Reviewed 20 September 2018

How the CCG Uses Your Information

This notice explains the NHS Vale of York Clinical Commissioning Group’s (CCG's) privacy policy and how we will use and protect any information about you that you give us when you contact us by whatever method.

This privacy notice only covers the NHS Vale of York CCG and does not cover any other organisations, including organisations that can be linked to from this site. It is important you are aware when you are moving to the site of, or engaging in correspondence with, another organisation that you read the privacy notice of that organisation. This notice explains :

Who We Are and What We Do

Data Protection Legislation

Information We Collect and How We Use It

Risk Stratification

Invoice Validation

Individual Funding Request (IFR)

Business Support Services

Case Management

Medicines Management Reviews

CCG Statutory Purposes

Referral Support Services

Visitors to Our Website

Making a Complaint to Us

FOI and EIR Requests

People Who Email Us


Information for Job Applicants

National Fraud Initiative

Keeping Information Secure and Confidential

Use of Cookies

Your Right to Opt Out

Retaining Information

Access to Personal Information

Caldicott Guardian

How to Contact Us

Further Information

Changes to this Privacy Notice

Who we are and what we do

NHS Vale of York Clinical Commissioning Group (hereafter referred to as “the CCG”) is responsible for implementing the commissioning roles as set out in the Health and Social Care Act 2012.

Clinical Commissioning Groups are overseen by NHS England. All GP practices now belong to a CCG, and together they are responsible for commissioning most health and care services for the local community, for example hospital services, nursing in the community and mental health services. We ensure the care providers provide safe, high-quality care, which includes responding to concerns from our citizens; please see below for details of how to make comments and complaints.

As a Clinical Commissioning Group we have many other functions, but these do not generally need data that may specifically identify an individual.

The CCG commissions healthcare services from a number of NHS bodies and non-NHS bodies, such as independent sector treatment centres, private providers and voluntary bodies. 

Primary Care is the first point of contact for someone when they contract an illness, suffer an injury or experience symptoms that are new to them. It is generally regarded as the ‘gateway’ to receiving more specialist care. This contact will be with a GP, Dentist or Optician. A list of our GP practices can be found here: 

Patients may be referred to a secondary care professional – a specialist with expertise on the patient’s issue. These are consultant-led services. Secondary care is usually (but not always) delivered in a hospital / clinic with the initial referral being made by a primary care professional.

We commission Secondary Care services from a range of providers of healthcare services; key providers are listed below.

York Teaching Hospital NHS Foundation Trust

Tees, Esk and Wear Valleys NHS Foundation Trust

Northern Doctors

Nuffield Health

Ramsay Healthcare UK

St. Leonards Hospice

These bodies will use your personal information to provide the healthcare services which they have been commissioned to provide. They publish information about how they use your personal information.

Data Protection Legislation

Under Data Protection Legislation, the CCG is required to register with the Information Commissioner's Office detailing all purposes for which personal identifiable data is collected, held and processed.

Data Protection Legislation states that personal data means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller. So, personal identifiable data usually refers to grouped data. This may be your name, address, date of birth, etc. 

The CCG has a legal duty to protect any information we collect from you. We use leading technologies and encryption software to safeguard your data and keep strict security standards to prevent any unauthorised access to it.

The CCG will not pass on your details to any third party or other government department unless you consent to this or where it is necessary and we are allowed or required to by law.

The Information Commissioner's Office maintains a public register of organisations that process personal identifiable data. The NHS Vale of York Clinical Commissioning Group’s registration number is Z352696X.

View the CCG’s Notification online:

The entry sets down :

  • The purpose for which the personal data are held, such as the management of personnel, provision of health services to the local community, marketing or research;
  • Categories of individuals, such as employees, service users, CCG members;
  • Categories of personal data held, such as name, address, medical history;
  • To whom the personal data will be disclosed, such as NHS England, Central Government;
  • Whether personal information will be transferred overseas.

Data Protection Officer (DPO) : Caroline Million
DPO contact details :

Information we collect and how we use it

For most of our work we do not need to know personal details. It should be noted that information which cannot identify an individual does not come under Data Protection Legislation.

The CCG receives, uses and holds anonymised / statistical information about health care provided to the population of the local community to allow it to better plan and commission health services for the local area.

The law provides some NHS bodies, particularly the Health and Social Care Information Centre (HSCIC), ways of collecting and using patient data that cannot identify a person (anonymised) to help commissioners to design and procure the combination of services that best suit the population they serve.

Anonymisation is the process of turning data into a form which does not identify individuals and where identification is not likely to take place. This allows for a much wider use of the information. The process of anonymising personal data protects it from inappropriate use or disclosure. (For further information regarding definitions and how Data Protection Legislation applies, please see ICO: and NHS Digital:)

Data may be linked and de-identified by these special bodies so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

Unless there is another lawful basis, only anonymous statistical data, normally aggregated, may also be passed to organisations with a legitimate interest, including universities, community safety units and research institutions.

This could include :

  • Monitoring the quality and efficiency of services commissioned
  • Statistical analysis of the local population's illnesses
  • Preparing national data submissions for quality and cost

The CCG does not directly provide health care services and therefore does not create or hold any clinical records about any individuals. If you wish to have sight of your own personal health care records you will need to apply to your GP practice, or the NHS hospital or NHS organisation which provided your healthcare. Details about how to access your healthcare records may be found here:

There are some functions for which the CCG may process data that may identify an individual; however, this is normally limited to an individual’s NHS number or postcode and there are controls in place to prevent the identity of that individual becoming known by staff within the CCG.

These functions are detailed below.

Risk stratification

The CCG commissions a Risk Stratification Service. This service enables your family doctor to undertake a pro-active approach to managing your health. A secure computer system reviews your personal information such as your name, NHS number, date of birth, post code and recent treatments you may have had at the surgery or in hospital, and also any existing health conditions. The purpose of this system is to alert your doctor to the likelihood of a possible deterioration in your health. This information will be used to get you early care and further treatment if needed. Your doctor will have provided information to you about this service.

Dr Foster (an organisation which is part of eMBED Health Consortium) has been contracted to provide risk stratification services. This is an approved exception under section 251 of the NHS Act 2006. The information will only be seen by qualified health workers involved in your care. NHS security systems will protect your health information and patient confidentiality at all times.

The CCG uses risk stratified data to understand the health needs of the local population in order to plan and commission the right services. This is called risk stratification for commissioning. The CCG does not have access to your personal data. The information is de-identified / pseudonymised. Pseudonymisation is a technical process that replaces identifiable information such as an NHS number, postcode, date of birth with a unique identification number to prevent the CCG staff working with the data tracing it back to an individual patient.

You have a right to opt out of your information being used for risk stratification profiling. Your GP practice will make you aware if your information is being used for risk stratification and your right to opt-out.

For further information please visit:

Invoice validation

Invoice validation is an important process. It involves using your NHS number to confirm that the CCG is responsible for paying for your treatment. We will also use your NHS number to check whether your care has been funded through specialist commissioning, which NHS England will pay for. The process makes sure that the organisations providing your care are paid correctly. This is an approved exception under section 251 of the NHS Act 2006.

Individual Funding Request (IFR)

IFR is a process where patients and their GPs or Consultants can request treatments not routinely funded by the NHS. This service requires holding and processing patient identifiable information to assess requests for care and, if appropriate, approval. Sometimes, it may need to speak to the care providers about the patient to assess the request. This service is provided by North East Commissioning Support (NECS). You are entitled to withdraw your consent to your personal information being shared but this may mean your funding request cannot be properly considered.

Business Support Services

Human Resources, Information Technology Management and Business Intelligence services are provided by eMBED Health Consortium.

Case Management

Continuing Healthcare, Funded Nursing Care, Mental Health & Vulnerable Adults, Adult Safeguarding, Mental Health & Vulnerable Adults and Children, Young People & Maternity Services, and Legal Services. In order for the CCG to provide these services they need to collect and keep a record of personal information about the person to whom the service is to be provided. This record may be either written down or held electronically on computer. These details may include :

  • Basic details such as name, address, and next of kin
  • Details of health conditions, diagnostic tests, treatments and medications
  • Information from other health care professionals and those who provide care.

Note: This information may be shared with other agencies involved in providing care or where required by law, for example with social services or for safeguarding purposes. Such information will, however, only be shared with the appropriate consent or under a statutory legal requirement. You are entitled to object to your information being shared with specific agencies; however, you should note this may mean that the provision of appropriate care may be limited.

Medicines management review

This service performs a review of prescribed medications to ensure patients receive the most appropriate and cost effective treatments. 

CCG statutory purposes

The CCG is required by law to report person identifiable information it may hold about you to other authorities under the following circumstances :

  • Statutory compliance, e.g. reporting of infectious diseases which may endanger the safety of others, such as meningitis or measles (but not HIV/AIDS);
  • Investigation of the causes of an infection, sometimes contagious, which may cause risk to the public (Post Infection Review). We do not always need to ask permission to access a person’s record if there is a risk to the public; this is a statutory obligation on the CCG;

(The above may be linked to national statistical datasets in an anonymised format only in order to monitor trends of infectious diseases, other infections and birth rates.)

  • Where a formal court order has been issued;
  • Police investigations (in limited circumstances); and
  • To allow the organisation to fulfil its obligations to safeguard children and vulnerable adults; this is a statutory obligation on all NHS organisations. The CCG has a responsibility, along with other NHS organisations and every healthcare professional, to ensure that people in vulnerable circumstances are not only safe but also receive the highest possible standard of care. The welfare of the people who come into contact with the services commissioned by the CCG is paramount and it has a statutory responsibility for ensuring that the organisations from which it commissions services provide a safe system that safeguards children and adults at risk of abuse or neglect. The CCG has a statutory duty to be a member of Local Safeguarding Children Boards (LSCBs) and is expected to be fully engaged with local Safeguarding Adults Boards (SABs), working in partnership with local authorities to fulfil its safeguarding responsibilities.
  • The CCG must also share information with other organisations where there is an overriding public interest to do so.

Where information needs to be shared between organisations the CCG is a signatory to the North Yorkshire Multi-Agency Overarching Information Sharing Protocol. A copy of this protocol can be found here: This protocol enables the CCG to ensure that information is shared effectively with our partners and to ensure that information is being shared lawfully, appropriately and in compliance with best practice. The protocol establishes consistent principles and practices to govern the sharing of personal and non-personal information that takes place within and between partner agencies.

The CCG will collect information about you in order to respond to queries, enquiries or complaints you have raised and this applies to :

  • Visitors to our website
  • Complainants and other individuals
  • FOI and EIR requests
  • People who use the CCG’s services
  • Staff of the CCG

Referral Support Services

NHS Vale of York CCG commissions and hosts both the Referral Support Service and the Referral Management Service for the North Yorkshire CCGs.

When it has been identified by your GP that you require further diagnosis and/or treatment/care your GP will make a referral to a secondary care service. For some specialties your referral will be reviewed by an independent specialist doctor to ensure that you receive the most effective care. This involves a review of a copy of your GP referral against agreed clinical guidelines with the aim of ensuring the patient is seen by the right clinician, in the right place at the right time. These arrangements provide for an additional ‘check’ of referrals by a team of contracted clinicians. Your GP should discuss transferring your information to such a specialist with you during your consultation and request your permission for the transfer.

When you and your GP agree that you need a secondary care appointment, you can choose which hospital or clinic you go to. The Referral Support Service provides access to a system (Choose and Book) that lets you choose your hospital or clinic and book your first appointment.

The Vale of York CCG also hosts the Referral Support Service for the Harrogate and Rural District CCG and Scarborough and Rural CCG.

Visitors to our website

When someone visits the CCG’s website, information is collected in a standard internet log to enable the CCG to monitor how the website is used. This is done to find out things such as the number of visitors to the various parts of the site. This information is collected in such a way that does not identify people who have visited our websites.

From time to time, you may be asked to submit personal information about yourself (e.g. name and email address) in order to receive or use services on our website. Such services include bulletins, email updates, website feedback, requesting investigation of complaints and any other enquiries.

By entering your details in the fields requested or sending us an email, you enable the CCG and its service providers to provide you with the services you select. Any information you provide will only be used by the CCG, or our agents or service providers, and will not be disclosed to other parties unless we are obliged or permitted to do so.

We will hold your personal information on our systems for as long as you use the service you have requested, and remove it in the event the purpose has been met or when you no longer wish to continue your subscription.

Making a complaint to us

When we receive a complaint from anyone we will need to make up a file containing details of the complainant and the complaint they are making. How we use a complainant’s information to investigate a complaint is explained further on our Compliments and Complaints Page at:

Making a Freedom of Information Request and Environmental Information Regulations Requests

The Freedom of Information (FOI) Act gives you the right to ask any public sector organisation for all the recorded information they have on any subject. If your request is wholly or partly for “environmental information” the CCG will treat that part of your request as a request under the Environmental Information Regulations (EIR).

For further information on how to make an FOI or EIR request visit our Freedom of Information page at:

People who email us

Any email sent to the CCG, including any attachments, may be monitored and used by the CCG for reasons of security and for monitoring compliance with office policy. 

Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

If you post or send offensive, inappropriate or objectionable content anywhere on or otherwise engage in disruptive behaviour on we may use whatever information is available to us about you to stop such behaviour.


The CCG, as an NHS employer, needs to process information in relation to staff. This information is used in a variety of ways to ensure staff are paid or provided with other services related to their employment.

For more details regarding how staff data is used please see the Staff Privacy Notice available on the CCG intranet.

Information for job applicants

The CCG will process information provided by applicants for the management of their application and the subsequent selection process. This involves providing details provided by you on your application regarding your qualifications, skills and work experience (but excluding your name, address and other personal data) to the short-listing and selection panels. After shortlisting, full details provided by you on your application form will be provided to the interview panel. Details provided by you are also used to help fulfil our obligations to monitor equality and diversity within the organisation and process your application. You can find more information about the use of personal data throughout the application process from our business support providers, eMBED Health Consortium, at

Information will be retained on interview performance and the application in line with the retention periods of NHS England.

National Fraud Initiative

NHS Vale of York CCG is required by law to protect the public funds it administers. It may share information provided to it with other bodies responsible for auditing or administering public funds, in order to prevent and detect fraud.

The Cabinet Office is now responsible for carrying out the National Fraud Initiative. More information can be found here

Data matching involves comparing computer records held by one body against other computer records held by the same or another body to see how far they match. This is usually personal information. Computerised data matching allows potentially fraudulent claims and payments to be identified. Where a match is found it indicates that there is an inconsistency that requires further investigation. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out.

The Cabinet Office currently requires us to participate in a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data for matching within each exercise, and these are set out in the guidance, which can be found by following the above link.

The processing of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under its powers in Part 6 of the Local Audit and Accountability Act 2014. It does not require the consent of the individuals concerned under Data Protection Legislation.

For specific details on the Cabinet Office National Fraud Initiative please follow the above link. Cabinet Office Fair Processing in relation to the initiative can be found here

Keeping information secure and confidential

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality and all staff are trained to keep information confidential and have contractual obligations in respect of confidentiality, which are enforceable through disciplinary procedures.

Information provided in confidence will only be used for the purposes advised and consented to by the patient, unless there are circumstances covered by the law.

The NHS Confidentiality Code of Conduct applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared.

We also have a duty to show that the systems and processes we use are secure and that legal agreements are put in place to maintain security.

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

At the moment, among others, we work with :

  • North East of England Commissioning Support Unit (NECS); and
  • eMBED Health Consortium, who support the data gathering and processing across the Yorkshire and Humber area.

Use of Cookies

You can read more about how cookies work on the CCG website at: Cookies.

Your right to opt out

You have the right, in law and additionally in the NHS Constitution, to request that your confidential information is not used beyond your own care and treatment and to have your objections considered, and where your wishes cannot be followed, to be told the reasons including the legal basis.

NHS Digital provides a “Guide to confidentiality in health and social care” which you may find useful before deciding if you would like to opt out. This guidance states that :

  • Patients can object to information about them leaving general practice in identifiable form for purposes other than direct care, so confidential information about them will not be shared. This is called a Type 1 objection.
  • Patients can object to information about them leaving the HSCIC in identifiable form, so confidential information about them will not be made available by the HSCIC other than for purposes of direct care. This is called a Type 2 objection.

If you wish to exercise your right to opt-out, please contact your GP surgery or alternatively, to speak to somebody who will explain what impact this may have, please contact us at: or telephone 01904 555 870

There are some situations where an individual cannot opt out of their personal information being used; these are detailed in the CCG Statutory purposes above.

Retaining information

We will only retain information for as long as necessary. Records are maintained in line with the NHS records management code of practice for health and social care found on the NHS Digital website. This guidance covers many types of health record and specifies the length of time they should be kept for (the minimum retention period).

All personal identifiable information is destroyed securely in accordance with Data Protection Legislation. 

Access to personal information

Everybody has the right to see, or have a copy of, data we hold that can identify them, with some exceptions. You do not need to give a reason to see your data. If we do hold any information about you we will:

  • Give you a description of that information
  • Tell you why we are holding it
  • Tell you who it could be disclosed to
  • Let you have a copy

If you want to access your data you must make the request in writing. Under special circumstances, some information may be withheld.

To make a request to NHS Vale of York CCG for any personal information we may hold, you will need to put the request in writing and send it to :

By email to: or

By post to: 
Subject Access Requests
NHS Vale of York Clinical Commissioning Group
West Offices
Station Rise
York, Y01 6GA

Caldicott Guardian

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. Each NHS organisation is required to appoint a Caldicott Guardian; this was mandated for the NHS by Health Service Circular: HSC 1999/012. The CCG’s Caldicott Guardian is the CCG’s Executive Director of Quality & Nursing and may be contacted as detailed below.

How to contact us

If you want to request information about our privacy policy you can email us at : or write to us at:

NHS Vale of York Clinical Commissioning Group
West Offices
Station Rise
York, Y01 6GA

Phone 01904 555 870

For independent advice about protection, privacy or data sharing issues, you can contact:

The Information Commissioner
Wycliffe House
Water Lane
Cheshire, SK9 5AF

Phone: 08456 30 60 60 or 01625 54 57 45

2018 Vale of York Clinical Commissioning Group

Further information

For further information regarding how the NHS uses your data and how it is protected see the following :

NHS Care record guarantee

The NHS Constitution

NHS Digital guide to Confidentiality


Health Research Authority 

Changes to the privacy notice

If our privacy policy changes in any way, we will place an updated version on this page. Regularly reviewing the page ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

This Privacy / Fair Processing Notice was last reviewed March 2018.