How your information is used

This is the Privacy Notice for BaNES CCG.

1. Who we are

Bath and North East Somerset Clinical Commissioning Group (BaNES CCG) is responsible for securing, planning, designing and paying for your NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services. This is known as commissioning. We need to use information about you to enable us to do this effectively, efficiently and safely. For further information about the CCG please refer to the ‘About Us’ page on our website: To contact us about any of the points in this notice:

2. What is this document about?

This document tells you about information we collect and hold about you, what we do with it, how we will look after it and who we might share it with. It covers information we collect directly from you or receive from other individuals or organisations.

This notice is not exhaustive. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to or by post to:

Bath and North East Somerset Clinical Commissioning Group
St.Martin’s Hospital
Clara Cross Lane

3. Reviews of and changes to this page

We will keep our privacy notice under regular review. This privacy notice was last reviewed in May 2018.

4. Our commitment to data privacy and confidentiality

We are committed to protecting your privacy and will only process personal confidential data lawfully and in accordance with the Data Protection Legislation. This includes the General Data Protection Regulation (EU) 2016/679 (GDPR), the Data Protection Act (DPA) 2018, the Law Enforcement Directive (Directive (EU) 2016/680) (LED) and any applicable national Laws implementing them as amended from time to time.

In addition, consideration will also be given to all applicable Law concerning privacy, confidentiality, the processing and sharing of personal data including the Human Rights Act 1998, the Health and Social Care Act 2012 as amended by the Health and Social Care (Safety and Quality) Act 2015, the common law duty of confidentiality and the Privacy and Electronic Communications (EC Directive) Regulations.

BaNES CCG is a Data Controller under the terms of the GDPR. We are legally responsible for ensuring that all personal information that we hold and use is handled in compliance with the law.

All data controllers must register with the Information Commissioner’s Office (ICO). Our ICO Data Protection Register number is Z362781X and our entry can be found in the Data Protection Register on the Information Commissioner’s Office website.

Everyone working for the NHS has a legal duty to keep information about you confidential. The NHS Care Record Guarantee, the NHS Constitution, the Health and Social Care Information Centre Guide to Confidentiality, and the NHS Confidentiality Code of Practice provide a commitment that all NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

If you are receiving services from the NHS, we share information that does not identify you (anonymised) with other NHS, academic institutions and social care partner agencies for the purpose of improving local services, research, audit and public health.

We would not share information that identifies you unless we have a fair and lawful basis such as:

  • You have given us permission;
  • To protect children and vulnerable adults;
  • When a formal court order has been served on us;
  • When we are lawfully required to report certain information to the appropriate authorities e.g. to prevent fraud or a serious crime;
  • Emergency Planning reasons such as for protecting the health and safety of others;
  • When permission is given by the Secretary of State for Health or the Health Research Authority (HRA) on the advice of the Confidentiality Advisory Group to process confidential information without the explicit consent of individuals.

The CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, or where undertaking a public function, in order to prevent and detect fraud.

All information that we hold about you will be held securely and confidentially. We use administrative and technical controls to do this. We use strict controls to ensure that only authorised staff are able to see information that identifies you. Only a limited number of authorised staff have access to information that identifies you where it is appropriate to their role and is strictly on a need-to-know basis.

All of our staff, contractors and committee members receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.

In all circumstances we will only use the minimum amount of information necessary about you.

We will only keep information for as long as is necessary and in accordance with the retention periods set out in the Records Management Code of Practice for Health and Social Care 2016 –

When the retention period has expired and the information is no longer necessary for the stated purpose, the information will be destroyed. Personal confidential data held on paper is securely destroyed by Evergreen Security Shredding Ltd. Personal confidential data held electronically is securely destroyed by SCWCSU.

5. Overseas transfers

Your information will not be sent outside of the United Kingdom unless we are sure that your privacy will be protected in the same way as it would be in the UK. We will never sell any information about you.

6. Your rights

You have certain legal rights, including a right to have your information processed fairly and lawfully. You have the right to privacy and to expect the NHS to keep your information confidential and secure.

GDPR provides the following rights for individuals:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling.

7. What is the patient opt-out?

The NHS Constitution states “you have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered”. There may be occasions when it is not possible to exercise your right to “opt out”, such as when we have an obligation by law or for the purposes of safeguarding adults and children.

It is also important to note that by opting out there could be consequences, which will be discussed with you if you are considering using an opt-out.

There are several forms of opt-out available at different levels. These include for example:

  1. Information directly collected by the CCG:

Your choices can be exercised by withdrawing your consent for the sharing of information that identifies you, unless there is an overriding legal obligation.

  2. Information not directly collected by the CCG, but collected by organisations that provide NHS services:

7.1 Type 1 opt-out

If you do not want personal confidential data that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used, except when it is required by law and your consent is not needed, such as a public health emergency like an outbreak of a pandemic disease.

Patients are only able to register the opt-out at their GP practice.

Records for patients who have registered a ‘Type 1 opt-out’ will be identified by a particular code applied to your medical records, which will stop your records from being shared outside of your GP Practice.

7.2 Type 2 opt-out

NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.

To support those NHS constitutional rights, patients within England are able to opt out of their personal confidential data being shared by NHS Digital for purposes other than their own direct care; this is known as a ‘Type 2 opt-out’.

If you do not want your personal confidential information to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a ‘Type 2 opt-out’ with your GP practice.

Patients are only able to register the opt-out at their GP practice.

7.3 Further information and support about Type 2 opt-outs

For further information and support relating to Type 2 opt-outs please contact the NHS Digital contact centre at referencing ‘Type 2 opt-outs – Data requests’ in the subject line; or

Call NHS Digital on (0300) 303 5678; or

Visit the website

8. Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

9. Subject access requests

Individuals can find out if we hold any personal information by making a ‘subject access request’ under the GDPR. If we do hold information about you we will:

  • Give you a description of it;
  • Tell you why we are holding it;
  • Tell you who it could be disclosed to;
  • Let you have a copy of the information in an intelligible form; and
  • Correct any mistakes to information held.

To make a request for any personal information we may hold you need to put the request in writing by email or post to our contact address provided at the end of this notice.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting us at the contact address further below.

10. Confidentiality advice and support – Caldicott Guardian

The CCG has a Caldicott Guardian who is a senior person responsible for protecting the confidentiality of service user information and enabling appropriate and lawful information-sharing.

The Caldicott Guardian for the CCG is Lisa Harvey, Director of Nursing and Quality.

The CCG has a Data Protection Officer (DPO) responsible for monitoring compliance with the GDPR and other data protection laws, the organisation’s data protection policies, awareness-raising, training and audits. The DPO acts as a contact point for the ICO, our employees and the public. They co-operate with the ICO and will consult on any other matter. When performing their tasks, the DPO has due regard to the risk associated with processing operations, and takes into account the nature, scope, context and purposes of processing.

The DPO for this organisation is: Julie-Anne Wales.

11. Personal Information we collect and hold about you

As a commissioner, we do not routinely hold or have access to your medical records. However, we may need to hold some personal information about you for the purposes set out below.

The types of information that we may collect and use include the following:

Personal Data is defined in the GDPR as data or information about a living person, which also identifies that person or allows that person to be identified when combined with other information held by the organisation. Identifying information includes name, address, date of birth, postcode and NHS number.

Special Category Data is defined in the GDPR as information about an identifiable individual’s: racial or ethnic origin; political opinions; religious beliefs; trade union membership; health; sexual life; alleged criminal activity; or court proceedings.

Personal Confidential Data is personal information about identified or identifiable people, which is also confidential. ‘Personal’ includes the GDPR definition of personal data, but it also includes dead as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’ (e.g. health records) and is adapted to include ‘special category’ data as defined in the GDPR.

Pseudonymised Information is personal data that has undergone a technical process that replaces your identifiable information such as name or NHS number with a reference number. This hides the ‘real world’ identity of the individual patient to those working with the data.

Anonymised Information is data that has been changed into a form which does not identify individuals and where there is little or no risk of identification.

Aggregated information is anonymised data that is grouped together so that it does not identify any individuals.

12. Purposes for using your information

The following list outlines key examples of the purposes and rationale for why we collect and process information:


To process your personal information if it relates to a complaint where you have asked for our help or involvement.

Legal Basis

The CCG has a duty as to the improvement in quality of services under Section 14R NHS Act 2006 and will rely on your explicit consent as the basis to undertake such activities.

Complaint Processing Activities

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint. The identity could include name, address, date of birth and NHS number, but only if they are necessary for the complaint to be processed.

We will only use the personal information we collect to process the complaint and to check on the level of service being provided.

We usually have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with the NHS retention guidance. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Funding treatments

We will collect and process your personal information where we are required to fund specific treatment for you for a particular condition that is not already covered in our contracts. This may be called an “Individual Funding Request” (IFR). The identity could include name, address, date of birth and NHS number, but only if they are necessary for the IFR.

Legal Basis

The CCG has a duty to have regard to the need to reduce health inequalities in access to health services and health outcomes achieved as outlined in the Health and Social Care Act 2012. The clinical professional who first identifies that you may need the treatment will explain to you the information that we need to collect and process in order for us to assess your needs and commission your care. We will require your explicit consent for us to collect your data for this purpose.

Continuing Healthcare

We will collect and process your identifiable information where you have asked us to undertake assessments for Continuing Healthcare (a package of care for those with complex medical needs) and commission resulting care packages. The identity could include name, address, date of birth and NHS number, but only if they are necessary for the assessment and commissioning.

Legal Basis

The CCG has a duty to have regard to the need to reduce health inequalities in access to health services and health outcomes achieved as outlined in the Health and Social Care Act 2012. The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for us to assess your needs and commission your care. We will rely on your explicit consent to undertake such activities.


We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns. The identity could include name, address, date of birth and NHS number, but only if they are necessary for the safeguarding process.

Legal Basis

The CCG has a statutory responsibility under the Children Act 2004, Care Act 2014 and safeguarding provision within the Data Protection Act 2018 – Section 1 Part 2 subsection 18 to ensure the safety of all children, and the safety of adults at risk of abuse and neglect.

Risk stratification

Risk stratification is a process for identifying and managing patients who are at high risk of emergency hospital admission.

Legal Basis

The use of identifiable data by CCGs and GPs for risk stratification has been approved by the Secretary of State, through the Confidentiality Advisory Group of the Health Research Authority and this approval has been extended to April 2017 which gives us a statutory legal basis under Section 251 of the NHS Act 2006 to process data for risk stratification purposes which sets aside the duty of confidentiality. We are committed to conducting risk stratification effectively, in ways that are consistent with the laws that protect your confidentiality.


Typically this is because patients have a long term condition such as Chronic Obstructive Pulmonary Disease. NHS England encourages CCGs and GPs to use risk stratification tools as part of their local strategies for supporting patients with long-term conditions and to help and prevent avoidable admissions.

Knowledge of the risk profile of our population will help the CCG to commission appropriate preventative services and to promote quality improvement in collaboration with our GP practices.

The risk stratification process

Risk stratification tools use various combinations of historic information about patients, for example, age, sex, diagnosis, patterns of hospital attendance and admission, and primary care data collected in GP practice systems.

The CCG will use pseudonymised information to understand the local population needs, whereas GPs will be able to identify which of their patients are at risk in order to offer a preventative service to them.

The CCG has commissioned South Central and West Commissioning Support Unit (SCWCSU) to conduct risk stratification on behalf of itself and its GP practices. There is an agreement between the CCG and SCWCSU that requires SCWCSU to protect the security and confidentiality of the data.

This processing for risk stratification follows these steps:

  • The CCG has asked NHS Digital to provide data identifiable by your NHS Number about your hospital attendances for risk stratification purposes and has signed an NHS Digital data sharing contract for the SUS (secondary use services) data.
  • Your GP practice instructs its GP IT system supplier to provide primary care data identifiable by your NHS Number for those patients that have not objected to Risk Stratification or there is no Type 1 objection made by the patient. The data is sent securely to SCWCSU.
  • Within the secure system, the risk stratification system automatically links and pseudonymises the identifiable data from GPs and NHS Digital.

SCWCSU analyse the data in pseudonymised form to produce a risk score for each patient.

The risk scores are only made available to users authorised by the GP practice where you are registered via a secure portal managed by SCWCSU.

If you do not wish information about you to be included in our risk stratification programme, please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Further information about risk stratification is available from:

Invoice Validation

The validation of invoices ensures that those who provide you with care and treatment can be paid the correct amount.

NHS Shared Business Services (SBS) process invoices on behalf of BaNES CCG. SBS do not require and should not receive any patient confidential data to provide their services. However, before payment can be made, the CCG needs to validate the invoice, i.e. ensure that the treatment and amount are correct. In order to do this, personal confidential data is submitted by the health care provider to an approved and controlled secure environment operated by SCWCSU. Only certain data can be submitted, and only when it is necessary for the validation process. The identifiers used for invoice validation are NHS number, and local provider ID (e.g. hospital number) if the NHS number is not known to the provider. SCWCSU use this information to check that the relevant invoice is correct and ready to be paid by the CCG.

The CCG has a duty to detect, report and investigate any incidents where a breach of confidentiality has been made.

Legal basis

The legal basis for SCWCSU to receive personal identifiable data for the purposes of invoice validation is provided by Section 251 of the NHS Act 2006.

For more information see: validationfaqs/

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal confidential data which you share with us.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose. You can opt out at any time by contacting us using our contact details at the end of this document.

Legal Basis

Under the NHS Act 2006 Section 14Z2, the CCG has a duty, in relation to health services provided (or which are to be provided) under arrangements made by the CCG exercising its functions, to make arrangements so as to secure that individuals to whom the services are being (or may be) provided are involved at various specified stages.

We will rely on your informed consent for this purpose.


This includes wider NHS purposes beyond the provision of direct care and treatment to you, such as managing and funding the NHS, monitoring activity to understand and plan the health needs of the population, and to gain evidence that will improve health and care through research.

Legal Basis

Under the Health & Social Care Act 2012 the CCG has a statutory legal basis for collecting and processing information for the purposes of commissioning.


Hospitals and community organisations that provide NHS-funded care must submit certain information to NHS Digital about services provided to our patients and service users.

This information is generally known as Secondary Use (or SUS) data and is contained in approved commissioning datasets. NHS Digital provide the datasets to the CCG.

The datasets include information about the service users who have received care and treatment from those health providers that we are responsible for funding. The CCG is unable to identify you from these datasets. They do not include your name, home address, NHS number, post code or date of birth. Information such as your age, ethnicity and gender, as well as coded information about any clinic or accident and emergency attendances, hospital admissions and treatment will be included.

The specific terms and conditions and security controls that we are obliged to follow when using these commissioning datasets can also be found at

We also receive similar information from GP Practices within our CCG membership that does not identify you. We use this dataset for a number of purposes such as:

  • Performance managing contracts
  • Reviewing the care delivered by providers to ensure service users are receiving quality and cost effective care
  • To prepare statistics on NHS performance to understand health needs and support service re-design, modernisation and improvement
  • To help us plan future services to ensure they continue to meet our local population needs
  • To reconcile claims for payments for services received in your GP Practice
  • To audit NHS accounts and services

Aggregated or anonymous data about the activity undertaken and outcomes delivered by the services commissioned by the CCG is shared with relevant B&NES Council employees who are working on joint commissioning with the CCG, and with CCG employees working in the Council in an integrated role.

If you do not wish your information to be included in these datasets, even though it does not directly identify you to us, please contact your GP Practice and they can apply a code to your records that will stop your information from being included.

For other organisations to provide support services for us

The CCG will use the services of additional data processors, who will provide additional expertise to support the work of the CCG:

Legal Basis

We have entered into contracts with other NHS organisations to provide some services for us or on our behalf. These organisations are known as “data processors”. Below are details of our data processors and the function that they carry out on our behalf:

SCWCSU – for Commissioning Intelligence analysis which adds value to the analysis of data that does not directly identify individuals –

NHS Litigation Authority – for Claims Management (we rely on your consent) –

NHS Shared Business Service – for Invoice Validation (see above) –

University Hospitals Bristol provide data centre services to SCWCSU above

Legal basis

These organisations are subject to the same legal rules and conditions for keeping personal confidential data safe and secure, and are underpinned by a contract with us. Before awarding any contract, we ensure that organisations will look after your information to the same high standards that we do. Those organisations can only use your information for the service we have contracted them for and cannot use it for any other purpose.

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.


This is to support research proposals and activities in our commissioning system.

Legal Basis

Your explicit consent will be obtained as the legal basis to process identifiable information for research purposes.

Sometimes research can be undertaken using anonymized or aggregated information that does not identify you. The law does not require us to obtain your consent in this case, but the organisation holding your information will make notices available on the premises and on the website about any research projects that are undertaken.


Researchers can provide direct benefit to individuals who take part in medical trials and indirect benefit to the population as a whole.

Service user records can also be used to identify people to invite them to take part in clinical trials, other interventional studies or studies purely using information from medical records.


Where identifiable data is needed for research, service users will be approached by the organisation where treatment was received, to see if they wish to participate in research studies.

If you do not wish your information to be used for research, whether identifiable or non-identifiable, please let your GP Practice know. They will add a code to your records that will stop your information from being used for research.

Primary and Secondary Care

We commission a number of organisations to provide primary and secondary healthcare services to you. These organisations may be within the NHS or outside the NHS.

Primary Care services cover GP Practices, Dental Practices, Community Pharmacies and high street Optometrists.

Secondary Care services are usually (but not always) delivered in a hospital or clinic with the initial referral being received from Primary Care.

These organisations may share identifiable, pseudonymised, anonymized, aggregated, personal confidential and sensitive personal data information with us for the following purposes:

  • To look after the health of the general public such as notifying central NHS groups of outbreaks of infectious diseases
  • To undertake clinical audit of the quality of services provided
  • To carry out risk profiling to identify patients who would benefit from proactive intervention
  • To perform case management where the NHS offers intervention and integrated care programmes involving multiple health and social care providers
  • To report and investigate complaints, claims and untoward incidents
  • To prepare statistics on our performance for the Department of Health
  • To review our care to make sure that it is of the highest standard


Through sharing information ethically and lawfully the NHS is able to improve its understanding of the most important health needs and the quality of the treatment and care provided.

Legal Basis

We have the power to collect information under the Health & Social Care Act 2012. Your information is only accessed by authorised persons and not disclosed to other organisations. We will never share your personal information unless a legal basis has been identified for the different purposes of sharing or we have obtained your explicit consent.

13. Further information

Further information about the way in which the NHS uses personal confidential data and your rights in that respect can be found at the links below:

The NHS Care Record Guarantee:

This guarantee is a commitment that NHS organisations and those providing care on behalf of the NHS will use records about you in ways that respect your rights and promote your health and wellbeing.

The NHS Constitution:

The Constitution establishes the principles and values of the NHS in England. It sets out rights to which patients, public and staff are entitled, and pledges which the NHS is committed to achieve, together with responsibilities, which the public, patients and staff owe to one another to ensure that the NHS operates fairly and effectively.

To share or not to share? Information Governance Review:

This was an independent review of information about service users shared across the health and care system led by Dame Fiona Caldicott and was published in 2013.

Review of data security, consent and opt-outs:

A further review by Dame Fiona Caldicott published in 2016.

NHS Commissioning Board – Better Data, Informed Commissioning, Driving Improved Outcomes: Clinical Data Sets:

Provides further information about the data flowing within the NHS to support commissioning.

NHS Digital:

NHS Digital are the trusted national provider of high-quality information, data and IT systems for health and social care and are responsible for collecting data from across the health and social care system.

Information Commissioner’s Office (ICO):

The ICO is the Regulator for the Data Protection Legislation and offer independent advice and guidance on the law and personal data, including your rights and how to access your personal information.

Health Research Authority:

The HRA protects and promotes the interests of patients and the public in health and social care research.

14. Contact us

Post: Bath and North East Somerset Clinical Commissioning Group, St. Martin’s Hospital, Clara Cross Lane, Bath BA2 5RP

Tel: 01225 831800


For independent advice about data protection, privacy and data-sharing issues, you can contact the:

Information Commissioner
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
Tel: 08456 30 60 60 or 01625 54 57 45