date your request is received. If clarification of your request is needed, the one month period does not start until that is received.

How much will it cost?

The CCG will provide a copy of your information free of charge. However, the CCG can charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive. The CCG may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that the CCG will charge for all subsequent access requests. The fee will be based on the administrative cost of providing the information.

Can I be refused access to my health records?

You can be refused access to your records or part of them if:

  • Your healthcare provider/clinician thinks you or someone else could be harmed as a result of the disclosure.
  • The information relates to, or was provided by, a third party (that is someone other than yourself) and they have not given their permission for their comments to be divulged to you.Manifestly unfounded or excessive requests
  • Where requests are manifestly unfounded or excessive, in particular because they are repetitive, the CCG can:
  •  Charge a reasonable fee taking into account the administrative costs of providing the information; or
  • Refuse to respond.Where the CCG refuses to respond to a request, we will provide a full explaination as to the reasons why to the individual, informing them of their right to complain to the Information Commissioners Office and to a judicial remedy without undue delay, at the latest within one month.

Should you be unhappy with the outcome of your request, you should in the first instance contact the CCG who will discuss your request and any ongoing concerns you may have.

You are also free to contact the Information Commissioner’s Office directly in the event you remain dissatisfied whose contact details are included within the questions and complaints section below.

Can I access the records of a deceased person?

Under the Access to Health Records Act 1990, you may request access to the records of a deceased person if you are the executor of their will, or if you have a claim on them.  However, if the deceased person has stated in their will that they do not wish anyone to have access, their wishes must be upheld.

To request access to a deceased person’s records please write to the following:

Primary Care Support England
Faith House, 2 St Faiths Street,
Maidstone Kent ME14 1LL

General Enquiries: 01622 655 000

Opting out

You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. If your wishes cannot be followed you will be told the reasons (including the legal basis) for that decision. This includes situations such as to fulfil our safeguarding obligations and any areas where we have legal obligations to share your information.

If you wish to exercise your right to opt-out, or to speak to somebody to understand what, if any, impact this may have please contact the Data Protection Officer using the contact details in the complaints or questions section below:

Information collected by other NHS organisations

There are two types of opt-out, detailed below. If you do wish to apply either opt-out you will need to register this with your GP practice and they will mark your choice in your medical record. Please note you can also withdraw either opt-out at any time by informing your GP practice.

Type 1 opt-out

This opt-out applies if you do not want personal confidential information that identifies you to be shared outside your GP practice for purposes beyond your direct care. This prevents your personal confidential information from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.

Records for patients who have registered a Type 1 opt-out will be marked with a particular code which automatically stops the records from being shared outside of the GP Practice system.

Type 2 opt-out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. A Type 2 opt out applies if you do not want your personal confidential information to be shared outside of NHS Digital for purposes other than for your direct care. A direction from the Secretary of State sets out the Department of Health policy as to how Type 2 opt-outs must be applied and instructs NHS Digital to apply Type 2 opt-outs from 29 April 2016.

When NHS Digital have collected information about your Type 2 opt-out from your GP practice they use that to create a record of all current Type 2 opt-outs. Then NHS Digital use that record to check against any set of data that is to be made available by NHS Digital to another organisation and remove all of your personal confidential information if it is in that data set, before that data is made available.

The direction sets out the scope of when your Type 2 opt-out does not apply, such as when there is a legal requirement to release information, or where you have given your consent to a specific release of your information.

There are also some limited circumstances, which are set out in the direction, when NHS Digital will not apply your Type 2 opt-out to information made available. These are cases where:

  • The Secretary of State for Health has identified the information flow is very important.
  • There are complex technical barriers that make it very difficult to apply opt-outs. For more information on how NHS Digital collect and use opt-out information

Changes to opt outs from the 25 May 2018

NHS Digital is developing a new system to support the national data opt-out which will give patients more control over how identifiable health and care information is used. The system will offer patients and the public the opportunity to make an informed choice about whether they wish their personally identifiable data to be used just for their individual care and treatment or also used for research and planning purposes.

NHS Digital is developing the system now and further information is available at Patients and the public will be able to use the system from 25 May 2018. All health and care organisations will be required to uphold patient and public choices by March 2020. The national data opt-out will be introduced alongside the new data protection legislation.

Further information on how to access the opt out will be published on this page as soon as it is available.

Retaining and Destroying Information


Any information obtained by the CCG will be retained for as long as is necessary for the purpose we collected it for.

Records are kept in accordance with Data Protection Act 2018 principles and are maintained in line with the Records Management Code of Practice for Health and Social Care retention schedule which determines the length of time records should be kept. Further information on retention periods is included within the data flows map under the ‘Information the CCG collects and how we use it’ section above.

For further information regarding how your records are managed, stored and retained please see the Records of Management Code of Practice.


Destruction of data will only happen following a review of the information at the end of its retention period. Where data has been identified for disposal we have the following responsibilities:

  • To ensure that information held in manual form (regardless of whether originally or printed from the IT systems) is destroyed using a reputable confidential waste company that complies with European Standard EN15713.
  • To ensure that electronic storage media used to hold or process information are destroyed or overwritten to current CESG standards.
  • To retain copies of all relevant overwriting verification reports and/or certificates of secure destruction of NHS information at the conclusion of the contract (where we have contracted with external organisations to do this for us).
  • To ensure that any arrangement made to sub-contract secure disposal services from another provider, complies with clause GC12 of the NHS Standard Contract and with assurance that the sub-contractor’s organisational and technical security measures comply with the Data Protection Act 2018.

Complaints or questions

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the CCGs Data Protection Officer, Helen Foreman, at this email address:

Or by post to: Swale CCG, Bramblefield Clinic, Groverhurst Road, Kemlsey, Sittingbourne, Kent, ME10 2ST

Phone: 03000 425100

Further information on the Data Protection Officer’s role and responsibilities can be found under the section below on our commitment to data privacy, security and confidentiality.

For independent advice about data protection, privacy and data-sharing issues, or to make a complaint about how your data is used and processed, you can contact:

The Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Phone: 08456 30 60 60 or 01625 54 57 45


Reviews and changes to this page

We will keep our privacy notice under regular review. This privacy notice was last reviewed in May 2018.

A full copy of the data flows map which details individual data processor activities, including the purposes and rationale for why we collect and process information can be accessed HERE

A word version of this document can be downloaded HERE