CPCCG logo
Home » Privacy Statement

Privacy Statement

Cambridgeshire and Peterborough Clinical Commissioning Group purchases and manages services, to provide patients in our area with quality healthcare. To enable us to do this, we keep records that contain information about you and your health, and the care and treatment we have provided or plan to provide to you. Further information about the CCG is available to read here.

Fair processing notice

What Information do we hold and how do we use it

Cambridgeshire and Peterborough CCG are registered with the Information Commissioner’s Office (ICO) as a data controller. Details of our data protection registration are available through the ICO website (registration number Z358830X).

We are committed to protecting your privacy and will only use information collected lawfully in accordance with the Data Protection Act 1998 (DPA). We undertake not to use any information we may hold about you for any purpose other than that for which it was collected, unless we have obtained your consent*. This includes not sending the information overseas without permission. We do not sell personal information.
*See ‘information sharing’ in the CCG's Privacy Notice for instances where patients cannot opt out of their information being shared.

As the CCG is not involved in direct patient care, we do not routinely hold medical records, but may hold other personal information* relating to complaints, investigations, independent funding requests you may make, continuing healthcare funding, or reviews that we are carrying out on your behalf. We also hold information centrally which is used for statistical purposes to allow the NHS to plan the services it provides. We may also use anonymised and pseudonymised (see key definitions) data for research, audit and public health purposes.
*The CCG holds and retains personal information in accordance with the requirements set out in the Records Management Code of Practice for Health and Social Care 2016. 

NHS records may be electronic, paper or a mixture of both, and we may use a combination of working practices and technology to ensure that your information is kept confidential and secure.

Information Sharing

We will not share your information unless you ask us to do so, however, there are some instances where patients cannot opt out of having their information shared and information may be shared without explicit or implied consent. These instances may include:

  • Where the sharing is mandated by law or court order;
  • Where there are sufficient safeguarding or vulnerability concerns;
  • In order to assist the police in the prevention and detection of crime;
  • There is an overriding public interest in releasing or sharing information;
  • We have special permission for health and research purposes (granted by the Health Research Authority);
  • For the health and safety of others, for example to report an infectious disease such as meningitis or measles.

We work with a number of other NHS, partner agencies and other organisations* to provide healthcare and other services for you. We may also share anonymised and pseudonymised (see key definitions) statistical information with them for the purpose of
improving local services, for example understanding how conditions spread across our local area compared against other areas.
*See Cambridgeshire Information Sharing Framework in the CCG's Privacy Notice for further information and a list of the Organisations that have signed up to the Framework.

We also contract with other organisations to provide a range of services for us, for example providing some human resource services for our staff. In these instances we ensure that our partner agencies handle our information under strict conditions and in line with the law.

All CCG staff have contractual obligations of confidentiality, enforceable through disciplinary procedures. Staff with access to patient identifiable information receive appropriate on-going training to ensure they remain aware of their responsibilities. Our
staff are granted access to personal data on a need-to-know basis only.

How to opt out of having your personal information shared

If you wish to opt out of having your personal data shared please contact your GP in the first instance as local and national information sharing initiatives are derived from the GP record in the primary instance. There are possible consequences to not
sharing but these will be fully explained to you to help you with making your decision.

There are two different types of objection which both refer to information sharing for purposes other than that of direct patient care:

  • Type 1 objections occur when a patient objects to their GP about having their identifiable data shared outside of their GP practice.
  • Type 2 objections occur when a patient objects to their identifiable data being disclosed to NHS Digital (See Key Definitions).

NHS Digital monitors the number of patients applying their type 1 and 2 rights through aggregated (See Key Definitions) data sources. Whilst patients have the right to opt out of having their data shared for purposes other than direct patient care, sharing data allows the NHS to better understand the needs of patients. It also allows for more comprehensive performance monitoring of services and allows organisations to adequately benchmark themselves. This allows care providers and commissioners to work collaboratively to improve the quality of, and accessibility to, local services.

Primary and secondary care data

The CCG has limited cause to process data as we are not involved in direct patient care, we do however receive anonymised and pseudonymised primary and secondary care data (see key definitions) that has been processed on our behalf by data
processors contracted by us under strict information governance and information security conditions. Receiving data of this type enables us to analyse current health services and proposals for developing future services. It is sometimes necessary for
us to link separate anonymised individual datasets to be able to produce a comprehensive methodology for evaluation. This may involve linking primary care data with other non-identifiable data provided for secondary use (known as SUS* which includes inpatient; outpatient; A&E and other NHS services data).
*See Key Definitions in the CCG's Privacy Notice 

Invoice validation

We will use limited information about individual patients when validating invoices received for healthcare provided, to ensure the invoice is accurate. This will be performed in a secure environment and will be carried out by a limited number of authorised staff. These activities and all identifiable information will remain within a CEfF (Controlled Environment for Finance) approved by NHS England.

Section 251 support is currently in place for the CCG to be able to receive personal data to enable this work to take place (See related links – Health Research Authority / Key Definitions in the CCG's Privacy Notice).

Records management

The Records Management Code of Practice for Health and Social Care 2016 (see related links) sets out the required standards of practice in the management of records for those who work within or under contract to NHS organisations in England, based on current legal requirements and professional best practice. Data held by the CCG is retained in line with the Code of Practice’s retention schedules and thereafter confidentially destroyed or disposed of in accordance with the CCG’s Destruction and Disposal Policy. Detailed retention schedules, ie minimum periods for which various records that are created should be retained, in accordance to either their ongoing administrative value or as a result of statutory requirement can be found in Appendix 3 of the Code of Practice.

Your information: What do we need from you?

Please tell us as soon as possible if there are any changes, such as a new address. This helps us to keep your information reliable and up to date.

Contacting us about your information

Each NHS organisation has a senior person responsible for protecting the confidentiality of patient information and enabling appropriate information sharing.  This person is called the Caldicott Guardian, Carol Anderson is the CCG’s Caldicott Guardian.

If you have any questions or concerns regarding the information we hold on you, the use of your information or would like to discuss accessing your information, please contact the CCG’s Data Protection Officer at:

Data Protection Officer
Cambridgeshire and Peterborough CCG
Lockton House
Clarendon Road
Cambridge CB2 8FH.


Access to your Health Care Records

Information on how to access your information is available here or by contacting the Information Governance Team on 01223 725451 or capccg.infogov@nhs.net

Contacting us if you have a complaint or concern:

Patient Experience Team
FREEPHONE: 0800 279 2535 or telephone: 01223 725588
Email: capccg.pet@nhs.net
Patient Experience Team Fax: 01223 725 590

Further information can be found here.

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner’s Office at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113 (Monday to Friday, 9am to 5pm)
Website: https://ico.org.uk/