Fair Processing Notice
This notice is to inform you of the type of information (including personal information) that we hold, how that information is used, who we may share that information with, and how we keep it secure and confidential. It also includes details of how the wider NHS shares information and links to find out more.
What we do
Wandsworth Clinical Commissioning Group is responsible for commissioning or 'planning and paying for' some healthcare services for the people who live or work in the borough. Along with commissioning services, we are also responsible for monitoring how well these services are provided by listening to your experiences and dealing with concerns.
This section provides definitions for key terms which are used throughout this document.
Anonymised data, which is data about you but from which you cannot be personally identified
De-identified data with pseudonym identifier, which is data about you but we are able to track you through the patient pathway without using your personal information, and you cannot be personally identified.
De-identified data with weak pseudonym identifier such as the NHS number. We use this to link two or more types of datasets together using your NHS number. For example, using your NHS number to link and analyse datasets such as acute data with community data to see the full picture of your patient pathway. No other personal information is used during this process and you will not be personally identified. However, there may be times when you may be re-identified in the event of patient safety requirements, or re-identified for direct care purposes where we pass on information to your GP to treat you.
Anonymised in Context (for commissioning purposes), which is de-identified data about you but from which you cannot be personally identified within a commissioning (CCG) environment. You may be personally identified if this data was available to a hospital or your GP. Like the above, we replace the NHS number with a locally generated pseudonym like hospital number.
Personal data from which you can be personally identified, for example name, address, postcode, date of birth
Sensitive personal data, information about your physical and mental health from which you can be identified
Primary care, in addition to GP practices, primary care covers dental practices, community pharmacies and high street optometrists.
Secondary care, secondary care covers treatment and care of a specialised medical service by Clinicians, for example, specialist doctors and nurses, within a health facility or hospital on referral by a primary care clinician (e.g. your GP).
Information sharing throughout the NHS
This section explains national information sharing initiatives and the information provided to Wandsworth CCG. Information in relation to Wandsworth CCG specific processing and purposes is outlined below under 'What we use your information for' and 'Who we share your information with'.
Care providers, such as general practices, acute and mental health hospitals, community services, walk in centres and nursing homes, sometimes share information with each other to facilitate your direct care.
The law provides some NHS bodies, particularly NHS Digital, ways of collecting sensitive personal data directly from care providers for secondary purposes, such as evaluating care provided at population level.
Data may be linked by these special bodies so that it can be used to improve health care and development, and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified. In some cases there may also be a need to link local datasets, which could include a range of acute-based services such as radiology, physiotherapy and audiology, as well as mental health and community-based services such as IAPT, district nursing and podiatry.
The dataset collected from secondary care providers, for example hospitals, by NHS Digital is referred to as the Secondary Uses Service (SUS). It is the single, comprehensive repository for healthcare data in England, which enables a range of reporting and analyses to support the NHS in the delivery of healthcare services. When a patient or service user is treated or cared for, information is collected which supports their treatment. For further information, please visit NHS Digital’s website:
The following are the types of organisations NHS Digital receives data from. NHS Digital then forwards the data, in an anonymised format or a de-identified format with NHS Number, on to Wandsworth CCG to link and analyse the data. Wandsworth CCG only receives information in relation to patients registered with a GP in the Wandsworth area.
Types of organisations and types of information we receive:
- Acute Trusts – Hospitals, for example St. Georges University Hospitals NHS Trust, secondary care data such as A&E attendances, waiting times, diagnosis, treatments, and follow ups, length of stay, discharge information and next steps.
- Community trusts or community organisations, for example St. Georges Healthcare NHS Trust, community data such as outpatient information, waiting times, diagnosis and treatments, referrals and next steps, domiciliary and district nursing (which includes home visits) and community rehabilitation units.
- Mental Health Trusts or Mental Health organisations, for example South West London and St Georges Mental Health Trust, mental health data such as rehabilitation and outpatient attendances, waiting times, diagnosis, treatment, length of stay, discharge and referrals.
- Primary Care organisations, for example your local GP practice. We receive anonymised primary care data such as attendances, diagnosis, treatment, GP or GP practice visits, referrals, medication/prescriptions information, follow-ups and next steps.
Your choice about how your information is used
There are also choices you can make about how your information is used in relation to the processing outlined above, and you can choose to opt out of your information being shared or used for any purpose beyond providing your direct care. Please note that choosing not to share your information may have an impact on your care, and that sharing your information will improve NHS services and the experience of treatment and care for our patients.
There are two types of opt-out. You can apply or withdraw either opt-out at any time by informing your GP practice.
If you do not want information that identifies you to be shared outside your GP practice, for purposes beyond your direct care, you can register a type 1 opt-out with your GP practice. This prevents your sensitive personal data from being used other than in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.
NHS Digital collects information from a range of places where people receive care, such as hospitals and community services. If you do not want your sensitive personal data to be shared outside of NHS Digital, for purposes other than for your direct care, you can register a type 2 opt-out with your GP practice.
For further information in relation to these opt-outs please see NHS Digital’s website:
What we use your information for
Improving and planning care services – population data
Wandsworth CCG uses information in relation to patients registered with a Wandsworth GP to plan and review local care. For most of our commissioning functions, which are not for the purposes of direct care, we use information in a form that does not identify individuals and constitutes anonymised data. This means no one at the CCG can know your name, your date of birth, your postcode, address or NHS number. These purposes include:
- evaluation and review of services such as checking their quality and efficiency
- carrying out assessments of the conditions people living in Wandsworth are at risk of having so we can prioritise NHS services (termed risk stratification – further information is provided below)
- determining how we may prevent conditions people living in Wandsworth are at risk of having
- making sure our services can meet patient needs in the future
- preparing information on NHS performance
- reviewing the care we provide to make sure it is of the highest standard and identifying areas of improvement
Some of our commissioning functions need to use small amounts of de-identified data with a weak pseudonym identifier, such as your NHS number and/or your postcode. This information can be comprised of linked datasets which are provided to us by NHS Digital.
Wandsworth CCG's use of this information is only carried out using permissions given to us under section 251 of the NHS Act 2006. Such purposes of use include:
- monitoring how care is delivered to patients
- making sure services are working well and using resources properly
- redesigning and modernising services
- understanding particular health needs in different geographic areas
- enabling only clinicians who are involved in a patient's care to identify and contact patients, for example those who would benefit from Active Case Management (a process for managing care for patients with complex needs), including through a process of assessing the likelihood of you needing acute hospital admission (termed risk stratification – further information is provided below)
- supporting care service planning and commissioning
- verifying invoices from providers so we can pay for services (termed invoice validation – further information is provided below)
There may be times where one healthcare organisation will need to invoice another for treatment given to a patient. This can occur, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received.
Before paying the invoice, we will need to be sure that we are responsible for your treatment costs and not another CCG, as well as checking to ensure that the amount being billed for is correct. This process is known as invoice validation. For invoice validation to occur, a limited amount of personal data about you, which includes NHS number but no name or address information, needs to be shared between us and the hospital you received treatment at.
The use of your information for this purpose has been allowed under s251 of the NHS Act 2006, for more information please visit
Your GP uses your data to provide the best care they can for you. As part of this process, your GP will use your sensitive personal data to undertake risk stratification, also known as case finding.
Risk stratification involves applying computer based algorithms, or automated calculations, to identify those patients registered with the GP Surgery who are most at risk from certain medical conditions and who will benefit from clinical care to help prevent or better treat their condition.
To identify those patients individually from the patient community registered with your GP would be a lengthy and time-consuming process, which would by its nature potentially not identify individuals quickly and increase the time to improve care.
Your GP Surgery uses the services of a health partner, NHS NEL Commissioning Support Unit (NEL CSU) to identify those most in need of preventative or improved care. This contract is arranged by us. Sensitive personal data is extracted from your GP computer system, automatically processed, and only your GP is able to view the outcome, matching results against patients on their system.
NEL CSU will process your sensitive personal data through a fully automated process without any staff being able to view the data. Typically they will process your data using indicators such as your age, gender, NHS number and codes for your medical health to identify those who will benefit from clinical intervention.
We have implemented strict security controls to protect your confidentiality and recommend this as a secure and beneficial service to you. At all times, your GP remains accountable for how your data is processed. However, if you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NEL CSU for risk stratification purposes. The lawful basis to use this information for risk stratification has been allowed by s251 NHS Act 2006 and is processed by NEL CSU or other approved providers only. For further information on Risk Stratification, please visit
Your choice about how your information is used
If you wish, you can ask your GP for your data not to be processed for this purpose and your GP will mark your record as not to be extracted so it is not sent to NEL CSU for risk stratification purposes.
Specific services which use personal data
There are some functions where we use sensitive personal data. This may include your name, date of birth, address, summary of health details or outcomes of needs assessments. In most of these instances you have given us consent to hold this information while we were carrying out those functions or it is information you send directly to us. Some of these functions include:
- individual funding requests – where patients and their GPs request non-standard treatments
- assessments for continuing healthcare (a package of care for those with complex medical needs)
- organising specialist placements for people with learning disabilities, mental health needs and other complex needs
- responding to your queries, concerns or complaints
- assessment and evaluation of safeguarding concerns
- self-management services
How we keep information confidential
Everyone working for the NHS and Wandsworth CCG is subject to the Common Law Duty of Confidence. Under the NHS Confidentiality Code of Practice (https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/200146/Confidentiality_-_NHS_Code_of_Practice.pdf) all our staff are required to protect your information, inform you of how your information will be used and allow you to decide if and how your information can be shared. We take the security of information seriously, in line with the NHS Information Security Management Code of Practice (http://systems.digital.nhs.uk/infogov/codes/securitycode.pdf). Information provided to us in confidence will only be used for the purposes that you have agreed to, unless there are other circumstances that may require us to share it, such as a requirement in law.
Wandsworth CCG oversight
We have assigned a Caldicott Guardian and a Senior Information Risk Owner who have oversight of the handling of information within our CCG as well as support organisations that we may buy services from. The Caldicott Guardian has the role of overseeing and making decisions on information sharing. You can contact the Caldicott Guardian via the customer care team: email@example.com. The Senior Information Risk Owner is accountable for information risk. Both roles are supported by the Information Governance Steering Group (IGSG), which meets regularly to discuss issues related to information governance. The group is formed of senior representatives within the CCG and is chaired by the Caldicott Guardian.
Who we share your information with
We may share your information for your benefit with other organisations such as general practices, acute and mental health hospitals, community services, walk in centres, nursing homes, directly from service users and many others. A full list of services can be found on ‘our services’ page [http://www.wandsworthccg.nhs.uk/localservices/Pages/default.aspx]. We may also share anonymised data with them for the purpose of improving local services: for example, understanding how health conditions spread across our local area compared to other areas.
We may also share your information with other non-NHS organisations from which you are also receiving care, such as social services and other providers from which we commission services. Where information sharing is required with these third parties, some personal and sensitive personal data is only shared where we have your explicit consent, some is shared where we have been given specific permissions from a law such as section 251 of the NHS Act 2006, and some is shared in exceptional circumstances, such as when the health or safety of others is at risk, or where the law requires us to do so.
Some of our IT systems, software and services involve the processing of personal or sensitive personal data by a third party supplier such as NEL CSU or other companies. These are usually providers recommended and well used in the NHS. We ensure external data processors that support us are legally and contractually bound to operate this process. They must be able to prove security arrangements are in place where data that could or does identify a person is processed.
What to do if you have concerns
You have the right to ask Wandsworth CCG not to use your information at any moment in time. There are possible consequences to not sharing but these will be fully explained to you to help you with making your decision. You can opt out at any time by contacting the Customer Care team by email at firstname.lastname@example.org or by writing to Customer Care, Wandsworth CCG, 1st floor 73-75 Upper Richmond Road, London SW15 2SR
How long we will keep your information for
There are different retention schedules for different types of information and types of record. In the NHS, all commissioners and providers apply retention schedules in accordance with the Information Governance Alliance’s Records Management Code of Practice for Health and Social Care. For more information, you can access the document here:
http://systems.digital.nhs.uk/infogov/iga/rmcop16718.pdf. The retention schedules start on page 53.
When destroying data we ensure that we, or third parties we contract to destroy data on our behalf, meet guidelines set out within principle 7 of the Data Protection Act 1998, the European Standard EN 15713 for paper copies and CESG standards (www.cesg.gov.uk) for secure destruction of electronic data.
How can you get access to your records processed by Wandsworth CCG?
The Data Protection Act 1998 gives you the right to see or have a copy of your health records. You do not need to give a reason but you may be charged a fee. If you want to access your records held by Wandsworth CCG you should make a written request to:
email@example.com or Customer Care, Wandsworth CCG, 1st floor 73-75 Upper Richmond Road, London SW15 2SR
If you would like to know more about how NHS Wandsworth Clinical Commissioning Group uses your information or if you have a concern or complaint please contact the Customer Care team on:
1st floor 73-75 Upper Richmond Road,
London SW15 2SR
Office hours: Mon to Fri 9.30am – 5.00pm
Tel: 020 020 8812 6600
If you are not happy with our responses about your use of information and data and have exhausted all the avenues in the CCG Complaints Process and wish to take your complaint to an independent body, you can do this by contacting the Information Commissioner's Office in writing to the following address:
Cheshire SK9 5AF
You can also telephone their helpline on 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number. Or email: firstname.lastname@example.org
Relevant links to associated documents or organisations
If you would like to find out more information on the wider health and care system approach to using personal information or other useful information, please click on the following links: