Fair processing notice

Who we are and what we do

Crawley / Horsham and Mid Sussex Clinical Commissioning Group (CCG) is responsible for securing, planning, designing and paying for NHS services, including planned and emergency hospital care, mental health, rehabilitation, community and primary medical care (GP) services.

This is known as commissioning. As Commissioners we need to use information about you to enable us to do this effectively, efficiently and safely, and to monitor the performance of these services.

For further information please refer to the ‘About Us’ page on our internet: http://www.crawleyccg.nhs.uk/about-us/

What is this Fair Processing Notice about?

This Fair Processing Notice (FPN) is part of our programme to make it transparent as to what data processing activities we carry out in order to meet our commissioning obligations.

This FPN tells you about information we collect and hold about you, what we do with it, how we keep it secure (confidential), who we might share it with and what your rights are in relation to your information.

How do we keep your information confidential and safe?

Everyone working for the NHS is subject to the Common Law Duty of Confidentiality. This means that any information that you provide in confidence cannot normally be disclosed without your consent. However there are circumstances which may override this duty of confidence, for example where a disclosure is ordered by the courts.

The NHS Confidentiality Code of Practice requires all our staff to protect your information, tell you how it will be used, and allow you to decide if, and how, it can be shared.

We are also required to comply with other legislation relating to the use of personal information such as the Data Protection Act 20188, and General Data Protection Regulations (GDPR)

Who is Responsible for Looking after your data?

The individuals appointed to the following roles are responsible for all information about you held by the CCG, whether you are a patient, service user, member of staff, or member of the public.

Senior Information Risk Officer (SIRO),  A Senior Information Risk Officer (known as a SIRO) is responsible for ensuring that your information is handled securely.

Crawley CCG’ s SIRO is: 

Data Protection Officer, (DPO) We have a Data Protection Officer who is a Data Protection and Information and Cyber Security expert, reporting directly to the highest level of management within the CCG.

The DPO acts independently and is responsible for informing and advising the CCG and our staff of their obligations under the existing and forthcoming Data Protection related law. The DPO is also responsible awareness-raising, staff training, the provision of advice and monitoring the CCG’s compliance with all European and UK data protection law and the CCG’s data protection related policies. 

Crawley CCG’s DPO is: 

Caldicott Guardian: A Caldicott Guardian is responsible for making sure that your information is handled properly in line with your rights and the law. They ensure information is shared appropriately, effectively acting as the conscience of the organisation.

Crawley CCG’ s Caldicott Guardian is: 

Information Governance Team: Information Governance services are  provided to East Surrey CCG by South Central and West Commissioning Support unit (SCW CSU), The CSU Information Governance Team is responsible for supporting the Caldicott Guardian, Senior Information Risk Officer and the Data Protection Officer in ensuring that your personal information is collected, used and shared appropriately, securely and in line with the law. 

Information Governance Team (East Surrey CCG):  

What kind of information we use?

As a Commissioner we do not routinely hold or have access to your medical records.  However, we may need to hold some personal information about you, for example:

  • Your name, address, your date of birth, your NHS number and contact details
  • Details of your GP, what treatment you have received and where you received it
  • Details of concerns or complaints you have raised about your health care provision and we need to investigate
  • If you ask us for our help or involvement with your healthcare, or where we are required to fund specific specialised treatment for a particular condition that is not already covered in our contracts with organisations that provide NHS care
  • If you ask us to keep you regularly informed and up-to-date about the work of the CCG, or if you are actively involved in our engagement and consultation activities or service user/Patient Participation Groups

Our records may include relevant information that you have told us, or information provided on your behalf by relatives or those who care for you and know you well, or from health professionals and other staff directly involved in your care and treatment.  Our records may be held on paper or electronically in a computer system. 

We use the following types of information/data:

  • Personal – this is information containing details that identify individuals. The following are data items that are considered identifiable: name, address, NHS Number, full postcode, date of birth.
  • Special Categories – personal data revealing: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, sex life or sexual orientation, and health, biometric or genetic data
  • Confidential Information - this term describes information or data about identified or identifiable individuals, which should be kept private or secret and includes deceased as well as living people. ‘Confidential’ includes both information ‘given in confidence’ and ‘that which is owed a duty of confidence’.
  • Pseudonymised - this is data that has undergone a technical process that replaces your identifiable information such as NHS number, postcode, date of birth with a unique identifier. Pseudonymised data is individual-level information where individuals can be distinguished by using a coded reference, which does not reveal their ‘real world’ identity. When data has been pseudonymised it still retains a level of detail in the replaced data that should allow tracking back of the data to its original state.
  • Anonymised – this is data about individuals in a form that does not identify individuals and where identification through its combination with other data is not likely to take place.
  • Aggregated – this is statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

We use anonymised data to plan health care services. Specifically we use it to:

  • check the quality and efficiency of the health services we commission
  • prepare performance reports on the services we commission.
  • work out what illnesses people will have in the future, so we can plan and prioritise services and ensure these meet the needs of patients in the future – this is called Risk Stratification
  • review the care being provided to make sure it is of the highest standard

The main functions the CCG performs and the type of data we use to complete this function are listed below:

NHS Continuing Health Care (CHC Applications)

When individuals make applications for Continuing Health Care funding, Horsham and Mid Sussex CCG will use personal identifiable information (PID) to request information from care providers to identify eligibility for funding.

Horsham and Mid Sussex CCG have contracted NHS Costal West Sussex CCG to deliver this service on our behalf 

This process is nationally defined and the CCG follow a National process using standard information collection tools when assessing eligibility for CHC applications.

The clinical professional who first sees you to discuss your needs will explain to you the information that they need to collect and process in order for your needs to be assessed and commission your care; they will gain your explicit consent to share this. You have the right to withdraw your consent at any time.

Risk Stratification

Risk stratification is a process that usespseudonymised/anonymised and aggregate, de-identified personal data from health care services to determine which people are at risk of experiencing certain outcomes, such as unplanned hospital admissions.                     

Risk stratification tools are used by CCGs to analyse the overall health of a population using data which is anonymised in line with the Information Commissioner's Office (ICO) Anonymisation Code of Practice.  The combined CCGs Secondary Use Service (SUS) data and GP data which contains an identifier (usually NHS number) is made available to clinicians with a legitimate relationship with their patients to enable them to identify which patients should be offered targeted preventative support to reduce those risks.

The CCG has commissioned a company – DOCOBO  to provide the risk stratification software solution on behalf of itself and its GP practices.

Reports produced from the system including identifiable data are only provided back to your GP or member of your care team. CCG commissioners do also have access to the risk stratification tool to support and inform commissioning decisions but they CANNOT see patient identifiable data as part of this.

There is currently Section 251 of the NHS Act 2006 support in place to allow the CCG’s risk stratification tool to receive and link identifiable patient information from NHS Digital and from local GP practices.

If you do not wish information about you to be included in the risk stratification programme please contact your GP Practice. They can add a code to your records that will stop your information from being used for this purpose.

Safeguarding Adults and Children

Advice and guidance is provided to care providers to ensure that adult and children's safeguarding matters are managed appropriately. Access to identifiable information will be shared in some limited circumstances where it's legally required for the safety of the individuals concerned. We will collect and process identifiable information where we need to assess and evaluate any safeguarding concerns.

The CCG rely on a statutory basis, defined under the Care Act 2012 rather than consent to process information for this use.

Comments, Complaints, Concerns and Compliments

When the CCG receives any feedback from an individual, whether it be a comment, concern, complaint or compliment the CCG would normally include personal information about the individual or others involved in the communication.

Before we proceed with handling your complaint we will obtain the explicit, written consent of the patient involved. We ensure they are aware of how and with whom their data may be shared by us, including if they have a representative they wish us to deal with on their behalf.

Supporting Medicines Management and Optimisation

Horsham and Mid Sussex CCG pharmacists work with GP practices to provide advice on medicines and prescribing queries, process repeat prescription requests and review prescribing of medicines to ensure that it is safe and cost-effective. This may require the use of identifiable information.

In cases where identifiable data is required, this is done with practice agreement and in the case of repeat prescription processing with patient consent. No data is removed from the practice’s clinical system and no changes are made to patient's records without permission from the GP. Patient records may be viewed remotely via secure laptops from the CCG's premises and in care homes or patient homes.

Identifiable data is also used by our pharmacists in order to review and authorise (if appropriate) requests for high cost drugs which are not routinely funded. In cases where identifiable data is required, this is done with the consent of the patients via the electronic high cost drug authorisation form. The legal basis for the CCG to process this information is in order to provide Direct Care Provision (GDPR Art. 9(2)(h)) to a patient.

Invoice Processing and Validation

The CCG may need to pay another healthcare provider for services delivered, for example, when you need hospital treatment while away from home on holiday. The hospital at which you were seen may need to invoice us for the treatment you received. 

Before paying the invoice, we will need to be sure that we, and not another CCG, are responsible for your treatment costs as well as checking to ensure that the amount you are being billed for is correct. This process is known as invoice validation. For invoice validation to occur, a limited amount of Identifiable (Personal Information about you needs to be processed).

Once the invoice has been paid, the limited information held about you for this purpose is deleted, as it is no longer required. If the information is needed again, to respond to a question, it will be requested from the healthcare provider, the question answered and the information deleted again.

CCCG’s are required to complete this task under - Section 251 NHS Act 2006, NHS Constitution (Health and Social Care Act 2012)

Horsham and Mid Sussex CCG use other organisations to process invoices on our behalf – NHS Shared Business Services (SBS) and NHS South, Central and West Commissioning Support Unit (CSU).

Patient and Public Involvement

If you have asked us to keep you regularly informed and up to date about the work of the CCG or if you are actively involved in our engagement and consultation activities or patient participation groups, we will collect and process personal identifiable data which you have agreed to share with us.

We will rely on your explicit consent for this purpose. You have the right to withdraw your consent at any time.

Where you submit your details to us for involvement purposes, we will only use your information for this purpose.

Quality Monitoring and Incident investigation

Horsham and Mid Sussex CCG is responsible for ensuring that the care that you receive is safe, effective, and of good quality and we have a statutory duty under the Health and Social Care Act 2012, Part 1, Section 26, in securing continuous improvement in the quality of services provided.

If concerns are raised about the care provided or an incident has happened we need to investigate. 

To do this we may require Identifiable/ Personal Information/ Pseudonymised/ Anonymised data given to us by GP’s and other health care professionals that may include details of the care you have received and any concerns about that care. 

Commissioning Services

Type of Information – Pseudonymised/ Anonymised

Purpose – To collect NHS data about services we have commissioned to provide services to you.  We also work with other local CCGs and often hold joint contracts and commission joint services to make best use of the money available to us.

Legal Basis - Our legal basis for collecting and processing information for this purpose is statutory.  We set our reporting requirements as part of our contracts with NHS service providers and do not ask them to give us identifiable data about you. 

Data Processor – NHS Digital collect various data sets from NHS service providers that have been agreed locally.  All identifying information about you is removed by NHS Digital before the information is made available for the CCG to monitor and manage its contracts.  We also have signed a Data Sharing contract with NHS Digital and have been given approval to use a wide range of data to help us commission care services.  This agreement makes sure that we only process data that does not identify you, that we keep the information secure and we do not share it without the agreement of NHS Digital.  For more information about the types of data that NHS Digital collect please use this link http://digital.nhs.uk/datasets .

National Registries

National Registries (such as the Learning Disabilities Register) have statutory permission under Section 251 of the NHS Act 2006, to collect and hold service user identifiable information without the need to seek informed consent from each individual service user.

Do you share my information with other organisations?

We commission a number of organisations (both within and outside the NHS) to provide healthcare services to you. We may also share anonymised statistical information with them for the purpose of improving local services, for example understanding how health conditions spread across our local area compared against other areas.

The law provides some NHS bodies, particularly NHS Digital, (formally the Health and Social Care Information Centre) ways of collecting and using patient data that cannot identify a person to help Commissioners to design and procure the combination of services that best suit the population they serve.

We may also share information with NHS England and NHS Digital. If you do not want your information to be used for purposes beyond providing your care you can choose to opt-out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices.

NHS Digital takes the responsibility for looking after care information very seriously. Please follow links on how we look after information for more detailed documentation.

NHS England recognises the importance of protecting personal and confidential information in all that we do, all we direct or commission, and takes care to meet its legal duties. Follow the links on the How we use your information page for more details.

Details of data linkage with other datasets

Data may be de-identified and linked so that it can be used to improve health care and development and monitor NHS performance. Where data is used for these statistical purposes, stringent measures are taken to ensure individual patients cannot be identified.

When analysing current health services and proposals for developing future services it is sometimes necessary to link separate individual datasets to be able to produce a comprehensive evaluation.  This may involve linking primary care GP data with other data such as secondary uses service (SUS) data (inpatient, outpatient and A&E).  When carrying out this analysis, the linkage of these datasets is always done using a unique identifier that does not reveal a person’s identity.

We may also contract with other organisations to process data. These organisations are known as Data Processors. We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

We share sensitive information with the following organisations.

We share anonymised data with the following organisations.

What are your rights?

Your right to be informed

You have the right to be provided with certain information whenever we use your personal data, this is known as the right to be informed. The information we have to provide includes:

  • Who we are (known as the ‘data controller’)
  • The contact details of our Data Protection Officer
  •  What personal data we hold, e.g. your name, address, DOB (unless we have collected it from you directly)
  • What we are doing with your personal data (the purpose)
  • What legal reason we have to use your data in this way
  • If our legal reason is your consent (most of the time it won’t be) that you have the right to withdraw your consent at any time
  • Which other organisations we will share your personal data with
  • How long we will keep your personal data for (or how we work out the length of time)
  • Where we got your data from (unless we collected it from you directly)
  • Whether we will need to send your data outside of Europe and how we will make sure it is safe and legal if we do
  • That you have the right to complain about how we are using your personal data to the Information Commissioner’s Office (ICO) 
  • Whether we will use any computer processes with your data which make decisions about you (known as ‘automated decision making’) and if so, how those computer decisions work (known as ‘the logic’) and what consequences there will be for you.
Your Rights.jpg

Your right to access your personal data

You can request a copy of the personal information we hold about you, as well as why we hold that personal information, who has access to that personal information and where we got that personal information from at any time. This is known as the right to access. To make this type of request you can email: CSESCA.SAR@nhs.net.

Please note that NHS Crawley does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal health records, you will need to apply to your GP practice, the hospital or NHS organisation which provided your healthcare.

Your right to obtain your personal information in a portable format

You have the right to get copies of your personal information from us in a format that can be easily re-used. You can also ask us to pass on your personal information to other organisations. This is known as the right to data portability. To request this, please contact us using the details above.

Your right to correct your personal data

You have the right to question any information we hold about you that you believe is wrong, out of date or incomplete. If you do, we will take reasonable steps to check its accuracy and correct it. This is known as the right to rectification.

If you need to ask us to correct your personal data or update your contact details, you can do so by contacting us using the details above.

Your rights to object to our use of your personal data or ask us to delete it

You have the right to object to our use of your personal information, or to ask us to delete, remove or stop using your personal information if there is no need for us to keep it. These are known as the right to object and the right to erasure (commonly known as the ‘right to be forgotten’).

If you feel that we should no longer be using your personal information, or that we are illegally using your data, you can request that we erase the personal information we hold on you. When we receive your request, we will confirm whether the personal information has been deleted or tell you the reason why it cannot be deleted. There may be legal reasons why we need to keep your personal information.

If you want to object to how we use your personal information or ask us to erase it, please contact us using the details above.

Your right to restrict our use of your personal information

You also have the right to restrict our use of your personal information so that it can only be used for certain things, such as legal claims or to exercise legal rights. In this situation, we would not use or share your information in other ways while it is restricted. This is known as the right to restriction.

You can ask us to restrict the use of your personal information if:

  • it is not accurate;
  • it has been used unlawfully but you don’t want us to delete it;
  • it is not relevant any more, but you want us to keep it for use in legal claims; or
  • you have already asked us to stop using your personal information but you are waiting for us to assess your request and confirm whether we are permitted to continue using the personal information under data protection law.

If you want to restrict our use of your personal information, please contact us using the details above.

Your rights relating to automated decision making and profiling

Automated decisions are when a computer makes a decision about you based on data which is collected and processed only by electronic means (e.g. on computers) AND that decision has a significant effect on you. This means there is no human involved before the decision is made. Profiling is any form of computer-based data usage which is done to analyse or predict things about you.

By law, automated decisions cannot be undertaken on children. Automated decisions can only be conducted on sensitive data (this includes health data) when we have asked your permission (consent) or we have conclusively demonstrated that the process is necessary in the wider public interest.

The rights you have about automated decision making are:

  • Not to be subject to an automated decision, and therefore to have a human involved in any decisions about you.
  • To have any automated decisions explained to you
  • To give your own opinion about the decision being made
  • To challenge the decision, if you are not in agreement with it

We have to take special precautions whenever we undertake profiling activity. This includes providing information about what profiling we are doing in our fair processing notice, ensuring we are using adequate statistical procedures, ensuring we have appropriate information security processes and ensuring we have robust procedures in place to prevent errors.

We do not currently conduct any automated decision making or profiling. If we begin to at any point in the future details will be provided in this fair processing notice.

What safeguards are in place to ensure data that identifies me is secure?

We only use information that may identify you in accordance with the Data Protection Act 2018, and  General Data Protection Guidelines GDPR). These laws require us to process personal data only if there is a legitimate basis for doing so and that any processing must be fair and lawful.

Within the health sector, we also have to follow the common law duty of confidence, which means that where identifiable information about you has been given in confidence, it should be treated as confidential and only shared for the purpose of providing direct healthcare.  

The NHS Digital Code of Practice on Confidential Information applies to all of our staff, and they are required to protect your information, inform you of how your information will be used, and allow you to decide if and how your information can be shared. All CCG staff are expected to make sure information is kept confidential and receive annual training on how to do this. This is monitored by the CCG and can be enforced through disciplinary procedures.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

We ensure external data processors that support us are legally and contractually bound to operate and prove security arrangements are in place where data that could or does identify a person are processed.

The CCG is registered with the Information Commissioner’s Office (ICO) as a data controller and collects data for a variety of purposes. A copy of the registration is available through the ICO website. You can search by our CCG name or ICO Data Protection Register number Z3563040 

How long do you hold confidential information for?

All records held by the CCG will be kept for the duration specified by national guidance from the Department of Health,https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016

Gaining access to the data we hold about you

The CCG does not directly provide health care services and therefore does not hold personal healthcare records. If you wish to have sight of, or obtain copies of your own personal health care records you will need to apply to your GP Practice, the hospital or NHS Organisation which provided your health care.

Everybody has the right to see, or have a copy, of data we hold that can identify you, with some exceptions. You do not need to give a reason to see your data, and it is free to access.

If you wish to have a copy of any information the CCG may hold about you, you may submit an Individual Rights Request (IRR), this is free of charge.

 To make the request in writing, please contact:

e-mail: csesca.sar@nhs.net


The Information Governance Manager
Horsham and Mid Sussex Clinical Commissioning Group
Crawley Hospital, West Green Drive
West Sussex
RH11 7DH  

What if I don’t want information about me shared with others?

If you do not want your information to be used for purposes beyond providing your care you can choose to opt out. If you wish to do so, please inform your GP practice and they will mark your choice in your medical record. You can opt out of your data being used for some purposes. You can withdraw your opt-out choice at any time by informing your GP practice. More information is available on NHS Digital Your personal information choices.

There are two types of opt-outs available at different levels. These include:

Type 1 opt-out

If you do not want personal confidential information that identifies you to be shared outside your GP practice you can register a ‘Type 1 opt-out’ with your GP practice. This prevents your personal confidential information from being used except for your direct health care needs and in particular circumstances required by law, such as a public health emergency like an outbreak of a pandemic disease.  Patients are only able to register the opt-out at their GP practice and your records will be identified using a particular code that will stop your records from being shared outside of your GP Practice.

National Data Opt-out

The national data opt-out was introduced on 25 May 2018 and replaces the previous ‘type 2’ opt-out.  NHS Digital collects information from a range of places where people receive care, such as hospitals and community services.  The new programme provides a facility for individuals to opt-out from the use of their data for research or planning purposes.  For anyone who had an existing type 2 opt-out, it will have been automatically converted to a national data opt-out from 25 May 2018 and will receive a letter giving them more information and a leaflet explaining the new national data opt-out. The national data opt-out choice can be viewed or changed at any time by using the online service at .www.nhs.uk/your-nhs-data-matters 

For further information and support about national data opt-outs you can contact NHS Digital:

Tel: 0300 303 5678 

Email: enquiries@nhsdigital.nhs.uk

Alternatively visit the website http://content.digital.nhs.uk/article/7092/Information-on-type-2-opt-outs this may have, if any, please contact us.

What is the right to know?

The Freedom of Information Act 2000 (FOIA) gives people a general right of access to information held by or on behalf of public authorities, promoting a culture of openness and accountability across the public sector.

What sort of information can I request?

In theory, you can request any information that Crawley CCG holds that does not fall under an exemption. You may not ask for information that is covered by the Data Protection Act 20 under FOIA.  However you can request this under a subject Access Request – see section above ‘Gaining access to the data we hold about you’.

How do I make a request for information?

Your request must be in writing and can be either posted or emailed to:

Email: SCWCSU.FOI@nhs.net

Post: Crawley CCG, Crawley Hospital, West Green Drive, Crawley, West Sussex, RH11 7DH

We use NHS South, Central and West Commissioning Support Unit, which is part of the NHS, to process our freedom of information request; however all responses will be carried out by the CCG.  If you have any concerns about this process or would like further information please contact a member of the FOI team at the address above.

For independent advice about data protection, privacy, data sharing issues and your rights you can contact:

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Telephone: 0303 123 1113 (local rate) or 01625 545 745

Email: casework@ico.org.uk

Visit the ICO website

Complaints or questions

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring concerns to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. Please contact us.